What are Default Credentials? A Penetration Testers Best Friend!

While organizations focus on patching vulnerabilities, updating software, and training staff, one of the most overlooked yet dangerous entry points remains default credentials. These seemingly harmless username and password combinations are a hacker’s golden ticket into your network or destruction of the network. Unfortunately, default credentials are something we see on every. single. engagement. The […]

Logging – Mobile Application Penetration Testing #6

Mobile Application Penetration Testing Logging

Welcome back to the long awaited next entry in Brackish Security’s Mobile Application Penetration Testing series. When conducting mobile application penetration testing, inspecting logs on iOS and Android is a crucial step in understanding how an app behaves, particularly in how it handles sensitive data, error handling, and debugging information. Log files can provide insight […]

Physical Penetration Testing: Why Every Company Should Prioritize It

In an era dominated by digital transformation, businesses are more focused than ever on securing their online assets. Cybersecurity measures such as firewalls, antivirus software, and encryption protocols are essential, but one often overlooked aspect of comprehensive security is physical penetration testing. What Is Physical Penetration Testing? Physical penetration testing involves simulating a real-world attack […]

JavaScript Source Map Vulnerabilities

A map. Get it? JavaScript Source Map

What is a JavaScript source map file? Source map files map the transformed, minified, or compiled code back to the original source code, and they can often be found exposed publicly in web applications. This is particularly useful for debugging because it allows developers to view and step through the original source code even when […]

IoT Penetration Testing Part 1

IoT Penetration Testing

IoT Penetration Testing is one of our favorite types of testing here at Brackish Security. This will be the first of a multi-part blog series on embedded device security (the “Internet of Things” or IoT). Our goal is to show how the Brackish security team approaches an IoT pentest, including detailed methodologies and examples.  IoT […]

MouseJacking (With Flipper Zero): Tales from Pen Testing Trenches

As a continuation in our series of penetration testing stories (who doesn’t love those) we bring you MouseJacking (With Flipper Zero). Check out the first blog post in the series here here. In this engagement, we were successfully able to compromise a network utilizing an old attack vector – MouseJacking. MouseJacking was first brought to […]

Tales from Pen Testing Trenches: MAC Address Whitelisting Failure

MAC address whitelisting is commonly perceived as a foolproof network security mechanism. Yet, Brackish Security’s recent test on a wireless network illustrates how easily this method can be bypassed, challenging its efficacy as a standalone security solution. MAC address whitelisting operates on the premise that only devices with pre-approved MAC addresses can access a network. […]

What is Blind XSS?

blind xss

You may have heard of Reflected Cross Site Scripting (XSS) or Stored XSS, but what is Blind XSS? Unlike traditional XSS attacks, where the immediate impact is visible, Blind XSS vulnerabilities are typically triggered when the malicious input is viewed by a different user, often an administrator or a support person, at a later time […]

Android Studio – Mobile Application Penetration Testing #5

Android Studio and Android Debug

Welcome back to our series on Mobile Application Penetration Testing! In this post we will discuss Android Studio and Android Debug Bridge. If you’re new to this, you might want to go read from the beginning or check out the previous post. But not only will we discuss Android Studio and Android Debug Bridge, we […]

Another OSCP Blog Post

First, what is the OSCP? If you are ever curious about what it takes to become an ethical hacker, you will most likely find yourself googling “How to become a hacker”. Within your research, it doesn’t take long to read countless blogs and forums that point to the OSCP certification, by Offensive Security. As many […]