Abraham Lincoln (repeating a woodsman) would have answered the question: what would you do if you had just six hours to chop down a tree? I would spend the first four hours sharpening my axe.
What does it tell us? That preparation is key.
You cannot protect what you don’t know, therefore knowing your attack surface is the first essential step to protect it efficiently.
Once you have decided to go for a pentest, you may wonder if it should target your production environment.
Depending on the risks, it can be appropriate to pentest either a production environment or a test environment. Below is a summary of the pros and cons for each alternative.
Vaadata is a start-up specialized in security audits. We are looking for a cybersecurity consultant (M/F) to join our team, at the interface between technical and business issues.
25 pages to know the existing and exploitable vulnerabilities on these technologies, as well as the means to counter or reduce the risks.
The OWASP Top 10 2017 introduces the risk of insufficient logging and monitoring. Indeed, inherent problems in this practice are often underestimated and misunderstood. But why is a seemingly simple task ending up being a crucial point of information system security?
From the too many cyberattacks 2019, we’ve summed up 5 insights: here is our year in review.
A digital certificate is a data file that allow, on the one hand, the non-repudiation and the integrity of data, and on the other hand, to identify and to authenticate a person or an organization and also to encode communications.
A digital certificate includes several information, as:
This last point is crucial to verify the trustworthiness of a certificate. For this, when a certificate is received, a chain of trust is built to a certificate authority.
To explain the working of the chain of trust, let’s present some notions:
The Metasploit framework is an open source tool, allowing searching, analysing and exploiting vulnerabilities. It has many modules and tools that can be very useful during intrusion tests, whether on Web applications or on a company’s information system.
Although often used relatively basically, for example to launch a simple exploitation module on a target, this framework has options and tools that make it a key ally for a pentest. We will therefore see here how to use the Metasploit framework in an optimized way.
For the demonstration, we will attack a local network we are connected to.
Before starting a pentest, should you present your product or solution to pentesters? It all depends on your situation and on your objectives!
In this previous article, we have seen what a SSRF vulnerability is, and how, in general, it can be exploited. We had placed ourselves in a quite simple theoretical framework, but various elements (either due to the vulnerability itself or due to security implementations) can make the task more complicated.
In this article, we will have a look at various methods to go further. On
the agenda: