Breaking the Air Gap Through Hardware Implants
IoT security assessments expose diverse technologies, use cases, and protocols. While wireless components like WiFi and Bluetooth enhance functionality and enable features like OTA updates, they also increase the attack surface. This blog explores the challenges of assessing non-wireless IoT devices and considers the potential of adding wireless capabilities for comprehensive security testing.
Nosey Parker Turns Two: Celebrating Two Years of Open-Source Secrets Discovery
Praetorian’s open-source secrets detection tool, Nosey Parker, was released two years ago. Learn more about updates Nosey Parker and importance in today’s environment.
Skeletons in the Closet: Legacy Software, Novel Exploits
The Praetorian team recently discovered a new vulnerability in Ivanti Endpoint Manager (EPM) which serves as a reminder to be aware of legacy systems – patch regularly and test often.
Identifying SQL Injections in a GraphQL API
Overview Many vulnerabilities in modern web applications occur due to the improper handling of user-supplied input. Command injection, cross-site scripting, XML External Entity (XXE) injections, and SQL injections all emerge from the downstream effects of unsanitized user input. SQL injection has held a high-ranking spot on the OWASP top 10 list since its inception. Despite […]
3CX Phone System Local Privilege Escalation Vulnerability
Overview In an effort to safeguard our customers, we perform proactive vulnerability research with the goal of identifying zero-day vulnerabilities that are likely to impact the security of leading organizations. Recently, we decided to take a look at the 3CX Phone Management System with the goal of identifying an unauthenticated remote code execution vulnerability within […]
Exploiting Lambda Functions for Fun and Profit
Overview Praetorian recently performed an assessment of a platform responsible for downloading and building untrusted, user-supplied code. The client was concerned about the possibility of attackers leveraging this process to compromise the client’s AWS environment or gain access to sensitive data belonging to other users. Their solution to sandboxing untrusted code builds was to perform […]