Web and Mobile Application Fuzzing Best Practices
If you’re reading this, you’ve probably used tools like Ffuf or Gobuster to fuzz an application to expand the attack surface and potentially find sensitive files and directories. Unfortunately, we here at Brackish find that a lot of testers are doing fuzzing incorrectly. Read below to get our Rules of Fuzzing and even a generic […]
Software and Data Integrity Failures – OWASP Top Ten
Welcome to the final entry in our OWASP Top Ten Series – Software and Data Integrity Failures. If you haven’t read any of the previous ones, check them out. Among the OWASP Top Ten entries, Software and Data Integrity Failures have emerged as a formidable category that encapsulates a range of issues where assumptions about […]
Mobile Application Penetration Testing – #1 – Getting Started
Welcome to the first of many parts of our series on Mobile Application Penetration Testing. We wanted to write this series because it seems like a lot of the material out there on mobile application penetration testing is out of date, wrong, or lacking. Furthermore, when it comes to mobile application penetration testing, there are […]
OWASP Top Ten – Insecure Design
Insecure Design was a new entry when the latest version of the OWASP Top Ten was released in 2021. An really, what it gets at is a good lesson – Designing an application with security in mind can go a long way in ensuring that the end product is robust against all sorts of vulnerabilities. […]
OWASP Top Ten – Security Misconfiguration
What exactly is a Security Misconfiguration? It seems kind of nebulous, right? Well, that’s because it is. This vulnerability covers a wide range of issues that are some of the most prevalent in the wild and manifests in different forms—unnecessary default settings, overly verbose error handling, and unprotected files and directories, to name a few. […]
OWASP Top Ten – Broken Access Control
First things first, did you know that the OWASP acronym has changed from Open Web Application Security Project to Open Worldwide Application Security Project? Neither did we! But onto the real stuff. Today we have another entry in the OWASP Top Ten Series – Broken Access Control. This is one of the most prevalent vulnerabilities […]
Certification Pinning and Root Detection: Helpful but Not Unhackable
Introduction As mobile app developers, we are constantly striving to create secure and reliable applications for our users. To achieve this, we often employ various security measures such as certificate pinning and root detection. While these practices undoubtedly enhance the security of a mobile app, it’s important to understand that no solution is ever completely […]
Insecure Direct Object Reference (IDOR) Vulnerabilities: Understanding, Exploiting, and Detecting
Introduction Insecure Direct Object Reference, or IDOR, is a common security vulnerability that exposes sensitive data and allows unauthorized access to resources. It is a critical issue that often appears in the OWASP Top Ten, a list of the most prevalent security risks in web applications. In this blog post, we will discuss what IDOR […]
OWASP Mobile Application Security Testing Guide (MASTG)
Intro With the ever increasing use of mobile applications in various aspects of our lives, ensuring the security and privacy of users has become a top priority for developers and organizations alike. As mobile applications store and process sensitive data, securing them against potential attacks is of utmost importance. The Open Web Application Security Project […]
Unraveling the Intricacies of IoT Penetration Testing
Internet of What? The Internet of Things (IoT) penetration testing is needed more than ever as IoT devices have become an essential component of our everyday lives, with smart devices seamlessly integrating into various aspects of our routines. From wearable fitness trackers to smart home appliances, the IoT ecosystem is growing exponentially, promising greater convenience, […]
OWASP Top Ten – Cryptographic Failures
OWASP Top Ten – Cryptographic Failures The world of cybersecurity is constantly evolving as new threats and vulnerabilities emerge. This includes Cryptographic Failures. The Open Web Application Security Project (OWASP) Top Ten is a widely recognized list of the most critical security risks to web applications. One of the entries on this list is Cryptographic […]
OWASP Top Ten – Server Side Request Forgery (SSRF)
What is an SSRF? The next entry in our OWASP Top Ten Series covers Server Side Request Forgeries. Server Side Request Forgery (SSRF) is a security vulnerability that occurs when an attacker is able to make HTTP requests to an internal or external system from a vulnerable server, effectively using the server as a proxy. […]
Phishing, Domain Names, and TLDs
As a small or medium-sized business owner, you may be aware of the threat of phishing attacks. Phishing is a common technique used by cybercriminals to trick people into giving away sensitive information such as usernames, passwords, or credit card numbers. One way to protect your business against these attacks is to buy common domain […]
OWASP Top Ten – Identification and Authentication Failures
Identification and Authentication Failures Today we will cover Identification and Authentication Failures in our series on the OWASP Top Ten. Online security has become a crucial aspect of modern life. Today, every business is a tech business, and it becomes increasingly important to ensure that sensitive data and information are protected from unauthorized access. One […]
What are Weak Hashing Algorithms
“SSL Certificate signed using weak hashing algorithm” refers to a security vulnerability in the SSL/TLS certificate used by a website. A hashing algorithm is used to create a unique digital signature for the certificate, which is then used to encrypt communications between the website and its visitors. If a weak hashing algorithm is used, the […]
Attack Surface Management
Introduction External attack surface management (ASM) refers to the process of identifying, analyzing, and mitigating security risks and vulnerabilities that originate from outside an organization’s network. The focus of external ASM is to protect against threats such as hackers, cybercriminals, and malicious software that can target public-facing systems and applications. These threats can pose a […]
OWASP Top Ten – Injection
OWASP Top Ten – Injection Today’s entry in the OWASP Top Ten series is Injection. If we are going to call a vulnerability a classic, this would be it. In the latest version of the OWASP Top Ten, the venerable vulnerability Cross Site Scripting has been combined with other classic injections, such as SQL injection, […]
TutorTrac Multiple Stored XSS
TutorTrac Multiple Stored XSS Brackish researchers found authenticated stored cross-site-scripting (XSS) in TutorTrac version <= 4.2.170210. An authenticated attacker could utilize crafted input in several locations throughout the application to perform XSS attacks. This is a standard stored XSS attack that can be used to steal user’s sessions cookies, amongst other things. Injection is a […]
OWASP Top Ten – Insufficient Logging & Monitoring
Insufficient Logging & Monitoring This week’s entry in the OWASP Top Ten series is Insufficient Logging & Monitoring. This is one of those things that organizations often don’t realize they are missing until it is too late. People sometimes overlook this one because it’s not an attack or a threat in the common usage of […]
OWASP Top Ten – Vulnerable and Outdated Components
Vulnerable and Outdated Components This is the first post in a series of posts that will cover the OWASP Top Ten. Today’s post will cover Vulnerable and Outdated Components. This is a very common vulnerability found in nearly every penetration test. It basically boils down to using software that has not been updated and/or software […]
