There is a great saying in cybersecurity: "Anything you can't see, you can't secure." In an ever-evolving threat landscape, gaining visibility into your organization's assets is more crucial than ever. Asset Inventory Management (AIM) solutions are therefore designed to provide comprehensive insights
Mubashir
In today's complex digital landscape, cyber threats pose a constant risk to organizations of all sizes. Traditional security measures, while essential, often struggle to keep pace with the rapid evolution of cyberattacks.
Zero-day vulnerabilities, in particular, can be exploited by malicious actors to compromise sensitive data, disrupt operations,
In today's digital age, a single exposed secret, like an API key or database password, can unlock the doors to sensitive information, inviting cyber criminals to wreak havoc. A single misstep can lead to severe consequences, including financial loss, reputational damage, and regulatory penalties. To mitigate these risks,
Nowadays, most of the hacks and security breaches we see involve some kind of human element: a social engineering attack is used to trick employees or users, and that foothold is then leveraged as an initial entry point to carry out further attacks, such as gaining unauthorized access to various
Snapsec's Vulnerability Report Management solution provides a practical way for organizations to manage reports from their penetration testing teams in a more modern and structured format. This solution allows teams to easily receive, review, and understand findings, while also offering a wide variety of functionalities to enhance vulnerability
In today’s digital landscape, most cyberattacks begin with something as simple as a phishing email. Picture this scenario: you receive an email from an unknown sender, perhaps claiming to be a prince from a distant country, offering you millions. Out of curiosity or politeness, you click the link provided,
Agorapulse provides everything an organization could possibly need for social media marketing, monitoring, and management. Agorapulse is a full-featured social media management platform. Some of its features include a variety of ways to publish content, schedule posts, and report about social account usage. The software is used to create and
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the
LastPass, one of the largest online password managers with over 25 million users as of 2020, recently suffered a massive data breach. The data included user information and vault data. Earlier in August, LastPass informed customers that an unauthorised actor had gained access to their development server through a compromised
Almost a year back, in March 2020, we were shuffling our private invites stock to land on a program worthy of our time and excitement. After a while, we stumbled upon a program by the name of Lark Technologies. Larksuite is a collaborative platform where users can collaborate on various tasks. This product
Working with a target having various access roles and functionalities always gives us goosebumps. This time it was a design flaw in the application logic that we reformed to create a backdoor which revealed to us all of the response details submitted on the form or survey created by the admin.
So far you may have come across various web applications where you were able to invite members with limited access to the information within the organization. Developers are able to make such applications or services by implementing access control models within their applications.
What are Access Control Models?
Access control
Another expedition to choose a new target to hack at Snapsec stopped at Zendesk. Zendesk aligned with most of the testing principles we consider while choosing a new target to hack. Their available metrics indicated that the Zendesk security team was responsive and acknowledged the work of security researchers
Web hosting provider GoDaddy recently disclosed a multi-year (possibly since 2020) security breach, which enabled attackers to install malware and steal source code related to some of its services. The company attributed the attack to a “sophisticated and organized group targeting hosting services.”
According to the company, it received several
What is rate limiting? Rate limiting is the process of limiting the number of requests received by a networking device. It is used to control network traffic. Suppose a web server allows up to 20 requests per minute. If you try to send more than 20 requests, an error will be triggered. A
Log4j is a logging framework for Java applications. It is a popular choice for developers looking for a simple and flexible logging solution. However, in the past Log4j has been found to be vulnerable to a number of security threats. The Log4j library has recently been found to contain a
On 15 September, UBER acknowledged that it was responding to a “cybersecurity incident” and had contacted law authorities about the hack. An individual claiming to be an 18-year-old hacker claimed credit for the attack. On Thursday night, the attacker reportedly tweeted, “Hi I declare I am a hacker and UBER
The complexity of modern applications has increased exponentially in the past decade. Unfortunately, this has also increased the attack surface and hence the total number of vulnerabilities found in such applications. One such type is business logic vulnerabilities.
So what is a business logic vulnerability?
If you are a developer, you already know that it’s nearly impossible to keep every resource in one place. It’s expensive (because everything has to be managed by one party) and it gets quite messy. So you may be thinking that developers can potentially use two different domains to
You might be familiar with the annoying OTPs or other authentication tokens delivered right after you log into your favorite site. This article will help you to understand the purpose of 2FA and its exploitation. I have also drafted some of the 2FA bypasses; you can use these techniques to
File sharing, or simple file upload functionality, is a widely used feature in web apps nowadays. Any misconfiguration in this one feature can put the entire application or even the organization at great risk. In this article I will talk about this vulnerability, how to attack it and
Authentication issues are easy to understand; however, they can sometimes prove to be the most critical ones, because authentication is the core of security in any application. In the forthcoming sections, we will briefly discuss authentication and how various authentication mechanisms can be exploited.
What is authentication?
Familiar