Finding

External/Internal, Finding, General InfoSec Tips & Tricks, How-To, Melissa Bruno, Web App IDOR, Insecure Direct Object Reference

Revisiting Insecure Direct Object Reference (IDOR)

The new year has begun, and as a penetration tester at Black Hills Information Security, one thing really struck me as I reflected on 2023: a concerningly large number of […]

Read the entire post here

Finding, How-To, Informational, Isaac Burton, Web App Prototype Pollution, Web API

Hit the Ground Running with Prototype Pollution  

Isaac Burton // For as long as we have known about prototype pollution vulnerabilities, there has been confusion on what they are and how they can be exploited. We’re going […]

Read the entire post here

Author, Finding, Fun & Games, General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101, Jason Blanchard, Webcasts Jason Blanchard

Webcast: How to Hunt for Jobs like a Hacker

Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these […]

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Spotify | Amazon Music | RSS

Read the entire post here

Author, Finding, General InfoSec Tips & Tricks, How-To, Informational, InfoSec 101, Justin Angel, Phishing, Recon, Red Team, Red Team Tools Justin Angel, LinkedIn, Parsuite, Peasant, SendGrid

Collecting and Crafting User Information from LinkedIn

Justin Angel // Penetration testing and red team engagements often require operators to collect user information from various sources that can then be translated into inputs to support social engineering […]

Read the entire post here

Author, Blue Team, Blue Team Tools, Finding, How-To, Hunt Teaming, Informational, John Strand, Podcasts ADHD, Black Hat, Cyber Deception, Honey Tokens, Honeypots, john strand, Tracking, training

BHIS PODCAST: Tracking attackers. Why attribution matters and how to do it.

In this BHIS podcast, originally recorded as a live webcast, we cover some new techniques and tactics on how to track attackers via various honey tokens.  We cover how to […]

Podcast: Play in new window | Download

Subscribe: Apple Podcasts | Spotify | Amazon Music | RSS

Read the entire post here

Author, Blue Team, External/Internal, Finding, Jordan Drysdale, Red Team BlueTeam, Cisco, External Pentest, internal pentest, Inventory, Jordan Drysdale, Nessus, RedTeam, SIET

Cisco Smart Installs and Why They’re Not “Informational”

Jordan Drysdale // tl;dr Cisco Smart Install is awesome (on by default)…for hackers… not sysadmins. So, you Nessus too? Criticals and highs are all that matter! Right??? Until this beauty […]

Read the entire post here

Blue Team, Finding, General InfoSec Tips & Tricks, How-To, Informational after the pen test, how to deal with you penetration test results, What to do after a penetration test, what to do after a pentest

What to Expect After a Pen Test

Scott Worden* // So you and your company had a pen test…now what? What to do, how to plan, and good SQUIRREL! ways to stay on track.   The 3 […]

Read the entire post here

Author, David Fletcher, Finding encryption, Secure Sockets Layer, SSL, TLS, Transport Layer Security, Web

Finding: Server Supports Weak Transport Layer Security (SSL/TLS)

David Fletcher// The following blog post is meant to expand upon the findings commonly identified in BHIS reports.  The “Server Supports Weak Transport Layer Security (SSL/TLS)” is almost universal across […]

Read the entire post here

Author, David Fletcher, Finding, Informational bad passwords, password, password policy, weak password

Finding: Weak Password Policy

David Fletcher// The weak password policy finding is typically an indicator of one of two conditions during a test: A password could be easily guessed using standard authentication mechanisms. A […]

Read the entire post here