Web App

Lessons Learned While Pentesting GraphQL

Sean Verity // GraphQL is one of those technologies that I heard about several years ago but had not encountered during an actual pentest. After reading a blog or two, […]

Read the entire post here

Author, External/Internal, General InfoSec Tips & Tricks, Melissa Bruno, Web App

For Web Content Discovery, Who You Gonna Call? Gobuster!

Melissa Bruno // One of the best early steps to take when testing a network, especially a large one, is to run the tool EyeWitness to gain a quick understanding […]

Read the entire post here

Author, General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101, Joff Thyer, Web App Joff Thyer

Web App Pen Testing in an Angular Context

Joff Thyer // If you are a fan of web application pen testing, you have been spoiled with a lot of easy pickings over the years. We all love our […]

Read the entire post here

External/Internal, How-To, Informational, Password Spray, Red Team, Red Team Tools, Web App Bypass IP Filtering, Darin Roberts, Foxy Proxy, IP Rotation, password spray, ProxyCannon, ProxyMesh

How To Rotate Your Source IP Address

Darin Roberts// IP-Go-Round – Source IP Rotation I was on an engagement recently that was blocking my password sprays based on my IP address. If I made 3 incorrect requests […]

Read the entire post here

Informational, Web App CORS, Cross Origin Request Sharing, Web App

CORS Lite

Dakota Nelson// Cross Origin Request Sharing (CORS) is complicated, and that complexity creates a lot of places where security vulnerabilities can sneak in. This article will give you a “lite” […]

Read the entire post here

00298_05072018_WEBCAST_WebAppAssessments

Author, Brian King, Web App, Webcasts Web App, Web App Assessment, Web Apps, webcast, webcasts

WEBCAST: Web App Assessments for Non-Majors

BB King // BB King looks at testing modern web apps in that “enterprise environment” so many of us inhabit. Taking the perspective of the Lonely Application Security Person in […]

Read the entire post here

00275_02202018_WhenInfosecAndWeedCollide

Author, Brian King, Informational, News, Web App audit, authentication, government, legal, ohio, potheads, webapp, webapp test

When Infosec and Weed Collide: Handling Administrative Actions Safely

BB King//* The state of Ohio recently validated a webapp pentest finding that sometimes goes overlooked. It relates to the details of administrative functions, how they can be abused, and […]

Read the entire post here

Author, External/Internal, How-To, Jordan Drysdale, Web App Digital Ocean, Jordan Drysdale, Nessus, Vulnerability Scanning

How to Scan Millions of IPv4 Addresses for Vulnerabilities

Jordan Drysdale// Some days are not like others. Some days, you might get tasked with scanning a million IP addresses. Here’s how I did it: Let’s go through some finer […]

Read the entire post here

External/Internal, Red Team, Web App Apache Struts, Unauthenticated Remote Code Execution

Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts // Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here: https://github.com/rapid7/metasploit-framework/issues/8064 Save the exploit […]

Read the entire post here

1 2