Tag: Pentesting

Articles tagged with Pentesting

Pentesting Articles

Symfony Profiler in Production – An Entry Point for Sensitive Data Leaks and Remote Code Execution

03 January, 2025

During a security audit, a web application using an outdated version of the Symfony framework was identified. The analysis revealed the presence of the Symfony Profiler tool, which is commonly used for debugging applications during development. The Profiler provides detailed information about the application's operation, which is useful for developers. However, in a production environment, its availability can lead to the disclosure of sensitive information and, in some cases, remote code execution on the server.

READ article

From an AWS Cognito Misconfiguration to Full Account Takeover

Securitum

30 December, 2024

Issues with AWS Cognito configuration can expose applications to significant abuse, including privilege escalation attacks. The discovered vulnerability allows users to modify their attributes, potentially granting access to resources belonging to other entities in the system.

READ article

Session Fixation: A „Hidden Threat” to Web Application Security

Marcin Zięba

20 December, 2024

Session fixation is a security vulnerability that occurs when an attacker forces a legitimate user to utilize a predetermined session identifier (session ID). This allows the attacker to hijack the session and impersonate the victim once they authenticate with the web application. The vulnerability arises when an application fails to properly regenerate a new session ID upon user authentication, thereby continuing to use the preexisting session ID provided by the attacker. Common attack vectors include injecting the session ID through URL parameters, cookies, or hidden form fields.

READ article

Heartbleed Vulnerability in 2024: A Fresh Case from Our Pentest

Paweł Różański

20 September, 2024

During a recent security audit, vulnerability known as The Heartbleed Bug was discovered on two publicly accessible servers. What is interesting it is a fact that this vulnerability was discovered 10 years ago! It allows an attacker to access data directly from the memory of vulnerable systems. In fact, it enables the extraction of sensitive information, including credentials, without any pre-existing access or authentication requirements.

READ article

Denial of Service Due to Improper Handling of Decimal Values

Dariusz Tytko

13 September, 2024

During one of my recent pentests, I found an interesting Denial of Service (DoS) vulnerability that allows an attacker to cause the server to become unavailable. The severity of this vulnerability has been classified as HIGH because it can be exploited with a single HTTP request.

READ article

Password reset flaw: when anyone can reset your password

Sebastian Jeż

29 May, 2024

During rigorous testing, security researchers uncovered a significant weakness in the password reset mechanisms used by numerous online platforms. By exploiting the seemingly harmless phone number field, an attacker can compromise a victim's account. The vulnerability lies in the mishandling of a four-digit code, which, instead of being sent solely to the owner's phone, is also included in the server's response. This oversight turns a seemingly harmless feature into a gateway for hackers to infiltrate users' digital lives.

READ article

Why you shouldn't (again) roll your own cryptography - real-life case in 2024.

Mateusz Lewczak

17 May, 2024

In the last part of our series "Why You Shouldn't Roll Your Own Cryptography," I talked about a custom hashing algorithm using Triple-DES. Today, I'll present another case from a desktop application that used a completely custom "hashing" algorithm. It's important to note that the application was written in a native language, so some reverse engineering will be involved.

READ article

How a simple lack of SMS code verification can compromise financial security

Securitum

30 April, 2024

During audits, it's crucial to check all possible attack vectors, even the seemingly obvious functionalities. This diligence led us to discover, during one of our web application audits, that the server does not verify the correctness of the SMS code used by applicants during the credit request process, either at the start or at the final document signing stage. In short: a credit application without any verification.

READ article

Multiple Benefits from a Single Action: The Dangers of Race Conditions in Your Application!

Adam Borczyk

19 April, 2024

When multiple application threads work on the same data concurrently, there is a risk of data inconsistency or data collisions. Database engineers have tackled this problem since the early days of database engines by introducing atomic transactions. However, web applications remain vulnerable to an attack known as a race condition.

READ article

Exploring DaaS Security - part 2: Other available applications on the machine (3rd party)

Mateusz Lewczak

12 April, 2024

When dealing with applications used by regular company employees, often involved in paperwork, it's likely that cloud environments will also include office applications, image viewers, and possibly File Explorer. While these are not hacking tools, they can still be utilized in ways that facilitate access to the system's shell.

READ article

Having trouble during your pentest? Could an LLM come to your rescue?

MACIEJ KISIELEWICZ

05 April, 2024

In this article we will discover whether an LLM can actually deliver value as a pentest assistant or a standalone hacking agent. With the AI revolution taking place, it's no wonder that penetration testers are also taking notice and employing LLM agents to help with their daily tasks.

READ article

Exploring DaaS Security: A Comprehensive Guide Based on Vulnerabilities Uncovered in Real Pentests - part 1

Mateusz Lewczak

15 March, 2024

We're experiencing a real renaissance among desktop applications, thanks to cloud services that have added Desktop As A Service to their offerings. This service allows us to stream the image of a native application running on a cloud machine directly to our browser. We interact with it as we would with a normal application, except that, by design, we have limited access to the system. And that's our main goal as pentesters - to escape from the Matrix (application) into the system shell! In a conventional test of a desktop application, the focus is primarily on the application itself and its associated files. However, for applications running under DaaS, the audit extends to the entire runtime environment.

READ article

Crashing servers with digits: floating-point numbers DoS vulnerabilities

Martin Matyja

10 March, 2024

A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a system or network, in this case – a web application. One sophisticated form of such an attack exploits vulnerabilities in the processing of floating-point numbers. In our scenario, attackers manipulate the system's handling of floating-point arithmetic, leading to inaccurate calculations and potential system failures. This method challenges the reliability of numerical computations and poses a serious threat to the stability and availability of targeted systems.

READ article

Server shutdown via GraphQL during real-life pentest

KAMIL JAROSIŃSKI

19 February, 2024

GraphQL is a query language and environment created by Facebook in 2012 and released publicly in 2015. However, it has only gained significant popularity among developers and organizations in the last few years. Why is it so popular? GraphQL serves as an alternative to traditional API protocols, like REST, offering a more flexible and efficient way for client-server communication. The emergence of new technology opens up new perspectives and solves some problems, but unfortunately, it also introduces threats. This is the case with GraphQL. If used without proper knowledge, it could potentially allow for a DoS (Denial of Service) attack.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?