Theft From Online Shopping Carts – Past and Present

June 4, 2020
Past: Circa 2007, during a penetration test, I encountered an online shopping cart that exposed a variable containing a product’s price and it allowed for manipulation to lower the cart’s total. In early 2008, research was conducted to answer the question – just how many carts are vulnerable to such a trivial hack? At the...

Full Disclosure: Authenticated Command Execution Vulnerability in pfSense

November 17, 2017
On 05/19/2016 Scott White of TrustedSec discovered an authenticated command injection vulnerability in pfSense. It was responsibly disclosed to pfSense ([email protected]) on 06/08/2016 and promptly fixed by the pfSense development team. TrustedSec wants to thank the pfSense team for the impressive response time and for providing a great open source project. Although the vulnerability was...

Ruby ERB Template Injection

September 13, 2017
Written by Scott White & Geoff Walton. Templates are commonly used both client- and server-side for many of today’s web applications. Many template engines are available in several different programming languages. Some examples are Smarty, Mako, Jinja2, Jade, Velocity, Freemarker, and Twig. Template injection is a type of injection attack that can have some particularly...

Full Disclosure: Adobe ColdFusion Path Traversal for CVE-2010-2861

March 15, 2017
This blog was written by Scott White, Senior Principal Security Consultant, Web Application Team Lead – TrustedSec TL;DR: A publicly undisclosed pre-auth local file disclosure path in older Adobe ColdFusion products (8.0, 8.0.1, 9.0, 9.0.1 and earlier versions) exists at /CFIDE/debug/cf_debugFr.cfm?userPage=../../etc/hosts During a recent penetration test, a web site utilizing cfm pages was identified and...

DerbyCon CTF Statistics

October 1, 2015
TrustedSec gathered the following statistics based upon the 2015 DerbyCon CTF from Sept 25-27. The statistics reveal some interesting points. For instance, approximately 74% of the teams or accounts that were registered found at least one valid flag. Some of the other statistics are provided below. Teams/Accounts Registered: 154 (114 or ~74%...

Ashley Madison Hacked. Dump Released

August 19, 2015
Ashley Madison suffered a breach a number of months ago. The hackers called “Impact Team” stated that if Ashley Madison didn’t shut down, it would expose the databases and information hacked from the popular online cheating site. Today it appears that promise came true and Ashley Madison did not buckle or shut down. The database...