Tag: InfoSec

Articles tagged with InfoSec

← Back to all tags

InfoSec Articles

Illustration of Let the framework guard your JWT internals - but who is guarding the framework?

Let the framework guard your JWT internals - but who is guarding the framework?

Marek Kaliszczyk

26 September, 2025

During a recent security assessment, we found a critical authentication bypass, which at the first glance looked like a classic Json Web Token (JWT) issue - no cryptographic signature verification and possibility to forge valid tokens as a result. A blackbox assessment would probably have called it a day and reported the issue as a lack of cryptographic signature verification, which would be a legitimate issue. However, since the assessment consisted of whitebox code review, it was possible to dive deeper into the application's logic.

Illustration of From SPI Sniffing to Keys: Extracting Clevis/BitLocker Secrets from TPM Traffic #HardwareHacking

From SPI Sniffing to Keys: Extracting Clevis/BitLocker Secrets from TPM Traffic #HardwareHacking

Mateusz Lewczak

10 January, 2025

In September 2024, a real-world penetration test was conducted to assess the security of a laptop using LUKS disk encryption on Linux, with Clevis facilitating automatic disk unlocking. The tested device relied on a TPM (Trusted Platform Module) to secure the decryption key used by Clevis. The focus of the test was to explore potential vulnerabilities to SPI Sniffing attacks.

Illustration of Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Hacking - Man-in-the-Middle and Brute-force in Action. Part 2 of 2.

Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Hacking - Man-in-the-Middle and Brute-force in Action. Part 2 of 2.

29 November, 2024

In first part of this article, I described how do we analyze protocols during mobile applications testing. During this analysis, I noticed that the Diffie–Hellman protocol is used to exchange encryption keys. The protocol implementation was audited, and I discovered that it is prone to two attacks: Man-in-the-Middle and brute-force. Each of these attacks compromise the security of the protocol, allowing attackers to view and modify the data sent between the mobile applications and the servers.

Illustration of Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Analysis and Toolkit Setup. Part 1 of 2.

Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Analysis and Toolkit Setup. Part 1 of 2.

22 November, 2024

During one of latest pentests I tested mobile application. To perform analysis of the communication protocol and prepare a toolkit for testing network communication, the Android version of the application was used. Protocol analysis The protocol is implemented using C++ language, the implementation is included in the native library lib/arm64-v8a/lib[…].so. Wireshark, Frida (the instrumentation toolkit) and Ghidra (a software reverse engineering framework) were used to analyze the protocol.

Illustration of Memory Heist: The Secrets and Risks of Cold Boot Attacks

Memory Heist: The Secrets and Risks of Cold Boot Attacks

Mateusz Lewczak

15 November, 2024

A Cold Boot Attack is a technique designed to capture data directly from a computer's RAM, where critical and sensitive information is often stored. What kind of data? It could be almost anything: passwords, encryption keys, user login data, or even active sessions, which could provide attackers with extensive access to the system. In short, the attacker is after any information held in RAM during computer operation, and the Cold Boot Attack allows them to retrieve it.

Illustration of Security Mechanisms vs. Application Logic: Conclusions from Mobile App Penetration Tests

Security Mechanisms vs. Application Logic: Conclusions from Mobile App Penetration Tests

31 October, 2024

In our daily work, we often come across mobile applications, primarily for Android and iOS platforms. This article describes an example that demonstrates how popular security mechanisms should not replace essential application logic. During a recent audit, we discovered a security gap that allowed a bypass of the child mode restrictions within a mobile app.

Illustration of Accessing Internal Network by WiFi Hacking - 2024 Pentest Case

Accessing Internal Network by WiFi Hacking - 2024 Pentest Case

Aleksander Wojdyła

25 October, 2024

During the last penetration test, I performed an Evil Twin attack, which involves setting up a fake access point with the same name as the legitimate one. Due to improper configuration of endpoint devices (e.g., computers, phones, tablets), users could accept an incorrect (fake, generated by the auditor) certificate identifying the network. This led to a successful capture of the authentication segment of the communication. Subsequently, the auditor subjected the captured data to brute-force attacks, resulting in the retrieval of credentials.

Illustration of From SOQL Query to Data Breach - Lessons from a Real-World Pentest

From SOQL Query to Data Breach - Lessons from a Real-World Pentest

18 October, 2024

During one of security audits of a web application, I uncovered an interesting vulnerability: the exposure of an endpoint that allows users to perform arbitrary Salesforce Object Query Language (SOQL) queries. Such functionality, when available to unauthorized users or misconfigured, poses significant security risk, especially if Row-Level Security (RLS) permissions are not properly set. In this article I will analyze technical aspects of this vulnerability, the potential risks, and steps to mitigate such issues.

Illustration of Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure

Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure

MATEUSZ Kowalczyk

11 October, 2024

During one of penetration tests, I discovered a vulnerability that allowed us to bypass a host whitelist, leading to the exposure of sensitive data. This behavior could let attackers to exfiltrate sensitive information, such as password reset tokens, to external hosts they control. The severity of this vulnerability is significant, as it opens up further attack vectors that could potentially compromise the application and its users.

Illustration of Hacking IBM AS/400 in 2024: QShell and Remote Code Execution

Hacking IBM AS/400 in 2024: QShell and Remote Code Execution

MATEUSZ Kowalczyk

04 October, 2024

A few months ago, one of our clients commissioned us to audit a customer service application that continued to use the IBM AS400 environment. These days, an emulator is needed to connect to this application. An AS/400 emulator is software designed to emulate the functionality of an AS/400 system on a different platform, such as a modern desktop or server computer. These emulators enable users to access and interact with AS/400 applications and resources without the need for physical AS/400 hardware.

Illustration of Heartbleed Vulnerability in 2024: A Fresh Case from Our Pentest

Heartbleed Vulnerability in 2024: A Fresh Case from Our Pentest

Paweł Różański

20 September, 2024

During a recent security audit, vulnerability known as The Heartbleed Bug was discovered on two publicly accessible servers. What is interesting it is a fact that this vulnerability was discovered 10 years ago! It allows an attacker to access data directly from the memory of vulnerable systems. In fact, it enables the extraction of sensitive information, including credentials, without any pre-existing access or authentication requirements.

Illustration of Denial of Service Due to Improper Handling of Decimal Values

Denial of Service Due to Improper Handling of Decimal Values

13 September, 2024

During one of my recent pentests, I found an interesting Denial of Service (DoS) vulnerability that allows an attacker to cause the server to become unavailable. The severity of this vulnerability has been classified as HIGH because it can be exploited with a single HTTP request.

Illustration of From low-privileged user to Remote Code Execution: step-by-step pentest journey

From low-privileged user to Remote Code Execution: step-by-step pentest journey

In the world of web application security, some vulnerabilities are naturally less impactful than others. We often hear about direct, short, and simple attacks that can compromise an entire server or application. Sometimes, however, it is chaining multiple, less dangerous vulnerabilities that leads to serious consequences. Here we will go through a case from one of the pentests from a couple of weeks ago, where having a low-privileged user account allowed us first to read the application source code, then to escalate to admin, and finally to obtain remote code execution.

Illustration of Two new CVEs: FooGallery's WordPress plugin

Two new CVEs: FooGallery's WordPress plugin

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

Illustration of Elevating privileges via a XSS and authorization bypass attack

Elevating privileges via a XSS and authorization bypass attack

A highly effective attack method combines Reflected Cross-Site Scripting (XSS) and authorization vulnerabilities. This attack lets hackers gain unauthorized administrative access. It requires social engineering to trick an administrator into running malicious JavaScript code, which then changes user permissions, potentially taking over accounts.

Illustration of Few steps on how to take over a whole application

Few steps on how to take over a whole application

In a recent penetration test, I found a vulnerability in the password reset tokens within a system's audit trail functionality. This flaw can lead to arbitrary account takeover, allowing attackers to hijack user accounts, including those with high-level privileges.

Illustration of How a simple vulnerability allowed proxying TCP traffic - real pentest case

How a simple vulnerability allowed proxying TCP traffic - real pentest case

During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.

Illustration of Exploiting PDF generation vulnerability: a case study from real pentest

Exploiting PDF generation vulnerability: a case study from real pentest

In a recent penetration test conducted by [Your Security Company], we identified a critical vulnerability within a web application that allowed unauthorized access to sensitive resources. This flaw permits an attacker to access both local server files and data on other servers within the same network. The vulnerability stems from improper handling of user-input data, presenting a severe security risk.

Illustration of Password reset flaw: when anyone can reset your password

Password reset flaw: when anyone can reset your password

During rigorous testing, security researchers uncovered a significant weakness in the password reset mechanisms used by numerous online platforms. By exploiting the seemingly harmless phone number field, an attacker can compromise a victim's account. The vulnerability lies in the mishandling of a four-digit code, which, instead of being sent solely to the owner's phone, is also included in the server's response. This oversight turns a seemingly harmless feature into a gateway for hackers to infiltrate users' digital lives.

Illustration of Why you shouldn't (again) roll your own cryptography - real-life case in 2024.

Why you shouldn't (again) roll your own cryptography - real-life case in 2024.

Mateusz Lewczak

In the last part of our series "Why You Shouldn't Roll Your Own Cryptography," I talked about a custom hashing algorithm using Triple-DES. Today, I'll present another case from a desktop application that used a completely custom "hashing" algorithm. It's important to note that the application was written in a native language, so some reverse engineering will be involved.

Illustration of Crashing servers with digits: floating-point numbers DoS vulnerabilities

Crashing servers with digits: floating-point numbers DoS vulnerabilities

A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a system or network, in this case – a web application. One sophisticated form of such an attack exploits vulnerabilities in the processing of floating-point numbers. In our scenario, attackers manipulate the system's handling of floating-point arithmetic, leading to inaccurate calculations and potential system failures. This method challenges the reliability of numerical computations and poses a serious threat to the stability and availability of targeted systems.

Illustration of Unicode's role in XSS vulnerabilities.

Unicode's role in XSS vulnerabilities.

Web application security is a crucial concern in today's digital landscape. Cross-Site Scripting (XSS) attacks pose a significant threat to web applications, allowing attackers to inject malicious scripts into trusted websites. Request validation mechanisms are implemented to mitigate such attacks by blocking certain characters or patterns commonly associated with malicious code. However, recent discoveries suggest that there is a possibility of bypassing these validation mechanisms using Unicode characters, which could lead to successful XSS attacks.

Illustration of Better safe than sorry - The Imperative of Double-Checking Application Architecture Before Launch.

Better safe than sorry - The Imperative of Double-Checking Application Architecture Before Launch.

MICHAŁ ŻACZEK

12 January, 2024

Every application's journey from conception to release involves critical steps within the Software Security Development Life Cycle (SSDLC). Paramount among these is the Design Phase, where the application's architecture is conceptualized. This step is fundamental in determining the coding approach and necessitates careful consideration, especially from a security standpoint. Key aspects like data processing and storage need thorough examination.

Illustration of New Year, Fresh Vulnerabilities: Unmasking Hidden Threats in Web Applications

New Year, Fresh Vulnerabilities: Unmasking Hidden Threats in Web Applications

05 January, 2024

Security flaws, sometimes overlooked as minor ones, can escalate into significant risks for entire applications. Our recent penetration test identified a critical vulnerability enabling potential account takeover at the administrative level. This write-up highlights the essential need for comprehensive security measures throughout the application development process.

Illustration of Unveiling hidden data: a log file's security breach

Unveiling hidden data: a log file's security breach

10 November, 2023

Unveiling hidden data during 2023 pentest: how a misplaced log file can compromise 2FA security. Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as: ffuf, dirbuster, gobuster. During the discussed test, I used the ffuf tool with a basic dictionary available publicly: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt

Illustration of A small oversight with big consequences: how a minor mistake can lead to the compromise of your Domain Controller.

A small oversight with big consequences: how a minor mistake can lead to the compromise of your Domain Controller.

Dominik Antończak

04 August, 2023

Have you ever wondered how much information you can glean about others through observation? In the real world, when we're in public places, we're not always conscious of who's watching us and what information they're gathering about us.

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!