Tag: RealWorldPentests

Articles tagged with RealWorldPentests

RealWorldPentests Articles

How a simple lack of SMS code verification can compromise financial security

30 April, 2024

During audits, it's crucial to check all possible attack vectors, even the seemingly obvious functionalities. This diligence led us to discover, during one of our web application audits, that the server does not verify the correctness of the SMS code used by applicants during the credit request process, either at the start or at the final document signing stage. In short: a credit application without any verification.

READ article

Multiple Benefits from a Single Action: The Dangers of Race Conditions in Your Application!

Adam Borczyk

19 April, 2024

When multiple application threads work on the same data concurrently, there is a risk of data inconsistency or data collisions. Database engineers have tackled this problem since the early days of database engines by introducing atomic transactions. However, web applications remain vulnerable to an attack known as a race condition.

READ article

Exploring DaaS Security - part 2: Other available applications on the machine (3rd party)

Mateusz Lewczak

12 April, 2024

When dealing with applications used by regular company employees, often involved in paperwork, it's likely that cloud environments will also include office applications, image viewers, and possibly File Explorer. While these are not hacking tools, they can still be utilized in ways that facilitate access to the system's shell.

READ article

Exploring DaaS Security: A Comprehensive Guide Based on Vulnerabilities Uncovered in Real Pentests - part 1

Mateusz Lewczak

15 March, 2024

We're experiencing a real renaissance among desktop applications, thanks to cloud services that have added Desktop As A Service to their offerings. This service allows us to stream the image of a native application running on a cloud machine directly to our browser. We interact with it as we would with a normal application, except that, by design, we have limited access to the system. And that's our main goal as pentesters - to escape from the Matrix (application) into the system shell! In a conventional test of a desktop application, the focus is primarily on the application itself and its associated files. However, for applications running under DaaS, the audit extends to the entire runtime environment.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?