TSA’s Proposed Cybersecurity Rule for the Transportation Sector – The Need for Penetration Testing
In an era where cyber threats are increasingly sophisticated, the Transportation Security Administration (TSA) has proposed a new set of cybersecurity requirements targeting the pipeline, rail, and over-the-road bus (OTRB) sectors. This Notice of Proposed Rulemaking (NPRM) aims to strengthen protections for critical infrastructure by mandating a comprehensive Cyber Risk Management (CRM) program for certain […]
What are Default Credentials? A Penetration Testers Best Friend!
While organizations focus on patching vulnerabilities, updating software, and training staff, one of the most overlooked yet dangerous entry points remains default credentials. These seemingly harmless username and password combinations are a hacker’s golden ticket into your network or destruction of the network. Unfortunately, default credentials are something we see on every. single. engagement. The […]
Logging – Mobile Application Penetration Testing #6
Welcome back to the long awaited next entry in Brackish Security’s Mobile Application Penetration Testing series. When conducting mobile application penetration testing, inspecting logs on iOS and Android is a crucial step in understanding how an app behaves, particularly in how it handles sensitive data, error handling, and debugging information. Log files can provide insight […]
Physical Penetration Testing: Why Every Company Should Prioritize It
In an era dominated by digital transformation, businesses are more focused than ever on securing their online assets. Cybersecurity measures such as firewalls, antivirus software, and encryption protocols are essential, but one often overlooked aspect of comprehensive security is physical penetration testing. What Is Physical Penetration Testing? Physical penetration testing involves simulating a real-world attack […]
JavaScript Source Map Vulnerabilities
What is a JavaScript source map file? Source map files map the transformed, minified, or compiled code back to the original source code, and they can often be found exposed publicly in web applications. This is particularly useful for debugging because it allows developers to view and step through the original source code even when […]
IoT Penetration Testing Part 1
IoT Penetration Testing is one of our favorite types of testing here at Brackish Security. This will be the first of a multi-part blog series on embedded device security (the “Internet of Things” or IoT). Our goal is to show how the Brackish security team approaches an IoT pentest, including detailed methodologies and examples. IoT […]
MouseJacking (With Flipper Zero): Tales from Pen Testing Trenches
As a continuation in our series of penetration testing stories (who doesn’t love those) we bring you MouseJacking (With Flipper Zero). Check out the first blog post in the series here here. In this engagement, we were successfully able to compromise a network utilizing an old attack vector – MouseJacking. MouseJacking was first brought to […]
Tales from Pen Testing Trenches: MAC Address Whitelisting Failure
MAC address whitelisting is commonly perceived as a foolproof network security mechanism. Yet, Brackish Security’s recent test on a wireless network illustrates how easily this method can be bypassed, challenging its efficacy as a standalone security solution. MAC address whitelisting operates on the premise that only devices with pre-approved MAC addresses can access a network. […]
What is Blind XSS?
You may have heard of Reflected Cross Site Scripting (XSS) or Stored XSS, but what is Blind XSS? Unlike traditional XSS attacks, where the immediate impact is visible, Blind XSS vulnerabilities are typically triggered when the malicious input is viewed by a different user, often an administrator or a support person, at a later time […]
Android Studio – Mobile Application Penetration Testing #5
Welcome back to our series on Mobile Application Penetration Testing! In this post we will discuss Android Studio and Android Debug Bridge. If you’re new to this, you might want to go read from the beginning or check out the previous post. But not only will we discuss Android Studio and Android Debug Bridge, we […]
Another OSCP Blog Post
First, what is the OSCP? If you are ever curious about what it takes to become an ethical hacker, you will most likely find yourself googling “How to become a hacker”. Within your research, it doesn’t take long to read countless blogs and forums that point to the OSCP certification, by Offensive Security. As many […]
The Importance of Comprehensive IoT Penetration Testing in Modern Cybersecurity
IoT Penetration Testing is needed in today’s dynamic landscape of the Internet of Things (IoT), where everyday devices are interconnected and smarter than ever. Comprehensive IoT Penetration Testing emerges as a crucial strategy for businesses and individuals alike to fortify their digital frontiers. This blog post delves into the why and how of thorough IoT […]
Shodan Series Part 2: The Untraditional Web Ports
Our goal of this series is to revisit Shodan and demonstrate to IT admins and business owners, how much an attacker can glean of a network without sending any packets to the actual to an organization. Our last post focused on Remote Desktop Protocol being exposed to the publicly accessible internet: https://brackish.io/shodan-series-part-1-the-accidental-open-door/ This week we […]
IIS Short File Name Enumeration
Microsoft IIS short file name enumeration is a technique used to discover the filenames and directories on a web server running IIS. This method exploits a feature in IIS related to how it handles file and directory names. This vulnerability is kind of the gift that keeps on giving. As of writing, it’s been around […]
Even More MobSF – Mobile Application Penetration Testing #4
In this part of the guide we go over more of the MobSF output for the YouTube APK
Software and Data Integrity Failures – OWASP Top Ten
Welcome to the final entry in our OWASP Top Ten Series – Software and Data Integrity Failures. If you haven’t read any of the previous ones, check them out. Among the OWASP Top Ten entries, Software and Data Integrity Failures have emerged as a formidable category that encapsulates a range of issues where assumptions about […]
More MobSF – Mobile Application Penetration Testing #3
Mobile Application Penetration Testing
What is the Difference Between Vulnerability Assessments and Penetration Testing?
In the ever-evolving world of cybersecurity, businesses often come across terms like ‘vulnerability assessments‘ and ‘penetration testing‘. While they might seem interchangeable to the untrained eye, they serve distinct purposes. Both are critical components of a comprehensive security strategy, but they approach the task of safeguarding a network from different angles. Let’s dive into the […]
Mobile Application Penetration Testing – #2 – MobSF Intro
If you haven’t read the previous entry in the Mobile Application Penetration Testing series, check it out. In this post we will start in with a frequently use mobile application security tool – MobSF. This is a tool that you’ll pretty much want to use on every mobile test that you do. As said before, […]
Mobile Application Penetration Testing – #1 – Getting Started
Welcome to the first of many parts of our series on Mobile Application Penetration Testing. We wanted to write this series because it seems like a lot of the material out there on mobile application penetration testing is out of date, wrong, or lacking. Furthermore, when it comes to mobile application penetration testing, there are […]
Unmasking the Shadows: The Unseen Vulnerabilities Within Your Walls
Prior to reading this, please check out a previous blog of ours on how important an external penetration test is. Hey there, security enthusiasts and curious minds alike! Today, we are taking a deep dive into a topic that’s often buzzing around but isn’t always entirely understood – yes, we’re talking about Internal Penetration Testing […]
Beyond the Breach: The Essential Role of Regular Penetration Testing in Safeguarding Organizational Reputation
In today’s interconnected world, cyber resilience is not just about protecting data but is closely tied to an organization’s reputation and trustworthiness. A cyberattack doesn’t only translate to financial losses but can significantly tarnish a company’s image. A case in point is the recent cyberattack on Clorox, emphasizing the imperative of preemptive measures, particularly regular […]
Guarding the Digital Front Door: The External Penetration Test
The demand and pressure for penetration testing services are growing every day – ethical hackers are racing to find all the vulnerabilities before the not so ethical ones do. The subject of penetration testing has expanded and deepened, with each specific area, whether web application, IoT, wireless, or even mobile, carrying significant importance. Arguably, the […]
Cybersecurity Awareness Month
October is the Cybersecurity Awareness Month, and at Brackish Security, we’re not just marking our calendars – we’re taking action! We understand the devastating impacts phishing attacks can have on individuals and organizations alike. That’s why we’re excited to introduce our ‘Free Phishing Campaign’ in honor of Cybersecurity Awareness Month. Understanding Phishing Phishing is a […]
OWASP Top Ten – Insecure Design
Insecure Design was a new entry when the latest version of the OWASP Top Ten was released in 2021. An really, what it gets at is a good lesson – Designing an application with security in mind can go a long way in ensuring that the end product is robust against all sorts of vulnerabilities. […]
OWASP Top Ten – Security Misconfiguration
What exactly is a Security Misconfiguration? It seems kind of nebulous, right? Well, that’s because it is. This vulnerability covers a wide range of issues that are some of the most prevalent in the wild and manifests in different forms—unnecessary default settings, overly verbose error handling, and unprotected files and directories, to name a few. […]
OWASP Top Ten – Broken Access Control
First things first, did you know that the OWASP acronym has changed from Open Web Application Security Project to Open Worldwide Application Security Project? Neither did we! But onto the real stuff. Today we have another entry in the OWASP Top Ten Series – Broken Access Control. This is one of the most prevalent vulnerabilities […]
Is Caido The New Burp?
There has been some buzz around Caido recently – a contender to the Burp crown. Brackish Security testers recently sat down and tried Caido out on some real pentests. Our findings follow. Keep in mind that Caido is still fairly new, while Burp has been in development and use for a very long time. Additionally, […]
Reflected XSS: Differences and Relationship with Stored and DOM XSS
Cross-site Scripting (XSS) is a prevalent security vulnerability in web applications that allows attackers to inject malicious scripts into web pages viewed by users. In this blog post, we will explore the concept of reflected XSS, compare it with stored and DOM XSS, and discuss if reflected XSS can also be stored or DOM XSS. […]
Microsoft OAuth Open Redirect
What is an open redirect? Open redirects are a web application vulnerability that allows an attacker to redirect a user to a malicious website. It can also be used to phish a user’s credentials, deliver malware, and sometimes perform XSS. An oft used example is as follows: Upon clicking this link, a victim is redirected […]
