MouseJacking (With Flipper Zero): Tales from Pen Testing Trenches

As a continuation in our series of penetration testing stories (who doesn’t love those) we bring you MouseJacking (With Flipper Zero). Check out the first blog post in the series here. In this engagement, we were successfully able to compromise a network utilizing an old attack vector – MouseJacking. MouseJacking was first brought to […]

The Ultimate Guide to Protecting Your Business from Phishing Scams

In today’s digital age, cybersecurity is not just a technical necessity but a cornerstone of a successful business strategy. Among the myriad of cyber threats, phishing scams stand out for their cunning simplicity and devastating effectiveness. Phishing attacks manipulate human psychology to steal confidential information, disrupt business operations, and compromise customer trust. This comprehensive guide […]

Another OSCP Blog Post

First, what is the OSCP? If you are ever curious about what it takes to become an ethical hacker, you will most likely find yourself googling “How to become a hacker”. Within your research, it doesn’t take long to read countless blogs and forums that point to the OSCP certification, by Offensive Security. As many […]

Mobile Application Penetration Testing – #2 – MobSF Intro

If you haven’t read the previous entry in the Mobile Application Penetration Testing series, check it out. In this post we will start in with a frequently used mobile application security tool – MobSF. This is a tool that you’ll pretty much want to use on every mobile test that you do. As said before, […]

Guarding the Digital Front Door: The External Penetration Test

The demand and pressure for penetration testing services are growing every day – ethical hackers are racing to find all the vulnerabilities before the not so ethical ones do. The subject of penetration testing has expanded and deepened, with each specific area, whether web application, IoT, wireless, or even mobile, carrying significant importance. Arguably, the […]

Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, and at Brackish Security, we’re not just marking our calendars – we’re taking action! We understand the devastating impacts phishing attacks can have on individuals and organizations alike. That’s why we’re excited to introduce our ‘Free Phishing Campaign’ in honor of Cybersecurity Awareness Month. Understanding Phishing: Phishing is a […]

OWASP Top Ten – Security Misconfiguration

What exactly is a Security Misconfiguration? It seems kind of nebulous, right? Well, that’s because it is. This vulnerability covers a wide range of issues that are some of the most prevalent in the wild and manifests in different forms—unnecessary default settings, overly verbose error handling, and unprotected files and directories, to name a few. […]

OWASP Top Ten – Broken Access Control

First things first, did you know that the OWASP acronym has changed from Open Web Application Security Project to Open Worldwide Application Security Project? Neither did we! But onto the real stuff. Today we have another entry in the OWASP Top Ten Series – Broken Access Control. This is one of the most prevalent vulnerabilities […]

Penetration Testing: White Box, Black Box, and Grey Box Testing

In this post, we’ll dive into the definitions and differences between white box, black box, and grey box testing so that you can better understand these essential techniques for securing your attack surface. But first, let’s get the basics right. What is penetration testing? In simple terms, it’s the practice of identifying vulnerabilities, weaknesses, or […]

OWASP Mobile Application Security Testing Guide (MASTG)

Intro With the ever increasing use of mobile applications in various aspects of our lives, ensuring the security and privacy of users has become a top priority for developers and organizations alike. As mobile applications store and process sensitive data, securing them against potential attacks is of utmost importance. The Open Web Application Security Project […]

Unraveling the Intricacies of IoT Penetration Testing

Internet of What? Internet of Things (IoT) penetration testing is needed more than ever as IoT devices have become an essential component of our everyday lives, with smart devices seamlessly integrating into various aspects of our routines. From wearable fitness trackers to smart home appliances, the IoT ecosystem is growing exponentially, promising greater convenience, […]

OWASP Top Ten – Cryptographic Failures

The world of cybersecurity is constantly evolving as new threats and vulnerabilities emerge. This includes Cryptographic Failures. The Open Web Application Security Project (OWASP) Top Ten is a widely recognized list of the most critical security risks to web applications. One of the entries on this list is Cryptographic […]

OWASP Top Ten – Server Side Request Forgery (SSRF)

What is an SSRF? The next entry in our OWASP Top Ten Series covers Server Side Request Forgeries. Server Side Request Forgery (SSRF) is a security vulnerability that occurs when an attacker is able to make HTTP requests to an internal or external system from a vulnerable server, effectively using the server as a proxy. […]

Insecure Deserialization

Introduction Insecure deserialization is a cybersecurity vulnerability that affects various programming languages, including C#, Java, PHP, Python, and others. This article explores the dangers of insecure deserialization, how it affects different languages, and how developers can mitigate the risks. Additionally, we will discuss the roles of penetration testing and source code reviews in helping companies […]

Phishing, Domain Names, and TLDs

As a small or medium-sized business owner, you may be aware of the threat of phishing attacks. Phishing is a common technique used by cybercriminals to trick people into giving away sensitive information such as usernames, passwords, or credit card numbers. One way to protect your business against these attacks is to buy common domain […]

OWASP Top Ten – Identification and Authentication Failures

Identification and Authentication Failures Today we will cover Identification and Authentication Failures in our series on the OWASP Top Ten. Online security has become a crucial aspect of modern life. Today, every business is a tech business, and it becomes increasingly important to ensure that sensitive data and information are protected from unauthorized access. One […]

Phishing – The Most Important Thing?

It seems like every day we see in the news that another organization was compromised. If we dig deep into the root cause of these breaches we find a very common theme – phishing. Phishing is the act of sending fraudulent emails or messages with the intention of tricking the recipient into revealing sensitive information […]

TLS Versions Explained

Transport Layer Security (TLS) is a widely-used protocol for securing communications on the internet. TLS is responsible for establishing a secure and encrypted connection between two communicating devices, ensuring that the data transmitted between them is protected from eavesdropping, tampering, and other attacks. TLS has undergone several revisions over the years, with TLS 1.0 and […]

WordPress Security

WordPress is one of the most popular content management systems (CMS) in the world, powering over 40% of all websites on the internet. However, with great popularity comes a great responsibility to keep the WordPress installation secure. In this blog post, we’ll discuss some of the best practices that users should follow to ensure the […]

Data Privacy Day

What is Data Privacy? Data privacy is a critical issue in today’s digital age, as more and more personal information is being collected, stored, and shared by companies and organizations. It is important to ensure that individuals’ personal information is protected and kept private to prevent misuse and abuse. One of the major concerns with […]

Taking Over Organizr Accounts

Today we have another rate-limiting issue. While this one is not as impactful as the previous one – it’s still fun. Organizr is a self-hosted application written in PHP that basically helps you self-host other services at your home. It’s a nifty application with a surprisingly large amount of functionality. We were recently poking at it […]

OWASP Top Ten – Injection

Today’s entry in the OWASP Top Ten series is Injection. If we are going to call a vulnerability a classic, this would be it. In the latest version of the OWASP Top Ten, the venerable vulnerability Cross Site Scripting has been combined with other classic injections, such as SQL injection, […]

TutorTrac Multiple Stored XSS

Brackish researchers found authenticated stored cross-site scripting (XSS) in TutorTrac version <= 4.2.170210. An authenticated attacker could utilize crafted input in several locations throughout the application to perform XSS attacks. This is a standard stored XSS attack that can be used to steal users’ session cookies, amongst other things. Injection is a […]

OWASP Top Ten – Vulnerable and Outdated Components

Vulnerable and Outdated Components This is the first post in a series of posts that will cover the OWASP Top Ten. Today’s post will cover Vulnerable and Outdated Components. This is a very common vulnerability found in nearly every penetration test. It basically boils down to using software that has not been updated and/or software […]

Why Your Business Needs A Penetration Test 

Introduction: A penetration test is a method of security testing that can help you identify vulnerabilities and prevent hackers from stealing your business’s data. Penetration testing is a critical part of any cybersecurity strategy, but many businesses don’t even know that it exists—let alone how to get started with one. In this article, we’ll cover […]

Microsoft OAuth Open Redirect

What is an open redirect? Open redirects are a web application vulnerability that allows an attacker to redirect a user to a malicious website. It can also be used to phish a user’s credentials, deliver malware, and sometimes perform XSS. An oft used example is as follows: Upon clicking this link, a victim is redirected […]

Zero Trust Brought to You by ChatGPT

Zero trust is a security concept that has gained popularity in recent years due to the increasing complexity and sophistication of cyber threats. It is based on the premise that no one, whether they are inside or outside an organization, should be trusted until they have been authenticated and authorized to access specific resources. This […]

A Password Manager for Enhanced Cybersecurity

You have all your passwords written on a piece of paper in the drawer next to you. You have all your passwords in a spreadsheet that is located on your desktop. You use the same password for every site. Or maybe you are extra secure because you change the numbers at the end of your […]