Throughout our assessments, we get the opportunity to work with a wide variety of clients and see a ton of different web applications. When performing web application penetration testing in particular, there are a number of issues that we notice over and over again, regardless of the development language, application architecture, etc. If we see […]
In a previous post, we covered timing-based username enumeration vulnerabilities and how an attacker can exploit these weaknesses to craft a list of known-valid user accounts. The next step in that attack chain is using that list of valid accounts to conduct password attacks and try to gain unauthorized access to an organization’s exposed login […]
From time to time, when we see a particular vulnerability that keeps showing up over and over again during penetration testing engagements, we like to write about it and help spread awareness. This can help explain the issue, the subsequent risk it presents to your organization, and how to successfully remediate the issue or at […]
