Collaborate Disseminate
A potential client is planning to do penetration testing on our SaaS.
Is it standard or fair for us to request things like the following?
An NDA from the pen tester
Details on who is performing the test (e.g., verifying they are accredite… Continue reading How can we safely allow a client to perform penetration testing?
I am really trying hard to exploit a Client Side Template Injection vulnerability in a webapp I am currently pentesting. Im so close to getting the payload to be executed, but I am stuck at the last little part^^. Would be great if you cou… Continue reading Angular Expression/XSS-Payload without Quotes or "$"
Let’s suppose that I have to do a VAPT and a target has a full-stack "shield" such as BitNinja. What techniques should a pentester use to avoid the interruption of the communications due to this shield and proceed with the VAPT?
… Continue reading BitNinja and VAPT [closed]
I work at a small software company, and we are working with another company that wants to use our software. However, their InfoSec team want us to have a 3rd party source code review completed, with static and dynamic scanning pipelines cr… Continue reading Safe sharing source code with 3rd party for security review?
We’ve recently had a penetration test for one of our applications.
The Penetration Testing company identified that our application lacks protections against brute-force attacks on the login page.
Ref: https://owasp.org/www-community/contro… Continue reading Is using PBKDF2 good protection against brute-force attacks on web application login pages?
I am working with a team who is developing a mobile app for which they are using GraphQL.
So as part of performing security testing it, they only shared the graphql endpoint and nothing else.
Not even the app UI nor any credentials.
Based … Continue reading GraphQL endpoint security testing
I want to study pentest. But recently I read Cronus CyBot,Cymulate and PenTera, WPA3, WPA2-enterprice. That instruments destroys pentester work or make it impossible. So it is worth to me to learn it?
I was recently working on Broken link Hijacking and found a link in a target which reflected on multiple pages. It was portal.REDACTED.local which was not accessible and returned response as bad host.
So I never saw a extension that has .l… Continue reading .local domain any possible ways in getting the extension
The post Cybersecurity Tool Kit appeared first on Digital Defense, Inc..
The post Cybersecurity Tool Kit appeared first on Security Boulevard.
Continue reading Cybersecurity Tool Kit
I’m working on security assessment of thick client application created using ULC. It is black box approach.
Based on wiki (wiki.c2.com): "Ultra Light Client (ULC) for Java is a widget set that enables a Swing Look and Feel for Servlet… Continue reading Java – Ultra Light Client (ULC traffic inspection)