Using CloudTrail to Pivot to AWS Accounts When performing cloud penetration tests (CPTs), the goal is to find and exploit high-severity issu... 2022-6-8 00:30:0 | 阅读: 6 | 收藏 | bishopfox.com - bishopfox.com cloudtrail assumedrole assumerole arn

ripgen: Taking the Guesswork Out of Subdomain Discovery In our most recent Tool Talk, we featured ripgen, a super-fast tool for conducting subdomain disco... 2022-6-2 04:0:0 | 阅读: 13 | 收藏 | bishopfox.com - bishopfox.com subdomain ripgen staging security

Call of DeFi: The Battleground of Blockchain Last year, decentralized finance (DeFi) grew tremendously, not only in usage, but also in cybersec... 2022-5-24 20:0:0 | 阅读: 4 | 收藏 | bishopfox.com - bishopfox.com defi security wallets hacks

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations On a recent assessment, I tested a Ruby on Rails application that was vulnerable to three of the m... 2022-5-18 00:0:0 | 阅读: 11 | 收藏 | bishopfox.com - bishopfox.com gem oj rails tarreader payload

Our Top 9 Favorite Fuzzers In keeping with our new tradition of crowdsourcing pen testing tool list topics (like this cloud p... 2022-4-19 23:0:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com fuzzer creator unicorn security libfuzzer

Nuclei: Packing a Punch with Vulnerability Scanning Here at Bishop Fox, we love using open-source tools to outfox attackers and protect our customers’... 2022-4-6 01:0:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com nuclei security bishop fox

Reports from the Field: Part 3 In the third part of our “Reports from the Field” series, we’ll explore how attackers utilize all t... 2022-3-22 23:45:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com security network attackers determined shortening

Reports from the Field: Part 2 In the second part of our “Reports from the Field” series, we’ll explore exposed configuration file... 2022-3-9 01:0:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com repository recovered database attacker attackers

Reports from the Field: Part 1 To defeat and deter cyberattacks, it’s essential to study the attacker’s methods and motivations to... 2022-3-2 09:0:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com recovered reuse client loot subsidiary

Never, Ever, Ever Use Pixelation for Redacting Text We write a lot of reports at Bishop Fox (it’s what happens when you hack all the things). This fre... 2022-2-15 21:0:0 | 阅读: 2 | 收藏 | bishopfox.com - bishopfox.com letter unredacter guesses redaction letters

Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211 BackgroundAs part of our work on the Cosmos platform (formerly known as CAST) we sometimes have a... 2022-1-13 21:0:0 | 阅读: 7 | 收藏 | bishopfox.com - bishopfox.com serv x8b x89 0000009d

Zero-Day Collaboration: Working With Imperva to Eliminate a Critical Exposure During a recent investigation, the Bishop Fox Cosmos Adversarial Operations experts identified a W... 2022-1-12 07:3:0 | 阅读: 5 | 收藏 | bishopfox.com - bishopfox.com imperva bypass fox bishop security

How Bishop Fox Has Been Identifying and Exploiting Log4shell If you’re like me, the big Log4j vulnerability (CVE-2021-44228 and pals) has eaten up the last wee... 2021-12-28 06:26:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com jndi payload client attacker nuclei

XMPP: An Under-appreciated Attack Surface IntroIn this blog post, I’ll demonstrate why XMPP is of interest to penetration testers, security... 2021-12-7 01:0:0 | 阅读: 2 | 收藏 | bishopfox.com - bishopfox.com xmpp jabber xeps

Eyeballer 2.0 Web Interface and Other New Features So there you are on an engagement with a large external footprint. There's thousands of exposed IP... 2021-11-16 00:0:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com eyeballer parked dogs buttons bishop

A Snapshot of CAST in Action: Automating API Token Testing While investigating our clients’ attack surfaces, I find myself repeating tasks frequently enough t... 2021-10-22 07:16:0 | 阅读: 0 | 收藏 | bishopfox.com - bishopfox.com nuclei sendgrid github cosmos repeatable

An Intro to Fuzzing (AKA Fuzz Testing) What is Fuzzing?Fuzzing, also known as fuzz testing, is a technique that allows developers and se... 2021-9-28 15:0:0 | 阅读: 2 | 收藏 | bishopfox.com - bishopfox.com fuzzer fuzzers harness dumb developer

IAM Vulnerable - Assessing the AWS Assessment Tools In my previous post, I introduced IAM Vulnerable, walked through how to set it up in a playground AW... 2021-9-23 15:0:0 | 阅读: 1 | 收藏 | bishopfox.com - bishopfox.com privesc deny 3awspxv1 notaction

IAM Vulnerable - An AWS IAM Privilege Escalation Playground If you are ever in a position where you need to assess the security of an AWS environment, one of th... 2021-9-9 15:0:0 | 阅读: 3 | 收藏 | bishopfox.com - bishopfox.com arn privesc ec2 privesc1

You're Doing IoT RNG There’s a crack in the foundation of Internet of Things (IoT) security, one that affects 35 billion... 2021-8-5 15:0:0 | 阅读: 1 | 收藏 | bishopfox.com - bishopfox.com rng hardware hal entropy csprng