Claranet Cyber Security
    Email: still the favourite route of attack

    Is your email security up to the challenge?

    Blog

    Cybersecurity Toolkit

    Cybersecurity is a fast-expanding field spanning network infrastructure, remote services, device diversity, even the nuances of human interaction and behaviour within the enterprise. Today’s IT expert is part technician, part detective, and part sociologist. This SlideShare presentation is a blow-by-blow account of the issues that matter in today’s hyperlinked, cross-connected, time-shifted organisation—with each threat backed up by some key statistics. Download PDF

    Blog

    UK Exposed: Cybersecurity skills shortage putting businesses in the firing line

    While businesses across the country grapple with post-Brexit contingency planning, a lack of experienced and qualified professionals with the right cyber skills presents an additional major challenge. Back in 2014, Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG), predicted a growing cybersecurity skills shortage panic over the coming years, saying:

    Blog

    Growth in leaked exploit attacks means penetration testing should be a front-line defensive measure, warns Sec-1

    Author: Jack Kerr

    Actively rooting out vulnerabilities is the most effective way of preventing attacks of this nature.

    Blog

    Automating Pentests for Applications with Integrity Checks using Burp Suite Custom Extension

    During one of our recent web application penetration testing assignments, @realsanjay encountered a scenario where the application employed an integrity check on HTTP request content. The integrity check was maintained using a custom HTTP header that stored the HMAC of HTTP request content based on session-specific CSRF tokens. Any modification in the HTTP request would result in a “499 Unknown” HTTP error response.

    Blog

    Exploiting VLAN Double Tagging

    We have all heard about VLAN double tagging attacks for a long time now. There have been many references and even a single packet proof of concept for VLAN double tagging attack but none of them showcase a weaponized attack.

    Blog

    Continuous Security Monitoring using ModSecurity & ELK

    Recently, NotSoSecure got an opportunity to explore the working of monitoring and alerting systems as a part of a project. In this blog post, Anand Tiwari will talk about his experience and challenges faced while setting up one such monitoring and alerting system.

    Blog

    Semgrep: A Practical Introduction

    Static Application Security Testing (SAST) is a testing methodology that analyses application source code to identify security vulnerabilities, such as (but not limited to) injection vulnerabilities, insecure functions and cryptographic weaknesses. Typically, SAST combines manual and automated testing techniques, which complement each other.

    Blog

    Cloud Services Enumeration - AWS, Azure and GCP

    TL;DR: We have built cloud enumeration scripts, now available at https://github.com/NotSoSecure/cloud-service-enum/. These scripts allow pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service.

    Blog

    Cyber security checklist for remote working

    As many organisations settle into the new way of working for everyone, connectivity and collaboration are important discussion points, but another factor obviously cannot be ignored: security. Relying on remote workers to address this on their own is not an option and, for many, the right processes, training and technology may not be in place anyway. In this blog we look at some of the key issues and how you can help your colleagues to work from home and stay secure.

    Blog

    Claranet | If you’re not looking, who is?

    Unfortunately, the story usually goes “we got infected with ransomware, it was only when we got in on Monday that we realised, and by then it was too late.” Most organisations are aware of the importance of good cyber security practices, but many are still underprepared for the “when and not if”. Keeping a constant eye on what is taking place on your network is the best way to contain an attack.

    Blog

    Identifying & Exploiting Leaked Azure Storage Keys

    In this blog, Sunil Yadav, our lead trainer for “Advanced Web Hacking” training class, will discuss a case study of Remote code execution via Azure Storage when the Azure Function deployment is configured to run from Storage Account using WEBSITE_CONTENTSHARE app setting.

    Blog

    Achieving DevSecOps using AWS Cloud Native Services

    In our previous article Achieving DevSecOps using Open-Source Tools we explored what “DevSecOps” really meant and how that can be achieved using simple Open-Source tools integrated into an existing DevOps pipeline orchestrated with Jenkins and deployed on docker in an ad hoc on-premises architecture. In this article Rohit Salecha and Anand Tiwari explain how DevSecOps can be achieved for an environment which is completely operated on AWS and their native offerings.

    Blog

    Exploiting ViewState Deserialization using Blacklist3r and YSoSerial.Net

    In this blog post, Sanjay talks about various test cases for exploiting ASP.NET ViewState deserialization using Blacklist3r and YSoSerial.Net. Blacklist3r is used to identify the use of pre-shared (pre-published) keys in the application for encryption and decryption of the forms authentication cookie, ViewState, etc. We discussed an interesting case of pre-published Machine keys leading to an authentication bypass. Read more

    How to obtain the MachineKey? There are multiple ways, including but not limited to the following, to obtain the Machine Key used by a .NET application:

    Blog

    Achieving DevSecOps with Open-Source Tools

    Today, DevOps is enabling organisations to deploy changes to production environments at blazing speeds. A typical DevOps process flows through the following stages.

    Blog

    Exploiting SSRF in AWS Elastic Beanstalk

    In this blog, Sunil Yadav, our lead trainer for the "Advanced Web Hacking" training class, will discuss a case study where a Server-Side Request Forgery (SSRF) vulnerability was identified and exploited to gain access to sensitive data such as the source code. Further, the blog discusses the potential areas which could lead to Remote Code Execution (RCE) on an application deployed on AWS Elastic Beanstalk with a Continuous Deployment (CD) pipeline.

    Blog

    Hunting the Delegation Access

    Active Directory (AD) delegation is a fascinating subject, and we have previously discussed it in a blog post and later in a webinar. To summarize, Active Directory has a capability to delegate certain rights to non (domain/forest/enterprise) admin users to perform administrative tasks over a specific section of AD.

    Blog

    Project Blacklist3r

    TL;DR: The goal of this project is to accumulate the secret keys and secret materials related to various web frameworks that are publicly available and potentially used by developers. These secrets are utilised by the Blacklist3r tools to audit the target application and verify the usage of these pre-published keys.

    Blog

    Out of Band Exploitation (OOB) CheatSheet

    The Out-Of-Band (OOB) technique provides an attacker with an alternative way to confirm and exploit a vulnerability which is otherwise "blind". In a blind vulnerability, as an attacker you do not get the output of the vulnerability in the direct response to the vulnerable request. OOB techniques often require the vulnerable entity to generate an outbound TCP/UDP/ICMP request, which then allows an attacker to exfiltrate data. The success of an OOB attack depends on the egress firewall rules, i.e.

    Blog

    NotSoSecure joins the Claranet Group

    The acquisition puts the NotSoSecure business in a position of significantly greater strength, with a broader portfolio of services now available to our customers.

    Blog

    © Copyright Claranet limited 1996-2022