HackDig : Dig high-quality web security articles for hackers

8 Keys to Writing Safer Code

All too often, security in code is an afterthought. There’s a reason that bug bounties are so prevalent; as codebases get larger, testing gets harder. Add in the time constraints of a “move fast and break things” mentality and it’s no wonder so many security issues arise. The basics might be there, encrypted connections, hashed passwo
Publish At:2020-07-09 11:54 | Read:174 | Comments:0 | Tags:Application Security Assessment Penetration Testing Security

Google Tsunami vulnerability scanner is now open-source

Google announced that its Tsunami vulnerability scanner for large-scale enterprise networks is going to be open-sourced. Google has decided to release as open-source a vulnerability scanner for large-scale enterprise networks named Tsunami. “We have released the Tsunami security scanning engine to the open source communities. We hope t
Publish At:2020-07-09 04:30 | Read:133 | Comments:0 | Tags:Breaking News Hacking Google hacking news information securi

Adventures in Phishing Email Analysis

Opening Phishing attacks are a daily threat to all organizations and unfortunately, they are one of the hardest threats to protect against. No matter how many defensive layers an organization has put in place following best practice defense-in-depth design, it only takes one (1) user to click on that malicious link or open that weaponized attached documen
Publish At:2020-06-18 10:09 | Read:126 | Comments:0 | Tags:Incident Response Incident Response & Forensics Penetration

Workflow Improvements for Pentesters

As penetration testers, we are always on the lookout for quality of life improvements. Whether it’s scripting, automating some mundane process, or trying to conquer that all-important client report, it is in our very nature to constantly strive to make things better. One way to advance your art as a pentester is through workflow improvements. A lot
Publish At:2020-06-16 15:41 | Read:195 | Comments:0 | Tags:Penetration Testing Security Testing & Analysis

Abusing Windows Telemetry for Persistence

Today we’re going to talk about a persistence method that takes advantage of some of the wonderful telemetry that Microsoft has included in Windows versions for the last decade. The process outlined here affects Windows machines from 2008R2/Windows 7 through 2019/Windows 10.As of this posting, this persistence technique requires local admin rights to i
Publish At:2020-06-09 06:06 | Read:166 | Comments:0 | Tags:Application Security Assessment Penetration Testing Research

Introducing Proxy Helper – A New WiFi Pineapple Module

I have had several occasions when I’ve been performing a pentest against an Android or iOS application, attempting to monitor the traffic with Burp Suite, only to realize that the application is not respecting my proxy settings. Now, if you have a rooted or jailbroken device, there are some ways you can force the application to go through a proxy, but
Publish At:2020-05-26 13:56 | Read:167 | Comments:0 | Tags:Application Security Assessment Hardware Security Assessment

Refocusing Cybersecurity Best Practices on Security Hygiene

While organizations around the world are rightly focused on the COVID-19 pandemic, the work of cybersecurity must continue. In fact, attackers often increase their efforts to breach networks and systems during times of trouble, counting on the chaos as a useful distraction. In such times, the best cybersecurity practices should actually refocus on the most b
Publish At:2020-05-24 06:18 | Read:231 | Comments:0 | Tags:CISO Antivirus Chief Information Security Officer (CISO) Cyb

Breaking Typical Windows Hardening Implementations

In this post, I will go over some hardening configurations that are typically set in Group Policy settings and ways to bypass them. It is important to remember that hardening configurations can be a whole series of different settings. For this post, I am showing only a few specific settings, meaning that if these were in a real hardened environment, some of
Publish At:2020-05-18 12:54 | Read:221 | Comments:0 | Tags:Application Security Assessment Penetration Testing Security

Practical OAuth Abuse for Offensive Operations – Part 1

Background OAuth is an open authorization standard that facilitates unrelated servers and services working together, allowing access to their assets without sharing the initial, related, single logon credential. I have been thinking of it as a kind of Kerberos for external services, without a shared domain or forest. A familiar instance would be authen
Publish At:2020-05-18 12:54 | Read:223 | Comments:0 | Tags:Application Security Assessment Penetration Testing Purple T

Ad Hoc or Managed Penetration Testing: Which One Is Best for You?

Penetration testing is no longer an extraordinary security engagement. Due to regulatory mandates, internal policies, business executive requests and the overall desire to avoid becoming the next breach victim, testing is now commonplace among many organizations. The kind of testing, however, can still be a question. Do you need ad hoc testing, that as-neede
Publish At:2020-05-03 08:13 | Read:316 | Comments:0 | Tags:Application Security Data Protection Risk Management Securit

COVID-19 cybersecurity: Pro-bono Pentests for COVID-19 related Apps & Software

COVID 19 cybersecurity: Pro-bono program helping organizations & developers to secure their applications. What is it? COVID-19 poses a grave danger to the world due to the high rates of spreading and the virus continuing to affect different geographical locations. A global slowdown appears to be a foregone conclusion to the lockdown.  To
Publish At:2020-05-03 07:50 | Read:288 | Comments:0 | Tags:News Penetration Testing Web Application Security COVID 19 A

Generating SSH Config Files with Ansible

If you like to stand up infrastructure in the cloud using Ansible (like we do), one of the pain points can be getting the new instance IP addresses configured in an SSH config file for easy connecting. This used to be a manual process, but generating these files as part of your playbook is straightforward using Jinja templates. When combined with a little-kn
Publish At:2020-04-14 10:33 | Read:450 | Comments:0 | Tags:Application Security Assessment Penetration Testing Security

Wanted: Process Command Lines

As a Red teamer, the key to not getting detected is to blend in. That means that if I need to spawn a new process on a host, it is important that it looks legitimate with command line parameters that look correct. Many system binaries have a set of parameters when they are executed. This blog post will cover how to find process command line parameters on a t
Publish At:2020-04-09 12:10 | Read:511 | Comments:0 | Tags:Application Security Assessment Penetration Testing Red Team

PentesterLab Pro Giveaway

We are excited to announce that we will be giving away 200 one-month subscriptions to PentesterLab Pro. During these challenging times, we hope that you will be able to use this learning resource to improve your web application testing skills. PentesterLab Pro is a leading industry tool designed to make learning web hacking easier. Using hands-on exe
Publish At:2020-04-04 14:45 | Read:415 | Comments:0 | Tags:Penetration Testing Security Testing & Analysis

Tricks for Weaponizing XSS

In this blog post, we will look at some simple JavaScript tricks for creating weaponized cross-site scripting (XSS) payloads. If less reading more videoing is your thing, watch this topic in webinar form here: https://www.trustedsec.com/events/webinar-popping-shells-instead-of-alert-boxes-weaponizing-xss-for-fun-and-profit/ Often, penetration testers
Publish At:2020-03-30 11:22 | Read:445 | Comments:0 | Tags:Application Security Assessment Penetration Testing Xss


Share high-quality web security related articles with you:)