Blog | General

Pins and Staples: Enhanced SSL Security

Posted on November 16, 2017

With Chrome backing away from HTTP Public Key Pinning and other industry thought-leaders calling for its death, I figured I'd take some time to review some existing and upcoming (and tedious) controls that aim to fix some of the many shortcomings within the SSL/HTTPS ecosystem. In so doing I figured I’d summarize some of these concepts into a...Continue reading 

Using Python To Get A Shell Without A Shell

Posted on October 27, 2017

Introduction Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands...Continue reading 

Unauthorized FLIR (Lorex) Cloud Access

Posted on October 10, 2017

Traditionally, closed circuit tv (CCTV) cameras and digital video recorders (DVRs) have been stand-alone, self-contained systems.  If the ability to access these systems remotely was required it was most commonly achieved by opening a port on a firewall and allowing access from the Internet to the DVR or camera directly.  Although effective, that method of access left what was in...Continue reading 

Have Questions?
Get Answers