PDF Generator Best Practices
The dangers of using server-side PDF generation technologies without properly sanitising user input.
Privasec RED
Demystifying Two Different Worlds: A Look into ISO 27001 and Red Teaming
Red Team Attack Simulations mimic an adversary attacking your organisation. Red Team Attack Simulations enable you to understand and improve upon your ability to identify and respond to an adversary tyring to access your systems or information.
But what actually happens during a Red Team and how does an Attack Simulation work in practise?
What happens during a Red Team Attack Simulation?
Red Team Attack Simulations mimic an adversary attacking your organisation. Red Team Attack Simulations enable you to understand and improve upon your ability to identify and respond to an adversary tyring to access your systems or information.
But what actually happens during a Red Team and how does an Attack Simulation work in practise?
Red Team Incognito War Stories: Crashing down the castle wall through deception
The impact from a lack of security awareness training through the eyes of a recent red team engagement performed by the Privasec Red team.
ZenTao CMS – A Monkey’s journey to Priv Esc & Remote Code Execution
This article explores Zentao, understanding how its routing works, and identifying several vulnerabilities that lead to an attack chain that an attacker can execute in order to achieve remote code execution.
Red, Blue, Purple, White, Black & Gold Team
For everyone who’s asking, what are the differences with a Red team, Blue and Purple, Black, White and Gold? Find out more here!
The Benefits of Infrastructure as Code for Adversary Simulation
Check out our Senior Red Consultant’s talk at the recent CRESTCon Australia 2021, on the ‘The benefits of Infrastructure as Code for Adversary Simulation’.
CVE-2020-3977: VMware Horizon DaaS Broken Authentication (MFA Bypass)
Not long ago, I assisted a client of ours with a penetration test of their VMware Horizon remote access solution and discovered a vulnerability affecting how it handles Multi-Factor Authentication (MFA). As a result, with a compromised user account password, I could gain access to the organisations internal network from the internet, bypassing the MFA requirement. In this blog, I’ll provide a high-level summary and explain how I identified and exploited the vulnerability.