OWASP Top 10 : Cross-Site Scripting #3 Bad JavaScript Imports

This blog covers Cross-Site Scripting (XSS) vulnerability from a different perspective. Generally, XSS is when the application takes user supplied JavaScript and displays it without escaping/encoding. In this blog, we will see how can XSS be exploited even if the application properly escapes/encodes the user inputted JavaScript using different methods. Exploiting XSS in this way can […]

Memory Forensics & Reverse Engineering : Thick Client Penetration Testing – Part 4

Static Analysis/ Reverse Engineering for Thick Clients Penetration Testing 4 Hi Readers, let’s take a look into static analysis. The advantage which thick clients offer over web applications are the ability to inspect the code and perform code level fuzzing which is more interesting for me! How to inspect code at a static level? There […]

Java Deserialization Exploit Resulting RCE on Thick Client Penetration Testing – Part 3

Thick Client Penetration Testing – 3 covering the Java Deserialization Exploit Resulting Remote Code Execution Welcome Readers, in the previous two blogs, we have learnt about the various test cases as well as setting up traffic for thick clients using interception proxy. Among the plethora of test cases out here, one particularly interesting is about […]

Detailed Traffic Analysis for Thick Client Penetration Testing – Part 2

After getting the basics of thick client pentest, let’s delve into the very first steps you can take to commence thick client pentest. Interception and setting up proxy of application. Thick clients can be broken down into two types based on proxy settings: Proxy aware Proxy unaware Proxy aware are those applications which has settings […]

Introduction to Thick Client Penetration Testing – Part 1

Why thick client penetration testing? Thick client applications are not new having been in existence for a long time, however if given to perform a pentest on thick clients, it is not as simple as a Web Application Pentest. Thick clients are majorly used across organizations for their internal operations. In this series of articles, […]

How are work, life and things at SecureLayer7

What we do at SL7? In this blog post, we will see how are work, life and things at SecureLayer7. We are an enthusiastic pack of security consultants and developers. Our work profile involves: Working at customer site or remotely and pen testing web, mobile and infrastructure. Finding and making proof of concept for vulnerabilities. […]

OWASP TOP 10: Insufficient Attack Protection #7 – CAPTCHA Bypass

What is CAPTCHA? CAPTCHA is an acronym for “Computer Automated Public Turing test to tell Computers and Humans apart”. It is used to determine whether or not the user is human. Many times, a CAPTCHA is an image. A human has to solve it using the challenge response system. A human can usually read it […]

SecureLayer7 Gratis PenTest Summer 2017

Overview Under the Gratis Pentest 2016, we have evaluated security postures of two open source applications i.e. Refinery CMS, PageKit CMS. We perform the penetration testing for the deserving Open Source Application as SecureLayer7’s contribution to Open Source Community. We shall allocate two or three days full time from our working hours to yield a […]

OWASP Top 10 Details About WebSocket Vulnerabilities and Mitigations

Socket in a Nutshell A socket is an endpoint of a network communication. A socket always comes in 2 parts: An IP address and a port. For example: When you visit www.securelayer7.net, your computer and the website’s computer are communicating using sockets (endpoints). The endpoint of the website will be: www.securelayer7.net:80 and endpoint of your […]

PageKit Open Source CMS Penetration Test

Overview Under the SecureLayer7’s Gratis Pentest Summer 2016, our consultant “Saurabh Banawar” have performed the 2 days penetration testing on the PageKit open source CMS application. Following vulnerabilities Saurabh have found during the penetration testing. Vertical/Horizontal Authentication Bypass or Password Reset Vulnerability (Critical)  – CVE-2017-5594 Server side information disclosure (Medium) Misconfiguration Improper use of .htaccess […]