Collaborate Disseminate
I’m testing the following /event/insert API endpoint which I believe may be vulnerable to a MongoDB injection. Specifically, I’m concerned about any/all injections that would overwrite or delete records in my Mongo location_history collect… Continue reading Is this vulnerable to a nosql injection?
I am doing a pentest which includes an API and all I have access to is Swagger UI docs. The Swagger docs don’t show me real-world data in the examples, nor do they offer a "try request" option. Some of these requests are huge POS… Continue reading Is there an automated way to generate a valid API request from Swagger docs?
As Wikipedia defines:
White-box testing is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing).
When the code is a target of its own, this i… Continue reading Are peripheral issues and systems normally considered in a white box penetration testing scope?
I am pentesting an http server using jetty, where I have access to the code.
One of the urls I am looking at is get /services/test.js
Looking at the code below:
@GET
@Path("services/{script:.+[.]js}")
@Produces(MediaT… Continue reading how to exploit pathtraversal vulnerability
I am doing the PortSwigger CSRF lab, where the token is tied to a non-session cookie, the solution to this is that we set a cookie to the users’ browser through the search field which sets the search query to set cookie
and then do a POST … Continue reading cant set cookie from request to another domain, chrome third party cookies phaseout
I am a intermediate pentester who will soon be conducting a engagement with a hospice. This is my first engagement with a network where HIPAA is involved, and I am researching how this may affect my statement of work. My research so far ha… Continue reading How does a pentesting engagement change under HIPAA?
I am doing a security audit on a command line tool. The tool is java based and it runs on the server side, it collects some info and generate a report at the end of the run.
This tool can run nevertheless of which user has run this, so any… Continue reading how to apply authentication/authorization on CLI tools
I opened the PentestBox, it said it was like this("Code 267" on PentestBox like at image). What should I do to fix it or what to do next.
I hope everyone can help me know how to solve this problem
Continue reading How to fix the error "Code 267" on PentestBox? [closed]
I am a (modest) pen-tester on a team of a few. I am relatively new to my pen-testing career (a few years in) but I really enjoy it; it is very interesting.
We have just admitted a new, young pen-tester in our group, who, if I’m being compl… Continue reading A pen-tester on my team caused major database damage to a client- what should we do? [closed]
A client did an unannounced penetration test on our platform (SaaS, multi-tenant).
The first test, they made an extreme number of requests in a short amount of time. It was not logged in and was unannounced so I first thought it was a DDOS… Continue reading A client did an unannounced penetration test on our platform