Introduction 2022 was a tough year. It seemed like no one was safe. Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Okta, Uber—and those were just some of Lapsus$’s breaches. What’s a Script Kiddie to do to be better protected in 2023? Another year in the books, and it was another big year for cybersecurity. While 2022 did…
Read
Insecure By Default Mobile application assessments diverge somewhat from normal web application assessments as there is an installed client application on a local device to go along with the backend server. Mobile applications can often work offline, and thus have a local store of data. This is commonly in the form of SQLite databases stored…
Read
With the ever-increasing demand for mobile technology, it seems like there is an app to do just about anything you can think of, right on your cell phone. From banking to mobile gaming and even controlling the RGB lights installed in your home office, everything is interconnected now. With the rise of this functionality also…
Read
Original post: https://www.trustedsec.com/blog/the-defensive-security-strategy-what-strategy/ Massive exposures and attacks, such as recent SolarWinds and Exchange exploit issues, have been common news lately. While the security landscape has advanced and changed, these massive exposures are continuing to occur. The question is why, and how, are they occurring? While common issues are often leveraged, the mentality around them is…
Read
Today, we are releasing iHide, a new tool for bypassing jailbreak detection in iOS applications. You can install iHide by adding the repo https://repo.kc57.com in Cydia or clicking here on an iOS device with Cydia installed. Additionally, you can check out the code and build/install it yourself if you prefer. Once installed, iHide will add…
Read
As the web application footprint migrates client-side, tools to thoroughly analyze and test client behavior are becoming increasingly important. Burp Suite has made some great strides in this direction with their browser-based enhancements to crawling and scanning, but when it comes time to really dig into the particulars for research, we are still very much…
Read
Or, “I’m Sorry, You Said You’re from Where Again?” In a prior webinar on creating weaponized Cross-Site Scripting (XSS) payloads, I mentioned that XSS payloads (written in JavaScript) could not change the HTTP Referer header. Malicious requests made through an XSS payload will often have an unexpected Referer header that does not generally make sense…
Read
So, who is testing the client-side components of Single Page Applications (SPAs)? What are you doing exactly, dropping a few cross-site scripting (XSS) polyglots into boxes like you used to do with “<ScRiPt>alert(123)</sCrIpT>” for traditional apps back in 2001? Are you mostly holding out hope that all big problems will be in the back-end APIs?…
Read
The main advantage of utilizing serverless architecture, such as Amazon Web Services (AWS), is that it is a great way to build applications without having to manage the infrastructure. The provider will provision, scale, and maintain the servers to run applications, databases, and storage systems. Naturally, this offloads the risk of server-side insecurities to the…
Read
This post will walk you through the creation of a Frida script that will be used to demonstrate the usage of the Frida Python bindings. The Frida script will be used to monitor encryption calls and capture details about the encryption type and keys in use. We will learn how to send messages from Frida…
Read