As we look back on Q1 we’re highlighting some of the blogs and contributions our pentesters have made to the security community. Our Core members, as we like to call our pentesters, frequently contribute their expertise in the form of blogs, and helpful tips to spread awareness amongst their security colleagues.
ImpressCMS: from unauthenticated SQL injection to RCE by Egidio Romano
Egidio walks us through how ImpressCMS works, and how to best use it. ImpressCMS is an open-source Content Management System that is used when managing multilingual websites.
Dirty Pipe Explained -CV-2022-0847 by Sheeraz Ali
In March, security researcher Max Kellermann published the vulnerability nicknamed ‘Dirty-Pipe’ which allows an attacker to perform a local privilege escalation. Sheeraz broke down just how this vulnerability works.
How to Kerberos? its components and function by Sheeraz Ali
Have you heard of Kerberos? It’s a tool that provides secure authentication on an insecure network. Sheeraz walked us through just how exactly it functions.
Remote code execution vulnerability uncovered in Hashnode blogging platform featuring Aditya Dixit
In February Aditya found a remote code execution vulnerability in the blogging platform Hashnode which is often used by those in the engineer and developer community. He actually found this vulnerability when he was trying to upload a blog himself. Check out this article from the Daily Swig about the experience.
Exploiting DOM Based XSS via Misconfigured postMessage() Function by Armaan Pathan
Armaan wrote a blog about how to exploit DOM-based XSS through misconfigured post message function. This relates to being able to bypass the same-origin policy when working with two sites.
AutoSmuggle by Suraj Khetani
Suraj created a utility to quickly create your HTML smuggled files.