Blog

Hashing Horror

Posted by Brian Berg on April 06, 2017Link 

Recently, I was working on a web application assessment that acted like a feature filled version of the Damn Vulnerable Web App. That meant there was a lot of XSS of course and a heavy handful of SQL injection vectors. This isn’t a post on how terrible the application was but the interesting way they chose to store their...Continue reading 

Exploitation: XML External Entity (XXE) Injection

Posted by Eric F. Tameesh on November 09, 2016Link 

Xxe Image

During the course of our assessments, we sometimes come across a vulnerability that allows us to carry out XML eXternal Entity (XXE) Injection attacks. XXE Injection is a type of attack against an application that parses XML input. Although this is a relatively esoteric vulnerability compared to other web application attack vectors, like Cross-Site Request Forgery (CSRF), we make the...Continue reading 

Polycom VVX-Series Business Media Phones Path Traversal Vulnerability

Posted by Jake Reynolds on December 11, 2015Link 

In June I spent a little time in the web administrative interface of a Polycom VVX600 IP phone running UC Software Version 5.1.3.1675. As I proxied the traffic through BurpSuite, I immediately noticed something interesting in the requests that the interface uses to display phone background images and ring tones to web users. The requests contained actual file names. Anyone involved...Continue reading 

Security threats are all around us. Are you prepared?
Not sure? Lets Talk.