Blog

CVE-2017-6079 – Blind Command Injection in Edgewater Edgemarc Devices

Posted by Spencer Davis on May 16, 2017Link 

During a recent external penetration test, one of the many servers listening on the default HTTP port 80 caught my eye. The web server threw a HTTP Basic Authentication login prompt immediately upon viewing it, which was unique amongst this particular target network. Some time was spent trying to fingerprint the device and nmap did most of the heavy lifting for...Continue reading 

Hashing Horror

Posted by Brian Berg on April 06, 2017Link 

Recently, I was working on a web application assessment that acted like a feature filled version of the Damn Vulnerable Web App. That meant there was a lot of XSS of course and a heavy handful of SQL injection vectors. This isn’t a post on how terrible the application was but the interesting way they chose to store their...Continue reading 

Exploitation: XML External Entity (XXE) Injection

Posted by Eric F. Tameesh on November 09, 2016Link 

Xxe Image

During the course of our assessments, we sometimes come across a vulnerability that allows us to carry out XML eXternal Entity (XXE) Injection attacks. XXE Injection is a type of attack against an application that parses XML input. Although this is a relatively esoteric vulnerability compared to other web application attack vectors, like Cross-Site Request Forgery (CSRF), we make the...Continue reading 

Security threats are all around us. Are you prepared?
Not sure? Lets Talk.