Securitum

IT services and IT consulting

Leading European pentesting company

About

Securitum is a leading penetration testing company from Europe. We conducted 735 commercial pentest projects in 2022 alone. We specialize in penetration testing of:
- web applications
- mobile applications
- cloud infrastructure
- IT & network infrastructure
- configuration analysis
- source code review

as well as:
- OSINT
- social engineering
- red teaming
- SSDLC implementation

Securitum has been providing penetration testing services since 2009. The highest level of service is guaranteed by a team of 50+ people, whose quality of work is confirmed by certificates, publications and references received from our clients.

Website
http://securitum.com
Industry
IT services and IT consulting
Company size
51-200 employees
Headquarters
Kraków
Type
Privately held
Founded
2009

Locations

Securitum employees

Updates

    🔒 Two new CVEs - update your WordPress plugins❗

    We just published a new article! Our auditor, Robert Kruczek, discovered two new CVEs during some bug hunting in the WordPress plugin FooGallery 2.4.14, used by more than 50 thousand users❗ In this article, Robert provides a step-by-step guide to exploiting these XSS vulnerabilities. Additionally, we have attached a Proof of Concept to demonstrate the findings in detail.

    📖 Read the full article and PoC on our website: https://lnkd.in/d9sWU83n

    #CyberSecurity #PenetrationTesting #NetworkSecurity #Infosec #XSS #FooGallery #CVE

    🔒 Elevating privileges via XSS and authorization vulnerabilities. 🔒 New #PentestChronicles.

    We have just published a new article by our auditor, Sebastian Jeż, detailing a complex attack method used during a real penetration testing case. This tutorial demonstrates how to combine XSS and authorization bypass to gain unauthorized administrative access.

    In this article, you will learn:
    👉 how attackers can identify and exploit XSS vulnerabilities.
    👉 the step-by-step process of combining XSS with authorization bypass to escalate privileges.
    👉 practical steps based on actual pentest experience.

    📖 Read the full article on our website: https://lnkd.in/d4KDb4yq

    #CyberSecurity #PenetrationTesting #NetworkSecurity #Infosec #XSS #AuthorizationBypass #TechInsights #RealWorldPentest

    📣 A few steps on how to take over a whole application ❗

    We have just published a new article detailing a vulnerability discovered by Sebastian Jeż during a recent penetration test. This flaw in the password reset token handling within a system's audit trail functionality allows attackers to hijack user accounts, including those with high-level privileges.

    In this article, we provide a comprehensive overview of the vulnerability, helping you understand the flaw and its implications. We also offer a step-by-step guide on how attackers can exploit this weakness. Furthermore, as always, we share best practices and recommendations to safeguard against such vulnerabilities.

    📖 Read the full article on our website: https://lnkd.in/dsjaharJ

    Stay informed and stay secure!

    #CyberSecurity #PenetrationTesting #NetworkSecurity #Infosec #VulnerabilityManagement #TechInsights #PentestChronicles

    🔒 How a simple vulnerability allowed proxying TCP traffic - real pentest case 🔒

    We've published a new article by Dariusz Tytko detailing a vulnerability discovered during a recent penetration test. This flaw in the server allows attackers to proxy TCP traffic, enabling unauthorized access to both external and internal systems.

    In this article, we cover:
    👉 Detailed exploitation steps: understand how attackers can exploit this vulnerability.
    👉 Case studies: real examples of accessing external systems and internal configurations.
    👉 Mitigation strategies: learn how to secure your infrastructure against such threats.

    📖 Read the full article: https://lnkd.in/g-Y-GRAr

    Stay informed and stay secure!

    #CyberSecurity #PenetrationTesting #NetworkSecurity #Infosec #VulnerabilityManagement #STUN #TURN #PentestChronicles

    🚨 Exploiting PDF generation vulnerability: a case study from a real pentest 🚨

    Our team discovered a vulnerability in a web application that allows unauthorized access to sensitive resources. This flaw enables attackers to access local server files and data on other servers within the same network, posing a severe security risk.

    This article provides an in-depth analysis of the SSRF vulnerability, including technical details and a proof of concept. We also offer practical recommendations to mitigate this risk and enhance your application's security. Read the full article to stay informed and ensure your systems are protected.

    🔗 https://lnkd.in/g7t2FJDw

    #CyberSecurity #WebSecurity #PenetrationTesting #InfoSec #DataProtection #PentestChronicles

    📢 New article alert ❗ 🔒 Password reset flaw - when anyone can reset your password 🔒

    Discover a critical vulnerability in password reset mechanisms in our latest article. Our auditor, Sebastian Jeż, provides in-depth insights into how logical flaws in these functionalities can be exploited, compromising user accounts with minimal effort. These kinds of vulnerabilities are more common than you'd think, and understanding them is crucial. A simple oversight during the development phase can lead to serious security issues, as highlighted in our latest research.

    In this article, we cover:
    👉 The step-by-step process of how attackers can exploit this flaw.
    👉 The potential consequences for individuals and organizations.
    👉 Mitigation strategies to safeguard against such vulnerabilities.

    As a professional penetration testing company, we regularly encounter cases like this. Our goal is to help businesses enhance their security and prevent such risks.

    👉 Read the full article on our website: https://lnkd.in/drtNH5Sq

    Stay informed and stay secure!

    #CyberSecurity #PenetrationTesting #PasswordReset #Vulnerability #DataProtection #PentestChronicles

    Securitum reposted this
    📢 New public penetration testing report available! 📢

    We are excited to announce the release of our latest penetration testing report, now available on our website!

    🔍 Report overview: We conducted an extensive penetration test on a company's external network infrastructure (WAN). Our detailed findings and recommendations aim to help organizations improve their security measures.

    💡 Key highlight: During our tests, we found several Denial of Service (DoS) vulnerabilities that could severely impact the availability of services.

    💡 Interesting insight: During our tests, we discovered that due to the lack of proper server configuration, the Apache server was vulnerable to a well-known Slowloris attack (first mentioned in 2007!). During the tests, we combined it with the seemingly harmless CVE-2023-43622, a vulnerability in the HTTP/2 protocol handling. This combination allowed us to rapidly deplete the pool of available sockets, causing the unavailability of the WWW service.

    🔗 Read the full report here: https://lnkd.in/ggEydSrC
    📕 Check out our other public reports at: https://lnkd.in/gTJQMamm

    Why read this report?❓
    👉 Stay informed: understand the latest security threats and vulnerabilities.
    👉 Protect your network: learn from our findings to enhance your own security measures.
    👉 Expert insights: gain valuable recommendations from our experienced penetration testers.

    Don't miss out on this opportunity to stay ahead of potential threats. Visit our website to download and read the full report.

    #PenetrationTesting #CyberSecurity #PublicReport #WAN #ExternalNetworkInfrastructure

    🔐 Another #PentestChronicle, another problem with cryptography 🔐

    We've just completed a revealing pentest that clearly illustrates the risks of custom cryptography! Check out Mateusz Lewczak's article, "Why you shouldn't (again) roll your own cryptography - real-life pentest showcase from 2024," where we dive into a recent case where custom crypto led to some serious security problems.

    🚀 What's Inside:
    👉 We're always on the hunt for those tricky, complex vulnerabilities.
    👉 Our latest findings show how even well-meaning crypto can open doors for attackers if not done right.
    👉 We start with some theory and then, based on this, we discuss THREE different attack vectors on the tested cryptography algorithm.

    It's a real talk on the importance of sticking to the security standards and why getting creative with cryptography could backfire.

    📖 Dive into the full story here: https://lnkd.in/degnnd5g

    #Cybersecurity #PentestChronicles #Cryptography #InfoSec

    🚨 CRASHING SERVER WITH DIGITS❗ Fresh Case from a REAL pentest🚨

    Are you using decimals in your web application? It might seem harmless, but a simple request could make your application unavailable to your clients. Discover the real vulnerabilities linked to floating-point numbers and how they can be exploited in production environments.

    In our latest #PentestChronicles article, Martin Matyja delves into a sophisticated form of DoS attack that manipulates floating-point arithmetic to cause disruptions. We've included real-life pentest scenarios that illustrate how attackers can use these methods to induce system failures.

    Key Takeaways: 💡
    👉 Understand how floating-point numbers can be exploited by cybercriminals.
    👉 Explore effective strategies to enhance the security of your systems.
    👉 Learn from detailed examples and practical solutions how to check your application's resilience.

    🔗 Read the full article here: https://lnkd.in/dEZC8N5n

    #Cybersecurity #DoSAttack #WebSecurity #Pentesting #InfoSec #PentestChronicles


Similar pages