
Pentest chronicles

In this section we share stories about vulnerabilities found during real-life penetration tests conducted by experienced testers. Check out our approach to testing web, mobile and desktop applications, as well as infrastructure and cloud systems. You'll get a step-by-step view of how we find vulnerabilities and the methods we advise to defend against them. Dive in and see what we've uncovered!

Latest pentest chronicle

Exploring DaaS Security - part 2: Other available applications on the machine (3rd party)

Mateusz Lewczak

March 15, 2024

When dealing with applications used by regular company employees, often involved in paperwork, it's likely that cloud environments will also include office applications, image viewers, and possibly File Explorer. While these are not hacking tools, they can still be utilized in ways that facilitate access to the system's shell.


All pentest chronicles

Exploring DaaS Security: A Comprehensive Guide Based on Vulnerabilities Uncovered in Real Pentests - part 1

Mateusz Lewczak

March 15, 2024

We're experiencing a real renaissance among desktop applications, thanks to cloud services that have added Desktop As A Service to their offerings. This service allows us to stream the image of a native application running on a cloud machine directly to our browser. We interact with it as we would with a normal application, except that, by design, we have limited access to the system. And that's our main goal as pentesters - to escape from the Matrix (application) into the system shell! In a conventional test of a desktop application, the focus is primarily on the application itself and its associated files. However, for applications running under DaaS, the audit extends to the entire runtime environment.


Unicode's role in XSS vulnerabilities.

Jacek Siwek

March 04, 2024

Web application security is a crucial concern in today's digital landscape. Cross-Site Scripting (XSS) attacks pose a significant threat to web applications, allowing attackers to inject malicious scripts into trusted websites. Request validation mechanisms are implemented to mitigate such attacks by blocking certain characters or patterns commonly associated with malicious code. However, recent discoveries suggest that there is a possibility of bypassing these validation mechanisms using Unicode characters, which could lead to successful XSS attacks.


Insider threat - The average insider threat attack scenario. How attackers can take over an entire domain in a few steps. Part 2.


February 23, 2024

Have you ever wondered how little it takes to take over an Active Directory domain? Have you considered using some exploit? Nah, using exploits is not a fancy way and can be easily detected, and if anything, that option remains as a last resort. As savvy "hackers", we possess the right knowledge to navigate the network smoothly without making noise. Sometimes it takes a few steps, and just as Neil Armstrong said, it's one small step for man…, but for us hackers, taking over one system is a small step towards taking over the entire network. In this scenario, I'll demonstrate how the ability to analyze acquired information, coupled with a few sublime actions, was sufficient to take over the entire domain of a company consisting of 500-1000 users.


Server shutdown via GraphQL during real-life pentest


February 19, 2024

GraphQL is a query language and environment created by Facebook in 2012 and released publicly in 2015. However, it has only gained significant popularity among developers and organizations in the last few years. Why is it so popular? GraphQL serves as an alternative to traditional API protocols, like REST, offering a more flexible and efficient way for client-server communication. The emergence of new technology opens up new perspectives and solves some problems, but unfortunately, it also introduces threats. This is the case with GraphQL. If used without proper knowledge, it could potentially allow for a DoS (Denial of Service) attack.


Insider threat - why security measures don't matter. Part 1

Dominik Antończak

February 09, 2024



Persistent threats via blind XSS and subsequent data exfiltration - tips and tricks from a security perspective.


February 05, 2024

A sneaky security threat that combines Blind XSS with data exfiltration techniques poses a significant risk, allowing adversaries to insert persistent HTML/JavaScript code that executes within the domain context of an application. This vulnerability can be exploited to steal any data from the application or perform actions on behalf of another user.


Better safe than sorry - The Imperative of Double-Checking Application Architecture Before Launch.


January 12, 2024

Every application's journey from conception to release involves critical steps within the Software Security Development Life Cycle (SSDLC). Paramount among these is the Design Phase, where the application's architecture is conceptualized. This step is fundamental in determining the coding approach and necessitates careful consideration, especially from a security standpoint. Key aspects like data processing and storage need thorough examination.


Beyond fingerprints: Discussing the challenges of behavioral biometrics security


December 01, 2023

Behavioral biometrics is an increasingly common element of the security of our bank accounts. It considers the way we type on a keyboard, move a mouse, use audio/video equipment, and even how we hold our phone. As it turns out, each of us performs these activities in a different way, and although these are small differences, with the use of Machine Learning, we are able to assess whether banking operations are performed by the account owner.


Unveiling hidden data: a log file's security breach


November 10, 2023

Unveiling hidden data during a 2023 pentest: how a misplaced log file can compromise 2FA security. Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as:

• ffuf,
• dirbuster,
• gobuster.

During the discussed test, I used the ffuf tool with a basic dictionary available publicly:


Demystifying Prototype Pollution and its link to DOM XSS

Kalina Zielonka

October 03, 2023

JavaScript, the backbone of many web applications today, brings with it flexibility and potential. At the core of its architecture, every element we interact with is essentially an object, each with its own unique properties and methods.

The Role of Prototypes in JavaScript

Prototypes allow JS to share attributes or properties between different objects. Every object in JS has a prototype object associated with it, which gives that object its own properties. In other words, an object in JS inherits all the properties of its prototype.


The Silent Threat of ReDoS: 2023 Real-Life Pentest Case


September 26, 2023

Regular Expression Denial of Service (ReDoS) is a type of vulnerability that arises when an attacker submits a specially crafted input to an application that utilizes regular expressions to validate or process user input. The attacker's input aims to activate a slow or inefficient regex pattern, leading the application to consume excessive resources, such as CPU time or memory. This can result in denial of service (DoS) or system slowdowns. ReDoS attacks are especially concerning because they can be launched with ease and have the potential to inflict considerable financial harm to the affected organization.


Why you shouldn't roll your own cryptography - real-life case in 2023.


August 28, 2023

In the world of IT, a common practice has emerged where cryptography is developed by a group of researchers possessing a strong mathematical background, while developers implement ready-made solutions and ensure that they are up-to-date and meet the best security practices. Taking this into consideration and adding the fact that desktop application testing is often carried out by pentesters who may overlook issues related to encryption or hashing, while focusing on searching for known vulnerabilities, it should be expected ...


How Private Cache Can Lead to Mass Account Takeover – pentest case

Mateusz Kowalczyk

July 12, 2023

In many situations, minor vulnerabilities might seem like small fish in the vast ocean of cybersecurity threats. They’re often marked as low severity and thus, overlooked by developers who assume that the conditions for their exploitation are too complicated to be met. However, in this article, we’re going to challenge that assumption and show you …


A small oversight with big consequences: how a minor mistake can lead to the compromise of your Domain Controller.

Dominik Antończak

August 4, 2023

Have you ever wondered how much information you can glean about others through observation? In the real world, when we're in public places, we're not always conscious of who's watching us and what information they're gathering about us.


When Usernames Become Passwords: A Real-World Case Study of Weak Password Practices

Michał Wnękowicz

June 9, 2022

In today's world, ensuring the security of our accounts is more crucial than ever. Just as keys protect the doors to our homes, passwords serve as the first line of defense for our data and assets. It's easy to assume that technical individuals, such as developers and IT professionals, always use strong, unique passwords to keep their accounts secure. However, this is not always the case; for example, ...


© 2023 Securitum. All rights reserved.