Using DNS To Bypass SSRF Protections
On a recent web application penetration test, I identified a classic server-side request forgery (SSRF) vulnerability that used a denylist in an attempt to prevent active exploitation. This post details […]
Weaponizing CVE-2018-19859 Summary On a recent internal penetration test, White Oak Security discovered an outdated version of OpenRefine which is vulnerable to an unauthenticated Zip Slip attack. The vulnerability was […]
This is one part of a series of posts on how to prepare your API for a pentest. The first post was focused on Insomnia. The second was focused on […]
Modifying Security Focus With Bloodhound Prerequisite viewing: Let’s Enhance At a very basic level, Active Directory authenticates and authorizes users and computers in a Windows domain environment. It can also […]
Lately, I have received more phishing emails in my burner (test) email that are related to Amazon than ever before. This is probably due to the influx of online shopping driven […]
This is one part of a series of posts on how to prepare your API for a pentest. Other posts are located here: Insomnia. Similar to web applications, web APIs […]
For those not yet familiar with the Simple Security Fails series – previous posts are located here: part 1, part 2, part 3, part 4 Lately I have tested a […]
This is one part of a series of posts on how to prepare your API for a pentest. Check back in the near future for additional content. Similar to web […]
Before we get into the nuts and bolts of this post, I need to provide a little background. The COVID-19 pandemic has brought a number of changes to our day […]
Welcome back! We hope you’re enjoying our series on Simple Security Fails. If not, or if you have any topics that you’re interested in learning more about, hit us up! […]