Web and Mobile Application Fuzzing Best Practices

If you’re reading this, you’ve probably used tools like Ffuf or Gobuster to fuzz an application to expand the attack surface and potentially find sensitive files and directories. Unfortunately, we here at Brackish find that a lot of testers are doing fuzzing incorrectly. Read below to get our Rules of Fuzzing and even a generic […]

Logging – Mobile Application Penetration Testing #6

Mobile Application Penetration Testing Logging

Welcome back to the long awaited next entry in Brackish Security’s Mobile Application Penetration Testing series. When conducting mobile application penetration testing, inspecting logs on iOS and Android is a crucial step in understanding how an app behaves, particularly in how it handles sensitive data, error handling, and debugging information. Log files can provide insight […]

JavaScript Source Map Vulnerabilities

A map. Get it? JavaScript Source Map

What is a JavaScript source map file? Source map files map the transformed, minified, or compiled code back to the original source code, and they can often be found exposed publicly in web applications. This is particularly useful for debugging because it allows developers to view and step through the original source code even when […]

MouseJacking (With Flipper Zero): Tales from Pen Testing Trenches

As a continuation in our series of penetration testing stories (who doesn’t love those) we bring you MouseJacking (With Flipper Zero). Check out the first blog post in the series here here. In this engagement, we were successfully able to compromise a network utilizing an old attack vector – MouseJacking. MouseJacking was first brought to […]

Tales from Pen Testing Trenches: MAC Address Whitelisting Failure

MAC address whitelisting is commonly perceived as a foolproof network security mechanism. Yet, Brackish Security’s recent test on a wireless network illustrates how easily this method can be bypassed, challenging its efficacy as a standalone security solution. MAC address whitelisting operates on the premise that only devices with pre-approved MAC addresses can access a network. […]

Android Studio – Mobile Application Penetration Testing #5

Android Studio and Android Debug

Welcome back to our series on Mobile Application Penetration Testing! In this post we will discuss Android Studio and Android Debug Bridge. If you’re new to this, you might want to go read from the beginning or check out the previous post. But not only will we discuss Android Studio and Android Debug Bridge, we […]

The Importance of Comprehensive IoT Penetration Testing in Modern Cybersecurity

IoT Penetration Testing is needed in today’s dynamic landscape of the Internet of Things (IoT), where everyday devices are interconnected and smarter than ever. Comprehensive IoT Penetration Testing emerges as a crucial strategy for businesses and individuals alike to fortify their digital frontiers. This blog post delves into the why and how of thorough IoT […]

IIS Short File Name Enumeration

II short file name enumeration

Microsoft IIS short file name enumeration is a technique used to discover the filenames and directories on a web server running IIS. This method exploits a feature in IIS related to how it handles file and directory names. This vulnerability is kind of the gift that keeps on giving. As of writing, it’s been around […]

Software and Data Integrity Failures – OWASP Top Ten

Software and Data Integrity Failures

Welcome to the final entry in our OWASP Top Ten Series – Software and Data Integrity Failures. If you haven’t read any of the previous ones, check them out. Among the OWASP Top Ten entries, Software and Data Integrity Failures have emerged as a formidable category that encapsulates a range of issues where assumptions about […]