Hack of the Month

Bypassing Threatlocker With Powershell

June 2023 – We discuss and highlight how we bypassed one of the most heavily used ‘zero trust’ application whitelisting platforms. Their homepage ironically states that they block execution of anything not explicitly whitelisted ‘including ransomware’ but as we will show that wasn’t entirely accurate…

Hidden in Plain Sight

May 2023 – In this edition, we highlight how a decommissioned application was not fully removed as expected, allowing us to abuse legacy functionality to compromise an enormous amount of client and PII data.

Single Sign On Security

SAML Shenanigans

March 2023 – With single sign-on becoming more common during our assessments, we cover one of the vulnerabilities we discovered during an engagement that let us forge SAML responses to escalate privileges in a web application.

You Are The Weakest Link, GoodLFI

In February 2023, we completed a web application security assessment for a new client within the legal field. What followed was a series of hurdles, followed by jumps and yet more hurdles, to eventually end up with a full working attack chain and LFI.

Developers Hate This One Simple (Image) Magick Trick

ImageMagick is one of those really powerful libraries that always gets mentioned in regards to anything to do with image processing. Sure enough, it’s a case of doing “apt install” and then installing the relevant binding for whatever programming language is being used. And away you go: you now have support for dozens of image formats and the ability to resize, convert between them, add text, and so on. This is exactly what one of our clients had implemented in the web application we assessed in late January.

RCE – Really Crap Encryption

In December 2022, we completed a web application security assessment for a client who wanted assurance that their newly developed application was ready for production. The application allowed users to upload documents, rename files and create directories – basically acting as a web-based file explorer. As penetration testers, file upload functionality always raises alarm bells in our heads, as it’s deceptively difficult to implement securely.

NoSQL? No Problem.

In November 2022, we completed a web application security assessment for a new client within the health / wellbeing sector. We were told through previous discussions that the web application had both standard user accounts for everyday use and administrator accounts for backend administration. As is fairly standard with these engagements, we were given credentials for a standard user account and were tasked to see what could be achieved from this position…

Accessing the Keys to The Kingdom

In October 2022, we completed an internal security assessment for a large tech organisation with clients in the legal industry, focused around the handling of sensitive documents for other companies. The scope was focused on their “user network” – which hosted their Active Directory domain, to which all of their workstations and laptops were connected. Our scenario assumed access to their office. While this may seem like a fairly extreme position to start with, on our first day, when we arrived at their office, we were able to walk in and someone helpfully held the door open for us without asking who we were…

Compromising 5,000 Servers CTF-Style

In September 2022, we completed an internal security assessment for a large client in the tech industry. The scope was enormous – about 20,000 hosts in scope split over eight different countries. Of these 20,000 hosts, there were approximately 50 Windows machines in a single domain. Our scenario assumed a stolen laptop of the lowest privileged user. This user had a standard account on AD with no access to the Linux infrastructure.