Tag: TechInsights

Articles tagged with TechInsights

TechInsights Articles

From low-privileged user to Remote Code Execution: step-by-step pentest journey

12 July, 2024

In the world of web application security, some vulnerabilities are naturally less impactful than others. We often hear about direct, short, and simple attacks that can compromise an entire server or application. Sometimes, however, it is chaining multiple, less dangerous vulnerabilities that leads to serious consequences. Here we will go through a case from one of the pentests from a couple of weeks ago, where having a low-privileged user account allowed us first to read the application source code, then to escalate to admin, and finally to obtain remote code execution.

READ article

Elevating privileges via a XSS and authorization bypass attack

Sebastian Jeż

21 June, 2024

A highly effective attack method combines Reflected Cross-Site Scripting (XSS) and authorization vulnerabilities. This attack lets hackers gain unauthorized administrative access. It requires social engineering to trick an administrator into running malicious JavaScript code, which then changes user permissions, potentially taking over accounts.

READ article

Few steps on how to take over a whole application

Sebastian Jeż

14 June, 2024

In a recent penetration test, I found a vulnerability in the password reset tokens within a system's audit trail functionality. This flaw can lead to arbitrary account takeover, allowing attackers to hijack user accounts, including those with high-level privileges.

READ article

Insider threat - why security measures don't matter. Part 1

Dominik Antończak

09 February, 2024

A sneaky security threat that combines Blind XSS with data exfiltration techniques poses a significant risk, allowing adversaries to insert persistent HTML/JavaScript code that executes within the domain context of an application. This vulnerability can be exploited to steal any data from the application or perform actions on behalf of another user.

READ article

Better safe than sorry - The Imperative of Double-Checking Application Architecture Before Launch.

MICHAŁ ŻACZEK

12 January, 2024

Every application's journey from conception to release involves critical steps within the Software Security Development Life Cycle (SSDLC). Paramount among these is the Design Phase, where the application's architecture is conceptualized. This step is fundamental in determining the coding approach and necessitates careful consideration, especially from a security standpoint. Key aspects like data processing and storage need thorough examination.

READ article

Hacking the invisible: A deep dive into Sub-GHz communication and flaws in the devices we use every day

MATEUSZ KOWALCZYK

08 December, 2023

In our modern world, remote control technology is an ever-present part of daily life. This includes everything from the key fobs in our pockets to the remote controls on our coffee tables. But what lies behind the magic of these devices? In this article, we delve into the world of Sub-GHz communication, a technology in remote control systems, particularly those used for controlling entrance gates or garage doors

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?