Security Research

Here’s where our security researchers analyze and share insights about the latest vulnerabilities, providing details on how they work, or how to exploit them.

3 initial access tactics to simulate in your penetration tests

In this guide, I’ll talk about these tactics (phishing attacks, RDP attacks, and exploitable vulnerabilities) pentesters can use to simulate realistic attack scenarios and apply them in their ethical hacking engagements. You'll walk away with practical examples and actionable advice on how to effectively replicate these attacks. Plus, you’ll help your customers to create better security awareness inside their organizations.

Author(s)

Catalin Iovita

Published at: 29 Sep 2023

How these offensive security books changed their readers - and their authors

Books have extraordinary power. They give both readers and authors new perspectives on how to see the world – and how to inhabit it more meaningfully. They allow you to go in-depth on a topic you love (or didn’t know you could love). Books create space for reflection and give you the chance to soak up someone else's experience and make parts of it your own.

Author(s)

Published at: 13 Sep 2023

Breaking down the 5 most common SQL injection threats

In this ongoing battle, organizations and offensive security pros grapple with many questions: Why do these attacks persist? What are the most prevalent types of SQL injection attacks? And, most importantly, how do we prevent them effectively? You’ll get answers to these burning questions (and more!) in this practical guide.

Author(s)

Published at: 01 Sep 2023

10 Practical scenarios for XSS attacks

Let’s delve into these 10 practical attack scenarios with actionable examples that highlight the real risk of cross-site scripting (XSS) vulnerabilities.

Author(s)

Published at: 07 Jul 2023

Pro tips from 10 ethical hackers for stellar reports

The strongest proof of your work and expertize are the pentest reports you deliver. They capture your investigative skills, razor-sharp critical thinking, and creative hacking abilities. So your reports better be great. Looking to impress your team or clients with outstanding pentest reports? You're in luck! Delve into the collective wisdom of 10 seasoned offensive security professionals who've generously shared their insider tips on mastering the art of pentest reporting.

Author(s)

Ioana Rijnetu

Published at: 05 May 2023

Why this 14-year-old heap corruption vulnerability in MS Word is still relevant

A critical vulnerability with Remote Code Execution (RCE) potential in Microsoft Word (CVE-2023-21716) with a CVSS score of 9.8 was among the Zero-Day vulnerabilities that were fixed.

Author(s)

Kelyan Yesil

Published at: 18 Apr 2023

Securing Your Laravel Application: A Comprehensive Guide

As someone who has worked with the Laravel framework for years, I've seen firsthand the importance of taking security seriously. I've seen how simple mistakes lead to disastrous consequences, and I've also seen the benefits of a secure and well-maintained Laravel application.

Author(s)

Cosmin Coman

Published at: 11 Apr 2023

Log4J - why some CVEs (almost) never disappear

Unless you’ve been on a sabbatical for the past year, you probably know how a critical vulnerability known as Log4shell took over the world.

Author(s)

Kelyan Yesil

Published at: 07 Apr 2023

The most exploited vulnerabilities in 2022

Offensive security is a fast-moving space, yet some security vulnerabilities persist for years, causing problem after problem. 2023 being no exception, you can spare yourself from repetitive work by learning to find and mitigate these top 10 CVEs.

Author(s)

Kelyan Yesil

Published at: 16 Mar 2023

Thinking outside the box: 3 creative ways to exploit business logic vulnerabilities in pentests

These flaws are particularly dangerous because attackers exploit behavioral patterns by interacting with apps in different ways than intended. When exploited successfully, they cause serious disruption, including business processes impact and reputational damage.

Author(s)

Published at: 02 Mar 2023

How supply chain attacks work and 7 ways to mitigate them

Your organization is a connected network of vendors, software, and people that keep your business operational. Each of these elements has various degrees of access to sensitive information which a bad actor can use as entry points in supply chain attacks.

Author(s)

Iulian Tita

Published at: 20 Feb 2023

100+ essential penetration testing statistics [2023 edition]

If there’s anything we learned from years of working in infosec is this: don’t make assumptions without knowing the context and make decisions based on reliable data. With that in mind, we’ve put together this extensive list of penetration testing statistics and relevant data that shed light on many aspects of the industry.

Author(s)

Ioana Rijnetu

Published at: 13 Feb 2023