WordPress Security
WordPress is one of the most popular content management systems (CMS) in the world, powering over 40% of all websites on the internet. However, with great popularity comes a great responsibility to keep the WordPress installation secure. In this blog post, we’ll discuss some of the best practices that users should follow to ensure the […]
Why you need a DMZ
Why you need a DMZ In today’s interconnected world, network design and segmentation are crucial for the security and performance of an organization’s IT infrastructure. A well-designed network should be segmented to isolate critical assets and minimize the impact of a potential security breach. One common approach to network segmentation is the use of a […]
How ChatGPT Helps Us
How ChatGPT Helps Us Recently, Brackish was conducting a phishing engagement, and we had the idea to try out ChatGPT to help us build our phishing infrastructure. We’ve already built this stuff manually, so this experiment would give us an idea of exactly how helpful ChatGPT can be for us in “real” situations. The Engagement […]
Attack Surface Management
Introduction External attack surface management (ASM) refers to the process of identifying, analyzing, and mitigating security risks and vulnerabilities that originate from outside an organization’s network. The focus of external ASM is to protect against threats such as hackers, cybercriminals, and malicious software that can target public-facing systems and applications. These threats can pose a […]
Data Privacy Day
What is Data Privacy? Data privacy is a critical issue in today’s digital age, as more and more personal information is being collected, stored, and shared by companies and organizations. It is important to ensure that individuals’ personal information is protected and kept private to prevent misuse and abuse. One of the major concerns with […]
Taking Over Organizr Accounts
Today we have another rate-limiting issue. While this one is not as impactful as the previous one – it’s still fun. Organizr is a self-hosted application written in PHP that basically helps you self-host other services at your home. It’s nifty application with a surprisingly large amount of functionality. We were recently poking at it […]
OWASP Top Ten – Injection
OWASP Top Ten – Injection Today’s entry in the OWASP Top Ten series is Injection. If we are going to call a vulnerability a classic, this would be it. In the latest version of the OWASP Top Ten, the venerable vulnerability Cross Site Scripting has been combined with other classic injections, such as SQL injection, […]
TutorTrac Multiple Stored XSS
TutorTrac Multiple Stored XSS Brackish researchers found authenticated stored cross-site-scripting (XSS) in TutorTrac version <= 4.2.170210. An authenticated attacker could utilize crafted input in several locations throughout the application to perform XSS attacks. This is a standard stored XSS attack that can be used to steal user’s sessions cookies, amongst other things. Injection is a […]
OWASP Top Ten – Insufficient Logging & Monitoring
Insufficient Logging & Monitoring This week’s entry in the OWASP Top Ten series is Insufficient Logging & Monitoring. This is one of those things that organizations often don’t realize they are missing until it is too late. People sometimes overlook this one because it’s not an attack or a threat in the common usage of […]
OWASP Top Ten – Vulnerable and Outdated Components
Vulnerable and Outdated Components This is the first post in a series of posts that will cover the OWASP Top Ten. Today’s post will cover Vulnerable and Outdated Components. This is a very common vulnerability found in nearly every penetration test. It basically boils down to using software that has not been updated and/or software […]
Why Your Business Needs A Penetration Test
Introduction A penetration test is a method of security testing that can help you identify vulnerabilities and prevent hackers from stealing your business’s data. Penetration testing is a critical part of any cybersecurity strategy, but many businesses don’t even know that it exists—let alone how to get started with one. In this article, we’ll cover […]
Zero Trust Brought to You by ChatGPT
Zero trust is a security concept that has gained popularity in recent years due to the increasing complexity and sophistication of cyber threats. It is based on the premise that no one, whether they are inside or outside an organization, should be trusted until they have been authenticated and authorized to access specific resources. This […]
Credentials Gone Wild
If there is one thing that Brackish testers have seen a lot lately, it is default credentials. In five out of the last five engagements performed by Brackish, testers have found default credentials in use. In several of these instances, these default credentials have led to highly critical issues in internal networks, external networks, and […]
A Password Manager for Enhanced Cybersecurity
You have all your passwords written on a piece of paper in the drawer next to you. You have all your passwords in a spreadsheet that is located on your desktop. You use the same password for every site. Or maybe you are extra secure because you change the numbers at the end of your […]
