Application security practitioners often preach about the importance of shifting security left in the software development life-cycle (SDLC). The reason this catch-phrase so-easily resonates with leadership is simple: if it’s possible to identify and remediate ...
Not too long ago, while working at another company, I was subjected to a presentation by a paid speaker at our annual sales kickoff meeting. Since I was heavily focused on security consulting solutions for ...
SuiteCRM is a popular open-source Client Relations Manager (CRM). I took some time to review the code and basic implementation of the application within a vanilla Ubuntu Debian build. I found good security practices within ...
Type juggling is an expected functionality of PHP when leveraging loose comparisons. However, it can be used to subvert intended operations. In this blog, we will discuss why type juggling occurs, what are the potential ...
Here at Abricto Security, we believe that application penetration tests only reveal the tip of the iceberg. Specifically, if we conduct an application penetration test and we find that it’s riddled with vulnerabilities, the remediation ...
Abricto Security understands that all industries feel the impact of COVID-19 and we’re here to help. Our team is shifting our operating procedures to accommodate fully remote consultations and assessments. Here is how we plan ...
Target the http://target.server.com URL using the "-u" flag: sqlmap -u 'http://target.server.com' Specify POST requests by specifying the "--data" flag: sqlmap -u 'http://target.server.com' --data='param1=blah¶m2=blah' Target a vulnerable parameter in an authenticated session by specifying cookies using the "--cookie" ...
Public key encryption is heavily utilized in modern implementations of SSH. By leveraging public key cryptography, administrators can generate both a public key and a private key to encrypt and decrypt data in transit. Using ...
In many of our network and web application penetration tests, we come across login portals that aren't protected by anti-automation controls. Essentially, this allows us to launch unrestricted dictionary attacks on previously identified usernames. When ...
