Tag Archives: Penetration Testing

WE’RE HIRING: Penetration Testers


March 25, 2015

Securus Global is looking to expand its technical delivery team, so that as we grow, we can continue to deliver top-quality security assessments to our clients.

  • Location: Sydney or Melbourne CBD
  • Salary: Dependent upon experience.
  • Work Type: Full Time

ROLE PURPOSE:

The Penetration Tester is a hands-on technical role, primarily involving:

  • Performing penetration testing (web apps, networks, mobile apps, code reviews, you name it)
  • Reviewing other technical deliverables, such as penetration testing work and client reports
  • Presenting technical work to clients, and explaining security issues and why they matter to both technical and non-technical audiences
  • Contributing to the development of internal tools and methodologies

Continue reading

Bypassing WAFs with SVG


October 13, 2014

By Julian Berton (LinkedIn)

Recently, I presented a lightning talk at Ruxcon 2014, on a cross-site scripting issue we discovered on a client engagement, and two interesting ways in which we could bypass the WAF present (as well as Firefox’s cross-site scripting filter).

The cross-site scripting issue we found was fairly standard at first, with an initial URI like the following:

localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714&userId=542e239cc6f6f28004c4dae0&result=HC999|SUCCESS

This generates a page like the screenshot below, with the reference number read from a vulnerable URI parameter by the “jquery.query.get()” function and written into the page.

[Screenshot: the generated page displaying the reference number taken from the URI]
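To make the sink concrete, here is an added example (not code from the original post or from jquery.query) showing the pattern the paragraph describes: a value is read straight out of the query string and concatenated into page markup, beside a hardened version that escapes it first. It assumes the reflected parameter is `result` (the reference-number field in the URI above); `getQueryParam()` is a hypothetical stand-in for `jquery.query.get()`, and the attacker URL is a constructed generic event-handler payload, not the SVG vector from the talk.

```javascript
// Added example, not code from the original post. getQueryParam() is a
// stand-in for jquery.query.get(); the plugin itself is not reproduced here.
// SAMPLE_URL is the URI from the post; ATTACK_URL is a constructed payload.

const SAMPLE_URL =
  "localhost:4000/apply_thankyou?uuid=d77a9190-4ace-11e4-b775-bd2f6eee9714" +
  "&userId=542e239cc6f6f28004c4dae0&result=HC999|SUCCESS";

// Parse the query string the way a get(name) lookup would: split on '&',
// then on the first '=', and percent-decode both halves ('+' becomes space).
function getQueryParam(url, name) {
  const q = url.indexOf("?");
  if (q === -1) return "";
  const query = url.slice(q + 1).split("#")[0];
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, " "));
    if (key === name) return decodeURIComponent(rawVal.replace(/\+/g, " "));
  }
  return "";
}

// Vulnerable pattern (DOM-based XSS): the parameter lands in markup unchanged,
// exactly as if it were assigned to innerHTML.
function renderReferenceUnsafe(url) {
  const ref = getQueryParam(url, "result");
  return "<p>Your reference number is: " + ref + "</p>";
}

// Minimal HTML escaping for a text-node context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before concatenating. In a real page, prefer
// setting element.textContent and never build HTML from the URL at all.
function renderReferenceSafe(url) {
  const ref = getQueryParam(url, "result");
  return "<p>Your reference number is: " + escapeHtml(ref) + "</p>";
}

// Constructed attacker URL: a generic event-handler payload in the parameter.
const ATTACK_URL =
  "localhost:4000/apply_thankyou?result=" +
  encodeURIComponent("<img src=x onerror=alert(1)>");

console.log(getQueryParam(SAMPLE_URL, "result"));  // HC999|SUCCESS
console.log(renderReferenceUnsafe(ATTACK_URL));    // payload survives as markup
console.log(renderReferenceSafe(ATTACK_URL));      // payload rendered as text
```

The escaping here is a text-node fix only; a value that ends up inside an attribute, a URL, or a script block needs the encoding for that context, and a WAF in front of the application does not change what the sink does with the bytes it receives.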

Continue reading

Dumping Windows Credentials


December 20, 2013

By Sebastien Macke, @lanjelot

Introduction

During penetration testing engagements, we often find ourselves on Windows systems, looking for account credentials. The purpose of this post is to walk through some techniques to gather credentials from Windows systems while being as non-intrusive as possible.

The core principles behind the techniques described in this post are:

  • Safety – Avoid causing any downtime, by using tools and techniques which are known to be safe, and will not render a system unstable.
  • Stealthiness – Avoid detection by steering clear of tools and techniques that trigger alerts. Refrain from uploading binaries, turning off the anti-virus, generating suspicious event logs etc.
  • Efficiency – While Bernardo’s blog attempts to cover many of the tools and techniques available for dumping credentials from a Windows host, this post focuses on the most practical way to get the job done.

Continue reading

London 2012 Olympic Games ‘faced cyber attack threats’

The London 2012 Olympic Games was at serious risk of a cyber attack, with organisers fearing that the opening ceremony could have been targeted.

Officials have revealed for the first time in an interview with BBC Radio 4 that real threats emerged ahead of the Games, as the whole country's infrastructure was put in jeopardy.

Continue reading

Retailers ‘becoming more vulnerable to attack’


July 05, 2013

Retailers are likely to find themselves increasingly prone to cyber attacks, especially as their systems become more and more complex.

This is according to Abe Lietz, chief information officer and vice-president of information systems for Jenny Craig, who believes that retailers have so far been largely unaffected.

Continue reading

UK subject to ‘industrial scale’ cyber attacks


July 03, 2013

Cyber security is a growing problem across the world, with the UK intelligence agency GCHQ the latest to reveal the extent to which it is under attack.

Director of the group Sir Iain Lobban explained in an interview for BBC Radio 4 that business secrets are being stolen on an industrial scale, highlighting the need to carry out penetration testing.

Continue reading

Report: Cyber criminals will never stop


July 02, 2013

Businesses need to realise that cyber criminals will never stop in their quest to compromise systems to obtain data, a new report from Trustwave has established.

The 2013 Global Security Report pointed out that new threats are arising just as fast as businesses can implement steps to combat them, so they always need to be on their guard.

Continue reading

Consumers willing to give up personal data – if there are benefits


June 27, 2013

The majority of people are willing to give up their personal data, but only if companies can demonstrate a clear incentive for getting them to do so.

These are the results of a new survey by Infosys, which revealed that there is a level of caution towards data sharing, even in spite of the benefits it can bring.

Continue reading