How to Scan Millions of IPv4 Addresses for Vulnerabilities
Jordan Drysdale// Some days are not like others. Some days, you might get tasked with scanning a million IP addresses. Here’s how I did it: Let’s go through some finer […]
Web App
Strutting your stuff – Unauthenticated Remote Code Execution
Carrie Roberts // Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here: https://github.com/rapid7/metasploit-framework/issues/8064 Save the exploit […]
OS Command Injection; The Pain, The Gain
Carrie Roberts // OS Command Injection is fun. I recently found this vulnerability on a web application I was testing (thanks to Burp Suite scanner). I was excited because I […]
Three Minutes with the HTTP TRACE Method
Brian King // All of our scanning tools tell us that we should disable the HTTP TRACE and TRACK methods. And we all think that’s because there’s something an attacker […]
Using Recursive Grep to Test Per-Request CSRF-Token Protected Pages
David Fletcher // Cross-Site Request Forgery (CSRF or XSRF) is an attack which is used to execute a transaction on behalf of a victim user against a vulnerable web application. […]
Let’s Talk About Direct Object References
Kelsey Bellew // Maybe you don’t know what Direct Object References mean, if you Google it, you’d get this: This description uses the words “direct”, “object” and “reference” to describe a […]
Pentesting ASP.NET Cookieless Sessions with Burp
Carrie Roberts & Brian King // We were recently testing a web application that used ASP.NET cookieless sessions. This meant that the session token was part of the URL as shown in the […]
Using Simple Burp Macros to Automate Testing
David Fletcher // Recently, while assessing a web application I noticed content on one of the pages that appeared to be derived from sensitive information stored within the site’s user […]
Service Detection – Tomcat Manager, From “Info” to “Ouch”
Carrie Roberts // Continuing on the thread of highlighting Nessus vulnerability scan results that turned out to be more severe than reported . . . I always review the “Info” level “Service Detection” […]