Pentesting ASP.NET Cookieless Sessions with Burp
Carrie Roberts & Brian King // We were recently testing a web application that used ASP.NET cookieless sessions. This meant that the session token was part of the URL as shown in the […]
David Fletcher // Recently, while assessing a web application I noticed content on one of the pages that appeared to be derived from sensitive information stored within the site’s user […]
Derek Banks // More than occasionally I am asked how to get into Information Security as a profession. As attacks and breaches continue to escalate in frequency the demand […]
Dakota Nelson // It’s become more and more common lately to see advanced attackers using legitimate internet channels to move data in and out of networks. Social networks such as […]
Brian Fehrman //
John Strand // AV is Dead Long Live Whitelisting. We have been discovering more and more of our tests bypass AV controls with ease. We have yet to see any iteration or […]
John Strand // There have been quite a few articles lately on how compliance standard X or Y is broken. Unfortunately, this often leads to blaming the nameless and faceless people behind the […]
Joff Thyer // Many of us in the penetration testing community are used to scenarios whereby we land a targeted phishing campaign within a Windows enterprise environment and have […]