Latest pentest chronicle
Logging into any application user account using 'X' as a password? A real case of unauthenticated backdoor access!
Sebastian Jeż
April 30, 2025
During one of audits I performed a pentest of custom web platform providing organisational and personnel management functionality. The assessment was conducted with a black box methodology, allowing to interact with the system exclusively through the exposed HTTP interface and without privileged source code access.
READ article
All pentest chronicles
Remote Configuration Disclosure and Code Execution in a Legacy TYPO3 Instance
Dariusz Tytko
April 25, 2025
During an external penetration test I identified a critical vulnerability that grants unauthenticated users full visibility of the application side configuration and a direct path to server side code execution. The target site operates on TYPO3 CMS version 6.2.31, a release line that addresses some patches, including the security bulletin referenced as typo3 psa 2020 001. Because the instance still exposes the auxiliary validateHash controller, any visitor can request a Hash based Message Authentication Code for an arbitrary value. TYPO3 relies on that to protect form metadata sent from client to server, once an attacker can mint valid HMACs, every integrity barrier collapses. The following sections reproduce the proof of concept chronology performed during the audit.
READ article
Overriding Data Loss Prevention Controls via Misconfigurations and Endpoint Security Bypass
Dominik Antończak
April 17, 2025
Data Loss Prevention (DLP) solutions are often implemented in corporate environments to prevent unauthorized exfiltration of intellectual property, code, and other sensitive materials. These systems typically rely on a combination of monitoring, filtering, and dynamic rule enforcement to detect any suspicious attempt to copy critical files to unapproved external devices or cloud-based services.
READ article
Unrestricted File Upload Leading to Arbitrary Code Execution and NTLM Hash Disclosure
Dominik Antończak
April 11, 2025
During a security audit, I found a critical vulnerability in the file upload mechanism of an application designed to receive user-submitted requests. This vulnerability enables attackers to upload and subsequently execute malicious files on the server with administrative privileges. Furthermore, it allows a maliciously crafted PDF file to steal the NTLM hash of the user who opens it, potentially enabling lateral movement and privilege escalation within the infrastructure. This write-up provides technical details, a proof of concept (PoC), and recommended remediation strategies.
READ article
Exploiting improper password reset token validation – an uncommon authentication flaw enabling account takeover
PIOTR ĆWIKLIŃSKI
April 4, 2025
During a security audit of a web application, I discovered an uncommon flaw in the password reset mechanism. Due to insufficient server-side validation, the application failed to properly verify the presence and validity of a reset token, which is a core element of any secure password recovery flow. This oversight made it possible for an attacker to bypass the verification process entirely and reset the password of any user, ultimately leading to full account takeover.
READ article
Denial of Service attack via web cache poisoning – Vulnerability Analysis
Mikołaj Pudlicki
March 28, 2025
During security tests, a critical vulnerability was discovered in the tested application. This issue allows an attacker to block access to the application. The problem is caused by incorrect cache handling. Web cache poisoning is an attack where an attacker exploits the caching mechanism to store altered or malicious responses in a cache entry, forcing the website to serve harmful HTTP responses to its users. When improperly implemented, caching mechanisms significantly increase the risk of for example denial of service (DoS) conditions, by serving incorrect cached responses to legitimate users.
READ article
(Not) Easy authorization
Jacek Siwek
March 14, 2025
Vulnerabilities from the broken access control group according to OWASP TOP TEN 2021 are among the most common in web applications. They give users with lower privileges the ability to, among other things, access data or functions that are not intended for such a role. It also happens that an ordinary user can use functionalities belonging to the administrator, which can also lead to privilege escalation.
READ article
Breaking license validation in a desktop application – how business logic flaw can enable unauthorized activations
Piotr Ćwikliński
March 07, 2025
During one of my security audits, I discovered a business logic flaw in the license verification process of a macOS desktop application. This flaw made it possible for an ordinary user with basic hacking skills to bypass restrictions and activate the software on multiple devices, even though the license was meant for just one machine.
READ article
Possible Misconfigurations in Active Directory – Security Audit Findings
Jarosław Kamiński
February 28, 2025
Active Directory (AD) is a critical component of IT infrastructure, serving as the backbone for user authentication, access control, and identity management within an organization. However, misconfigurations and weak security controls in AD can expose an environment to severe risks, including privilege escalation, unauthorized access, and even full domain compromise.
READ article
How Secure Are Your Application Secrets? Lessons from Years of Real-World Penetration Tests
Mateusz Lewczak
February 21, 2025
In the context of web applications, "secrets" refer to sensitive data used to secure communication, authenticate users, or access restricted resources. These are critical pieces of information that must be protected to maintain the security and integrity of the application. First and foremost, it's important to acknowledge that the secure storage of secrets in applications is still an unresolved challenge. Many developers find this aspect unclear or challenging.
READ article
Vishing – How It Works and Why It’s So Effective: Insights from Commercial Social Engineering Tests
Jacek Siwek
February 14, 2025
Vishing is a type of social engineering attack in which scammers call their victims, pretending to be trusted individuals or institutions (such as IT departments, banks, or service providers) to extract confidential information or manipulate them into performing specific actions. While the conversation may seem harmless, it can lead to the disclosure of login credentials to company systems or even the execution of malicious software.
READ article
From temporary solutions to insecure security practices.
Adam Borczyk
February 06, 2025
When auditing security posture of our clients’ Azure and Entra ID infrastructures, we always verify what are the current Multi-Factor Authentication (MFA) rules and policies. We check what does the Conditional Access enforce, who is covered by which policy and what are the exclusions, if any.
READ article
The Hidden Danger in PDFs: How Misconfigurations Can Expose Sensitive Data?
Patryk Bogdan
January 28, 2025
Recent security audit revealed a critical vulnerability in the way WeasyPrint processes user-provided data for generating invoices in PDF format. The issue occurs because of insufficient input validation, allowing attackers to inject malicious HTML tags that are rendered within the generated PDF. This flaw opens the door to extracting sensitive files from the application’s infrastructure or querying remote resources, posing significant security risks.
READ article
Ex-Employee Private Code Repository Accounts: A Breach Waiting to Happen?
Adam Borczyk
January 22, 2025
A recent application audit revealed several concerns regarding source code management practices. The most significant finding involves the storage of code in a private GitHub repository that remains tied to a former employee's account. This configuration poses potential risks to code access and management.
READ article
From SPI Sniffing to Keys: Extracting Clevis/BitLocker Secrets from TPM Traffic #HardwareHacking
Mateusz Lewczak
January 10, 2025
In September 2024, a real-world penetration test was conducted to assess the security of a laptop using LUKS disk encryption on Linux, with Clevis facilitating automatic disk unlocking. The tested device relied on a TPM (Trusted Platform Module) to secure the decryption key used by Clevis. The focus of the test was to explore potential vulnerabilities to SPI Sniffing attacks.
READ article
Symfony Profiler in Production – An Entry Point for Sensitive Data Leaks and Remote Code Execution
Jakub Zoczek
January 3, 2025
During a security audit, a web application using an outdated version of the Symfony framework was identified. The analysis revealed the presence of the Symfony Profiler tool, which is commonly used for debugging applications during development. The Profiler provides detailed information about the application's operation, which is useful for developers. However, in a production environment, its availability can lead to the disclosure of sensitive information and, in some cases, remote code execution on the server.
READ article
From an AWS Cognito Misconfiguration to Full Account Takeover
Securitum
December 30, 2024
Issues with AWS Cognito configuration can expose applications to significant abuse, including privilege escalation attacks. The discovered vulnerability allows users to modify their attributes, potentially granting access to resources belonging to other entities in the system.
READ article
Session Fixation: A „Hidden Threat” to Web Application Security
Marcin Zięba
December 20, 2024
Session fixation is a security vulnerability that occurs when an attacker forces a legitimate user to utilize a predetermined session identifier (session ID). This allows the attacker to hijack the session and impersonate the victim once they authenticate with the web application. The vulnerability arises when an application fails to properly regenerate a new session ID upon user authentication, thereby continuing to use the preexisting session ID provided by the attacker. Common attack vectors include injecting the session ID through URL parameters, cookies, or hidden form fields.
READ article
Arbitrary Code Execution Through Uploading a Malicious JSP File – Vulnerability Analysis
MIKOŁAJ PUDLICKI
December 13, 2024
During security tests, a critical vulnerability was discovered in the tested application. This issue allows an attacker to execute any code on the server by uploading a malicious JSP file. The problem arises from a lack of proper validation of uploaded files, which can be exploited by attackers.
READ article
Exploiting the Password Reset Vulnerability: A Real-World Case Study
Securitum
December 6, 2024
Modern web applications need to prioritize user security. However, even well-designed systems can have hidden flaws that make them vulnerable to attacks. During a recent security test, a serious issue was found in the password reset feature of an application. This vulnerability made it possible for attackers to gain access to any user account, including the super administrators. Here’s what went wrong and why it’s such a big problem.
READ article
Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Hacking - Man-in-the-Middle and Brute-force in Action. Part 2 of 2.
Dariusz Tytko
November 29, 2024
In first part of this article, I described how do we analyze protocols during mobile applications testing. During this analysis, I noticed that the Diffie–Hellman protocol is used to exchange encryption keys. The protocol implementation was audited, and I discovered that it is prone to two attacks: Man-in-the-Middle and brute-force. Each of these attacks compromise the security of the protocol, allowing attackers to view and modify the data sent between the mobile applications and the servers.
READ article
Exploring Vulnerabilities in Mobile Applications: Key Exchange Protocol Analysis and Toolkit Setup. Part 1 of 2.
Dariusz Tytko
November 22, 2024
During one of latest pentests I tested mobile application. To perform analysis of the communication protocol and prepare a toolkit for testing network communication, the Android version of the application was used. Protocol analysis The protocol is implemented using C++ language, the implementation is included in the native library lib/arm64-v8a/lib[…].so. Wireshark, Frida (the instrumentation toolkit) and Ghidra (a software reverse engineering framework) were used to analyze the protocol.
READ article
Memory Heist: The Secrets and Risks of Cold Boot Attacks
Mateusz Lewczak
November 15, 2024
A Cold Boot Attack is a technique designed to capture data directly from a computer’s RAM, where critical and sensitive information is often stored. What kind of data? It could be almost anything: passwords, encryption keys, user login data, or even active sessions, which could provide attackers with extensive access to the system. In short, the attacker is after any information held in RAM during computer operation, and the Cold Boot Attack allows them to retrieve it.
READ article
Accessing Internal Network by WiFi Hacking - 2024 Pentest Case
Aleksander Wojdyła
October 25, 2024
During the last penetration test, I performed an Evil Twin attack, which involves setting up a fake access point with the same name as the legitimate one. Due to improper configuration of endpoint devices (e.g., computers, phones, tablets), users could accept an incorrect (fake, generated by the auditor) certificate identifying the network. This led to a successful capture of the authentication segment of the communication. Subsequently, the auditor subjected the captured data to brute-force attacks, resulting in the retrieval of credentials.
READ article
From SOQL Query to Data Breach - Lessons from a Real-World Pentest
Adam Borczyk
October 18, 2024
During one of security audits of a web application, I uncovered an interesting vulnerability: the exposure of an endpoint that allows users to perform arbitrary Salesforce Object Query Language (SOQL) queries. Such functionality, when available to unauthorized users or misconfigured, poses significant security risk, especially if Row-Level Security (RLS) permissions are not properly set. In this article I will analyze technical aspects of this vulnerability, the potential risks, and steps to mitigate such issues.
READ article
Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure
MATEUSZ Kowalczyk
October 11, 2024
During one of penetration tests, I discovered a vulnerability that allowed us to bypass a host whitelist, leading to the exposure of sensitive data. This behavior could let attackers to exfiltrate sensitive information, such as password reset tokens, to external hosts they control. The severity of this vulnerability is significant, as it opens up further attack vectors that could potentially compromise the application and its users.
READ article
Hacking IBM AS/400 in 2024: QShell and Remote Code Execution
MATEUSZ Kowalczyk
October 04, 2024
A few months ago, one of our clients commissioned us to audit a customer service application that continued to use the IBM AS400 environment. These days, an emulator is needed to connect to this application. An AS/400 emulator is software designed to emulate the functionality of an AS/400 system on a different platform, such as a modern desktop or server computer. These emulators enable users to access and interact with AS/400 applications and resources without the need for physical AS/400 hardware.
READ article
Heartbleed Vulnerability in 2024: A Fresh Case from Our Pentest
Paweł Różański
September 20, 2024
During a recent security audit, vulnerability known as The Heartbleed Bug was discovered on two publicly accessible servers. What is interesting it is a fact that this vulnerability was discovered 10 years ago! It allows an attacker to access data directly from the memory of vulnerable systems. In fact, it enables the extraction of sensitive information, including credentials, without any pre-existing access or authentication requirements.
READ article
Denial of Service Due to Improper Handling of Decimal Values
Dariusz Tytko
September 13, 2024
During one of my recent pentests, I found an interesting Denial of Service (DoS) vulnerability that allows an attacker to cause the server to become unavailable. The severity of this vulnerability has been classified as HIGH because it can be exploited with a single HTTP request.
READ article
Key Insights from Red Team Testing
krystian działowy
August 5, 2024
The goal of Red Team testing is to gain access to a company's internal network using various external, internal, or social engineering attacks. In other words, practically all methods are allowed, and the auditors' objective is to breach the internal network and carry out as many malicious operations as possible. In one of our recent tests of this type, our team, equipped with a wide range of scenarios, successfully infiltrated the client's internal network, gaining access to numerous resources where we obtained credentials to critical assets, such as databases and email accounts.
READ article
How NOT to store data in a desktop application?
Mateusz Lewczak
August 7, 2024
Due to their offline nature, desktop applications often struggle with storing sensitive data in a secure way. Many developers mistakenly believe that compiling an application automatically secures the data within it. This approach is especially common in applications written in languages that are easy to decompile, like for example .NET. However, the truth is that no matter what technology is used, various techniques can still be used to access unprotected confidential information, which can lead to major security breaches. In this article, we'll take a look at some common methods that can be used to access supposedly secure information from desktop applications. We will also discuss the potential impacts of these vulnerabilities.
READ article
From low-privileged user to Remote Code Execution: step-by-step pentest journey
Adam Borczyk
July 12, 2024
In the world of web application security, some vulnerabilities are naturally less impactful than others. We often hear about direct, short, and simple attacks that can compromise an entire server or application. Sometimes, however, it is chaining multiple, less dangerous vulnerabilities that leads to serious consequences. Here we will go through a case from one of the pentests from a couple of weeks ago, where having a low-privileged user account allowed us first to read the application source code, then to escalate to admin, and finally to obtain remote code execution.
READ article
Elevating privileges via a XSS and authorization bypass attack
Sebastian Jeż
June 21, 2024
A highly effective attack method combines Reflected Cross-Site Scripting (XSS) and authorization vulnerabilities. This attack lets hackers gain unauthorized administrative access. It requires social engineering to trick an administrator into running malicious JavaScript code, which then changes user permissions, potentially taking over accounts.
READ article
Few steps on how to take over a whole application
Sebastian Jeż
June 14, 2024
In a recent penetration test, I found a vulnerability in the password reset tokens within a system's audit trail functionality. This flaw can lead to arbitrary account takeover, allowing attackers to hijack user accounts, including those with high-level privileges.
READ article
How a simple vulnerability allowed proxying TCP traffic - real pentest case
Dariusz Tytko
June 7, 2024
During a penetration test for our client, it was discovered that the turn.example.com server, which is part of the tested application infrastructure, is vulnerable. This flaw allows for proxying TCP traffic through the server, enabling attacks on any host on the internet. Additionally, attackers could gain access to internal systems and their configurations, potentially compromising the entire infrastructure.
READ article
Exploiting PDF generation vulnerability: a case study from real pentest
SECURITUM
June 05, 2024
In a recent penetration test conducted by [Your Security Company], we identified a critical vulnerability within a web application that allowed unauthorized access to sensitive resources. This flaw permits an attacker to access both local server files and data on other servers within the same network. The vulnerability stems from improper handling of user-input data, presenting a severe security risk.
READ article
Password reset flaw: when anyone can reset your password
Sebastian Jeż
May 29, 2024
During rigorous testing, security researchers uncovered a significant weakness in the password reset mechanisms used by numerous online platforms. By exploiting the seemingly harmless phone number field, an attacker can compromise a victim's account. The vulnerability lies in the mishandling of a four-digit code, which, instead of being sent solely to the owner's phone, is also included in the server's response. This oversight turns a seemingly harmless feature into a gateway for hackers to infiltrate users' digital lives.
READ article
Why you shouldn't (again) roll your own cryptography - real-life case in 2024.
Mateusz Lewczak
May 17, 2024
In the last part of our series "Why You Shouldn't Roll Your Own Cryptography," I talked about a custom hashing algorithm using Triple-DES. Today, I'll present another case from a desktop application that used a completely custom "hashing" algorithm. It's important to note that the application was written in a native language, so some reverse engineering will be involved.
READ article
Crashing servers with digits: floating-point numbers DoS vulnerabilities
Martin Matyja
March 10, 2024
A Denial-of-Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a system or network, in this case – a web application. One sophisticated form of such an attack exploits vulnerabilities in the processing of floating-point numbers. In our scenario, attackers manipulate the system's handling of floating-point arithmetic, leading to inaccurate calculations and potential system failures. This method challenges the reliability of numerical computations and poses a serious threat to the stability and availability of targeted systems.
READ article
Exploring DaaS Security - part 2: Other available applications on the machine (3rd party)
Mateusz Lewczak
April 12, 2024
When dealing with applications used by regular company employees, often involved in paperwork, it's likely that cloud environments will also include office applications, image viewers, and possibly File Explorer. While these are not hacking tools, they can still be utilized in ways that facilitate access to the system's shell.
READ article
Exploring DaaS Security: A Comprehensive Guide Based on Vulnerabilities Uncovered in Real Pentests - part 1
Mateusz Lewczak
March 15, 2024
We're experiencing a real renaissance among desktop applications, thanks to cloud services that have added Desktop As A Service to their offerings. This service allows us to stream the image of a native application running on a cloud machine directly to our browser. We interact with it as we would with a normal application, except that, by design, we have limited access to the system. And that's our main goal as pentesters - to escape from the Matrix (application) into the system shell! In a conventional test of a desktop application, the focus is primarily on the application itself and its associated files. However, for applications running under DaaS, the audit extends to the entire runtime environment.
READ article
Unicode's role in XSS vulnerabilities.
jacek siwek
March 04, 2024
Web application security is a crucial concern in today's digital landscape. Cross-Site Scripting (XSS) attacks pose a significant threat to web applications, allowing attackers to inject malicious scripts into trusted websites. Request validation mechanisms are implemented to mitigate such attacks by blocking certain characters or patterns commonly associated with malicious code. However, recent discoveries suggest that there is a possibility of bypassing these validation mechanisms using Unicode characters, which could lead to successful XSS attacks.
READ article
Insider threat - The average insider threat attack scenario. How attackers can take over an entire domain in a few steps. Part 2.
DOMINIK ANTOŃCZAK
February 23, 2024
Have you ever wondered how little it takes to take over an Active Directory domain? Have you considered using some exploit? Nah, using exploits is not a fancy way and can be easily detected, and if anything, that option remains as a last resort. As savvy "hackers", we possess the right knowledge to navigate the network smoothly without making noise. Sometimes it takes a few steps, and just as Neil Armstrong said, it's one small step for man…, but for us hackers, taking over one system is a small step towards taking over the entire network. In this scenario, I'll demonstrate how the ability to analyze acquired information, coupled with a few sublime actions, was sufficient to take over the entire domain of a company consisting of 500-1000 users.
READ article
Server shutdown via GraphQL during real-life pentest
KAMIL JAROSIŃSKI
February 19, 2024
GraphQL is a query language and environment created by Facebook in 2012 and released publicly in 2015. However, it has only gained significant popularity among developers and organizations in the last few years. Why is it so popular? GraphQL serves as an alternative to traditional API protocols, like REST, offering a more flexible and efficient way for client-server communication. The emergence of new technology opens up new perspectives and solves some problems, but unfortunately, it also introduces threats. This is the case with GraphQL. If used without proper knowledge, it could potentially allow for a DoS (Denial of Service) attack.
READ article
Insider threat - why security measures don't matter. Part 1
Dominik Antończak
February 09, 2024
A sneaky security threat that combines Blind XSS with data exfiltration techniques poses a significant risk, allowing adversaries to insert persistent HTML/JavaScript code that executes within the domain context of an application. This vulnerability can be exploited to steal any data from the application or perform actions on behalf of another user.
READ article
Persistent threats via blind XSS and subsequent data exfiltration - tips and ticks from a security perspective.
SEBASTIAN JEŻ, KALINA ZIELONKA
February 05, 2024
A sneaky security threat that combines Blind XSS with data exfiltration techniques poses a significant risk, allowing adversaries to insert persistent HTML/JavaScript code that executes within the domain context of an application. This vulnerability can be exploited to steal any data from the application or perform actions on behalf of another user.
READ article
Better safe than sorry - The Imperative of Double-Checking Application Architecture Before Launch.
MICHAŁ ŻACZEK
January 12, 2024
Every application's journey from conception to release involves critical steps within the Software Security Development Life Cycle (SSDLC). Paramount among these is the Design Phase, where the application's architecture is conceptualized. This step is fundamental in determining the coding approach and necessitates careful consideration, especially from a security standpoint. Key aspects like data processing and storage need thorough examination.
READ article
Beyond fingerprints: Discussing the challenges of behavioral biometrics security
MATEUSZ LEWCZAK
December 01, 2023
Behavioral biometrics is an increasingly common element of the security of our bank accounts. It considers the way we type on a keyboard, move a mouse, use audio/video equipment, and even how we hold our phone. As it turns out, each of us performs these activities in a different way, and although these are small differences, with the use of Machine Learning, we are able to assess whether banking operations are performed by the account owner.
READ article
Unveiling hidden data: a log file's security breach
ROBERT KRUCZEK
November 10, 2023
Unveiling hidden data during 2023 pentest: how a misplaced log file can compromise 2FA security. Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as: • ffuf, • dirbuster, • gobuster. During the discussed test, I used the ffuf tool with a basic dictionary available publicly: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt
READ article
Demystifying Prototype Pollution and its link to DOM XSS
Kalina Zielonka
October 03, 2023
JavaScript, the backbone of many web applications today, brings with it flexibility and potential. At the core of its architecture, every element we interact with is essentially an object, each with its own unique properties and methods. The Role of Prototypes in JavaScript Prototypes allow JS to share attributes or properties between different objects. Every object in JS has a prototype object associated with it, which gives that object its own properties. In other words, an object in JS inherits all the properties of its prototype.
READ article
The Silent Threat of ReDoS: 2023 Real-Life Pentest Case
MATEUSZ LEWCZAK
September 26, 2023
Regular Expression Denial of Service (ReDoS) is a type of vulnerability that arises when an attacker submits a specially crafted input to an application that utilizes regular expressions to validate or process user input. The attacker's input aims to activate a slow or inefficient regex pattern, leading the application to consume excessive resources, such as CPU time or memory. This can result in denial of service (DoS) or system slowdowns. ReDoS attacks are especially concerning because they can be launched with ease and have the potential to inflict considerable financial harm to the affected organization.
READ article
Why you shouldn't roll your own cryptography - real-life case in 2023.
MATEUSZ LEWCZAK
August 28, 2023
In the world of IT, a common practice has emerged where cryptography is developed by a group of researchers possessing a strong mathematical background, while developers implement ready-made solutions and ensure that they are up-to-date and meet the best security practices. Taking this into consideration and adding the fact that desktop application testing is often carried out by pentesters who may overlook issues related to encryption or hashing, while focusing on searching for known vulnerabilities, it should be expected ...
READ article
How Private Cache Can Lead to Mass Account Takeover – pentest case
Mateusz Kowalczyk
July 12 2023
In many situations, minor vulnerabilities might seem like small fish in the vast ocean of cybersecurity threats. They’re often marked as low severity and thus, overlooked by developers who assume that the conditions for their exploitation are too complicated to be met. However, in this article, we’re going to challenge that assumption and show you …
READ article
A small oversight with big consequences: how a minor mistake can lead to the compromise of your Domain Controller.
dominik antończak
August 4 2023
Have you ever wondered how much information you can glean about others through observation? In the real world, when we're in public places, we're not always conscious of who's watching us and what information they're gathering about us.
READ article
When Usernames Become Passwords: A Real-World Case Study of Weak Password Practices
michał wnękowicz
June 9, 2022
In today's world, ensuring the security of our accounts is more crucial than ever. Just as keys protect the doors to our homes, passwords serve as the first line of defense for our data and assets. It's easy to assume that technical individuals, such as developers and IT professionals, always use strong, unique passwords to keep their accounts secure. However, this is not always the case; for example, ...
READ article
Pentest chronicles
In this section we share stories about vulnerabilities found during real-life penetration tests conducted by experienced testers. Check out our approach to testing web, mobile and desktop applications, as well as infrastructure and cloud systems. You'll get a step-by-step view of how we find vulnerabilities and the methods we advice to defend against them. Dive in and see what we've uncovered!
