The PasteBin Treasure Hunter

Introduction Malicious actors have multiple ways to share data they have stolen from websites or services. Some might post to popular forums to gain notoriety while others might post anonymously to paste sites like PasteBin. Combing through all the pastes being posted is beyond the ability of humans, so I’ve created a tool that helps […]

Read More The PasteBin Treasure Hunter

Information Disclosure in JForum 2.1.x

Version Tested 2.1.8 CVE Number CVE-2019-7550 Security Advisories None Background While conducting a penetration test for a customer, I encountered an unused developer forum using JForum version 2.1.8 and started looking for vulnerabilities within the application. Issue When creating a new user within the application, the browser sends a GET request to the server to […]

Read More Information Disclosure in JForum 2.1.x

Enterprise Password Security Scores

LogMeIn did a really cool report they’re nicknaming “The State of the Password“, which breaks down a company’s security score by size and industry. They took a census of 43,000 companies to gather all of this data. Here are some highlights of the report: The bigger the company, the worse the score This one should […]

Read More Enterprise Password Security Scores

Antivirus Bypass Technique

A lot of users think having an antivirus is the silver bullet to all of their security problems. Plot twist: It isn’t.  There is a relatively simple way to bypass antivirus and execute code on a remote machine, and the whole process takes less than 30 minutes. First, you need a Kali VM that has […]

Read More Antivirus Bypass Technique

Playing in Sandboxes

For researchers getting into malware analysis, or organizations that need somewhere to test suspicious files, sandboxes are a great way to isolate and run potentially malicious attachments or files before letting them get into your network. You can use any of the available cloud services like Cisco’s ThreatGrid, any.run, or Joe Sandbox. The downside to […]

Read More Playing in Sandboxes