#pentests — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #pentests, aggregated by home.social.
-
New Warning — Microsoft Copilot AI Can Access Restricted Passwords
https://www.forbes.com/sites/daveywinder/2025/05/14/new-warning---microsoft-copilot-ai-can-access-restricted-passwords/
#cybersecurity #copilot #Sharepoint #password #cracking #pentests
-
#Announcement: On Friday, our #usdHeroLab colleagues published a major release of our BurpSuite Plugin #FlowMate: https://github.com/usdAG/FlowMate/releases/tag/v1.1
During BlackHat USA 2023 and DEF CON 31, our colleagues received a lot of helpful feedback on their #tool: The new version 1.1 contains bug fixes and some new features. In our video, Florian Haag explains the advantages and possible use cases in the context of #WebApplication #Pentests: https://www.youtube.com/watch?v=BJhRhGmDATw
#CheckItOut #Security #Pentesting #Hacking #Tools #Community #moresecurity
-
The #usdHeroLab analysts examined #ThingsBoard while conducting their #pentests.
1⃣Vulnerability Type: Server-Side Template Injection
🚨Security Risk: High
🧵👇 More Details🧐
ThingsBoard is an open-source IoT platform for data collection, processing, visualization, and device management.
During an assessment, a Server-Side Template Injection (SSTI) vulnerability was discovered. It enables attackers to dynamically create and modify templates that are used for automated generation of mail content, which results in the execution of arbitrary system commands.
The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩💻👨💻👇
https://herolab.usd.de/en/security-advisories/usd-2023-0010/
-
The #usdHeroLab analysts examined the Content Management System #Contao while conducting their #pentests.
1⃣Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79)
🚨 Security Risk: Medium
👇More details🧐
Contao is an open source Content Management System that allows you to create professional websites and scalable web applications.
The vulnerability enabled attackers with a low-privileged role to use a modified HTTP request to create an article with a JavaScript payload of their choice, which was client-triggered on the frontend and backend. For example, such an attack could upgrade a low-privileged account to an administrator account.
The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩💻👇
https://herolab.usd.de/en/security-advisories/usd-2023-0020/
-
The #usdHeroLab analysts examined the #SAP HTTP Content Server while conducting their #pentests.
1⃣Vulnerability Type: Improper Neutralization of HTTP Headers for Scripting Syntax #CWE644 #CVE202326457
🚨 Security Risk: High
👇🧵 More details
The SAP HTTP Content Server returns error messages in the header x-errordescription of the #HTTP Response. When invalid input is provided in an HTTP request, it is also placed in the error message inside this header.
During this process the input is URL-decoded; therefore, for example, %41 is translated to A and %0a is translated to a newline. This enables an #attacker to add new headers and change the content of the response.
The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩💻👨💻👇
https://herolab.usd.de/security-advisories/usd-2022-0046/
-
The #usdHeroLab analysts examined the #SAP Partner Portal while conducting their #pentests.
1⃣ Vulnerability Type: Improper Neutralization of Input During Web Page Generation #CWE79 #CrossSiteScripting
🚨 Security Risk: High
👇🧵 More details
In cases where users do not have sufficient permissions to view a specific URL within the #SAP Partner Portal, they get redirected to an error page. During this redirection, the requested URL is passed to the error message as a parameter without any filtering or encoding.
Therefore, it is possible to include HTML tags and JavaScript in the URL, making it possible for malicious actors to launch #XSS attacks.
The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩💻👇
https://herolab.usd.de/security-advisories/usd-2023-0017/
-
Website update finally. Figured might be a good idea due to an upcoming announcement. At least doesn’t say next cloud security class is November 2019 in Melbourne, Australia 😆
#2ndSightLab #Cyber #Cloud #Security #pentests #assessments #training
https://2ndsightlab.medium.com/2nd-sight-lab-website-update-cc08e61754c6
-
To counteract the increasing complexity of #hacker attacks, high-quality #pentests are essential. This is best achieved when the knowledge and instinct of #pentest professionals are complemented by suitable #tools. 🛠️
That's why our extensive experience with #TechnicalSecurityAnalyses continuously contributes to the development of helpful tools. As a result, we proudly present our in-house developments #FlowMate, #SNCScan and #CSTC to the global #SecurityCommunity at #BlackHat and @support. We are proud to provide international security experts with tools for #moresecurity
Our colleagues Matthias Göhring, Nicolas Schickert and Florian Haag are fine-tuning the very last details before heading to #LasVegas next week. We wish our Heroes great presentations and keep our fingers crossed!🤞
-
I'm looking to enhance our Cybersecurity library with books about Hardware Hacking and Security and could need some help.
I checked out Cybersecurity Canon but could only find a single Hardware Hacking book in their list. I'm looking for books about Pentesting Hardware, a general overview about embedded software security or even some general Cybersecurity books, if the contents transfer well.
Any pointers?
#Cybersecurity #Pentests #HardwareHacking #HardwareSecurity #EmbeddedSoftware