Log4J - why some CVEs (almost) never disappearUnless you’ve been on a sabbatical for the past year, you probably know how a critical vulnerability known as Log4shell took over the world.Author(s)Kelyan YesilPublished at07 Apr 2023Updated at12 Jul 2023
The most exploited vulnerabilities in 2022Offensive security is a fast-moving space, yet some security vulnerabilities persist for years, causing problem after problem. 2023 being no exception, you can spare yourself from repetitive work by learning to find and mitigate these top 10 CVEs.Author(s)Kelyan YesilPublished at16 Mar 2023Updated at31 Oct 2023
Thinking outside the box: 3 creative ways to exploit business logic vulnerabilities in pentestsThese flaws are particularly dangerous because attackers exploit behavioral patterns by interacting with apps in different ways than intended. When exploited successfully, they cause serious disruption, including business processes impact and reputational damage.Author(s)Razvan IonescuPublished at02 Mar 2023Updated at12 Jul 2023
How supply chain attacks work and 7 ways to mitigate themYour organization is a connected network of vendors, software, and people that keep your business operational. Each of these elements has various degrees of access to sensitive information which a bad actor can use as entry points in supply chain attacks.Author(s)Iulian TitaPublished at20 Feb 2023Updated at31 Oct 2023
100+ essential penetration testing statistics [2023 edition]If there’s anything we learned from years of working in infosec is this: don’t make assumptions without knowing the context and make decisions based on reliable data. With that in mind, we’ve put together this extensive list of penetration testing statistics and relevant data that shed light on many aspects of the industry.Author(s)Ioana RijnetuPublished at13 Feb 2023Updated at31 Oct 2023
Phishing a company through a 7-Zip misconfigurationReading about phishing can sometimes feel tedious, as many articles simply rehash the same old scenarios and prevention strategies without diving into technical details or offering anything fresh. But don't worry, we've got you covered!Author(s)Kelyan YesilPublished at19 Jan 2023Updated at13 Apr 2023
How the DMARC email security protocol can take down an entire companyGet familiar with DMARC, a less-known email security protocol that can help businesses prevent phishing campaigns.Author(s)Kelyan YesilPublished at13 Dec 2022Updated at10 Apr 2023
17 Infosec pros talk about the future of penetration testingAs offensive security specialists, we want to understand how pentesting changes over the next decade so we can use our experience and know-how to make better decisions.Author(s)Ioana RijnetuPublished at25 Nov 2022Updated at21 Nov 2023
Everything you need to know about the new OpenSSL vulnerabilities (CVE-2022-3602 & CVE-2022-3786)Before securing systems, we need to understand what we’re trying to secure and how to do it. Today we are exploring two new vulnerabilities that got the community's attention this month. Most importantly you will learn how to patch them and how impactful they are.Author(s)Kelyan YesilPublished at18 Nov 2022Updated at18 Jul 2023
How to conduct a full network vulnerability assessmentThe best ethical hackers build and maintain an outstanding workflow and process because it pays off – big time! When you’re always overwhelmed with work, it’s difficult to make time for tweaks and improvements, even if we both know they have compound returns in the long run.Author(s)Daniel BecheneaPublished at24 Aug 2022Updated at18 Aug 2023
Authenticated Magento RCE with deserialized PHAR filesBack in August 2019, I reported a security vulnerability in Magento affecting versions 2.3.2, 2.3.3, and 2.3.4 using the HackerOne bug bounty platform. The bug impacted some installations of Magento and it allowed us to gain Remote Code Execution based on the way PHAR files are deserialized and by abusing Magento’s Protocol Directives.Author(s)Alexandru PostolachePublished at03 Aug 2022Updated at18 Jul 2023
Visualize exploit paths with the Sniper network graphWhether working in offensive or defensive security, we all see it: high-risk, widespread vulnerabilities cause significant disruptions to already struggling security teams.Author(s)Andra ZahariaPublished at23 Jun 2022Updated at23 Feb 2023