Web App

External/Internal, General InfoSec Tips & Tricks, Web App

For Web Content Discovery, Who You Gonna Call? Gobuster!

Melissa Bruno // One of the best early steps to take when testing a network, especially a large one, is to run the tool EyeWitness to gain a quick understanding […]

Read the entire post here

General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101, Web App

Web App Pen Testing in an Angular Context

Joff Thyer // If you are a fan of web application pen testing, you have been spoiled with a lot of easy pickings over the years. We all love our […]

Read the entire post here

External/Internal, How-To, Informational, Password Spray, Red Team, Red Team Tools, Web App Bypass IP Filtering, Darin Roberts, Foxy Proxy, IP Rotation, password spray, ProxyCannon, ProxyMesh

How To Rotate Your Source IP Address

Darin Roberts// IP-Go-Round – Source IP Rotation I was on an engagement recently that was blocking my password sprays based on my IP address. If I made 3 incorrect requests […]

Read the entire post here

Informational, Web App CORS, Cross Origin Request Sharing, Web App

CORS Lite

Dakota Nelson// Cross Origin Request Sharing (CORS) is complicated, and that complexity creates a lot of places where security vulnerabilities can sneak in. This article will give you a “lite” […]

Read the entire post here

00298_05072018_WEBCAST_WebAppAssessments

Web App, Webcasts Web App, Web App Assessment, Web Apps, webcast, webcasts

WEBCAST: Web App Assessments for Non-Majors

BB King // BB King looks at testing modern web apps in that “enterprise environment” so many of us inhabit. Taking the perspective of the Lonely Application Security Person in […]

Read the entire post here

00275_02202018_WhenInfosecAndWeedCollide

Informational, News, Web App audit, authentication, government, legal, ohio, potheads, webapp, webapp test

When Infosec and Weed Collide: Handling Administrative Actions Safely

BB King//* The state of Ohio recently validated a webapp pentest finding that sometimes goes overlooked. It relates to the details of administrative functions, how they can be abused, and […]

Read the entire post here

External/Internal, How-To, Web App Digital Ocean, Nessus, Vulnerability Scanning

How to Scan Millions of IPv4 Addresses for Vulnerabilities

Jordan Drysdale// Some days are not like others. Some days, you might get tasked with scanning a million IP addresses. Here’s how I did it: Digital Ocean. Amazon is too […]

Read the entire post here

External/Internal, Red Team, Web App Apache Struts, Unauthenticated Remote Code Execution

Strutting your stuff – Unauthenticated Remote Code Execution

Carrie Roberts // Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here: https://github.com/rapid7/metasploit-framework/issues/8064 Save the exploit […]

Read the entire post here

Red Team, Web App All the Shellz, hacking, metasploit, msfvenom, netcat, OS Command Injection, pen-testing, Python, Real Life Hacking, Waiting

OS Command Injection; The Pain, The Gain

Carrie Roberts // OS Command Injection is fun. I recently found this vulnerability on a web application I was testing (thanks to Burp Suite scanner). I was excited because I […]

Read the entire post here

1 2