Tag: web applications

The Real Impact of Cross-Site Scripting

Cross-site scripting (XSS) is probably the most prevalent high risk web application vulnerability nowadays, and yet it is still one of the most overlooked by developers and defenders alike.  At Dionach we have experienced a few situations when reporting XSS in penetration test reports as a critical or high risk issue, and the client would […]

What is the Risk if You Don’t Fix Perceived Meaningless Vulnerabilities?

In a recent external penetration test, I was able to chain multiple vulnerabilities together allowing me to fully compromise one of the client’s servers. Whilst many of these vulnerabilities were low risk it is important to take care of every security vulnerability to minimise risk to systems. The scope was large and the organisation had […]

From 0 to 100: Innocuous Source Code to Web Server Compromise

Antonio Sánchez, Lead Consultant In a recent web application penetration test I was challenged with figuring out how to fully compromise a client’s website. The site was using the latest version of WordPress, and although they had a few plugins installed, they seemed to be patched as well. However, I did find an interesting web […]

A case of a misconfigured CORS implementation

During a recent penetration test I conducted against one of our client’s websites, I found an interesting case of a misconfigured CORS implementation that I would like to quickly showcase in this post. From Wikipedia, cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested […]

Risk based Application Penetration Testing

Risk based Application Penetration Testing

It is generally accepted within the information security world that penetration testing is a good way to provide assurance as to the security of applications or infrastructures. With numerous companies offering these testing services, how do you differentiate and evaluate which company uses the best approach for your organisation? At Dionach we perform a large […]

Should I allow my pentester on my IPS?

Should I allow my penetration tester’s IP address range on my intrusion prevention system? Variations of this question have featured in numerous information security forums and mailing lists. Unfortunately, the factors and variables in play here are considerable so a worthy response is unlikely to be short or universal. This blog post aims to highlight […]

Splunk Web Shell

Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as “admin” and are granted the associated privileges without having to authenticate. Splunk is based on Django, and among the options it gives you when accessing the admin panel is one that is particularly attractive […]

Umbraco CMS Local File Inclusion

Umbraco CMS <= 7.2.1 is vulnerable to local file inclusion (LFI) in the ClientDependency package included in a default installation. Whether this vulnerability is exploitable depends on a number of configuration options, and on the exact version of Umbraco installed. The ClientDependency package, used by Umbraco, exposes the “DependencyHandler.axd” file in the root of the […]

Contact Us

Contact Us Reach out to one of our cyber experts and we will arrange a call