New Warning — Microsoft Copilot AI Can Access Restricted Passwords
https://www.forbes.com/sites/daveywinder/2025/05/14/new-warning---microsoft-copilot-ai-can-access-restricted-passwords/
#cybersecurity #copilot #Sharepoint #password #cracking #pentests

@tessarakt
Korrekt.

Nach der mir zugänglichen Presse-Darstellung ist die Bedrohung (#Threat) bislang noch nicht realisiert worden.

Nach weit verbreiteter "#VW-Denke" existiert diese #Gefahr damit nicht.

Ich muss zugeben, wirkliches #RisikoManagement habe ich auch erst bei einem der Marktbegleiter aus dem #Premium-Segment gelernt.

Und dort hätte dieses Setup den Betriebsreife-Index nicht erreicht, weil die #Pentests entweder fehlten oder fehlgeschlagen wären.

If you want coverage aka get the maximum out of tests such as #Pentests, Scans and #testing in general, you shouldn't have only DEV, TEST, STAGE/INT and PROD environments, you should also provide an AUTO environment. The AUTO environment would be focused on supporting automation, meaning in the web app case simplifying authentication for scanners, don't aggressively invalidate sessions, remove CSRF protection etc.
Same for mobile apps btw.
#devsecops #devops

Została wydana nowa wersja dystrybucji Parrot Security OS 6.2. Parrot Security OS to specjalistyczna dystrybucja Linuksa stworzona do testów penetracyjnych, informatyki śledczej, łamania zabezpieczeń, testów zabezpieczeń https://linuxiarze.pl/parrot-6-2/ #linux #debian #cybersecurity #pentests

When GRC asks the red team "What tools do you use to conduct your penetration tests?"

Ummm.... I don't know.... All of them?

....I just wrote some new ones this morning...

#infosec #pentests #redteam #hacking

Was super fun to attend #aws #reinforce but this guy and another are glad I’m home and I think some customers want me to get busy on their #pentests!

Our #usdHeroLab professionals have uncovered a vulnerability in the online store software #Gambio during their #pentests.

Our analysts discovered a vulnerability in the password reset functionality. Exploiting this vulnerability would enable an attacker to change the password for any account and take over, for example, the administrator account of the application.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy.

👉 More details: https://herolab.usd.de/en/security-advisories/usd-2024-0002/

Our #usdHeroLab analysts examined the #SONIX Technology Webcam during their #pentests.

1️⃣ Vulnerability Type: Incorrect Permission Assignment for Critical Resource (CWE-732)

🚨 Security Risk: High

The vulnerability was reported to the vendor under the Responsible Disclosure Policy.

👉More Details: https://herolab.usd.de/security-advisories/usd-2023-0029/

#Announcement: On Friday, our #usdHeroLab colleagues published a major release of our BurpSuite Plugin #FlowMate: https://github.com/usdAG/FlowMate/releases/tag/v1.1

During BlackHat USA 2023 and DEF CON 31, our colleagues received a lot of helpful feedback on their #tool: The new version 1.1 contains bug fixes and some new features. In our video, Florian Haag explains the advantages and possible use cases in the context of #WebApplication #Pentests: https://www.youtube.com/watch?v=BJhRhGmDATw

#CheckItOut #Security #Pentesting #Hacking #Tools #Community #moresecurity

The #BurpSuite extension #CSTC by @usdAG saved my a** during several web app #pentests.

It allows you to easily transform HTTP requests and responses.

Use it to save time when you would otherwise have to write a bunch of custom code!

Here's everything you need to know about it 👇

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking #Burp

The #usdHeroLab analysts examined #ThingsBoard while conducting their #pentests.
1⃣Vulnerability Type: Server-Side Template Injection
🚨Security Risk: High
🧵👇 More Details

🧐ThingsBoard is an open-source IoT platform for data collection, processing, visualization, and device management.

During an assessment a Server-Side Template Injection (SSTI) vulnerability has been discovered. It enables attackers to dynamically create and modify templates, that are used for automated generation of mail content, which results in the execution of arbitrary system commands.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩‍💻​👨‍💻​👇

https://herolab.usd.de/en/security-advisories/usd-2023-0010/

The #usdHeroLab analysts examined the Content Management System #SuperWebMailer while conducting their #pentests.
1⃣Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79)
🚨 Security Risk: Medium
👇🧵 More Details

🧐SuperWebMailer is an online application for managing e-mail newsletters. The vulnerability enabled attackers to execute requests on behalf of other users.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy. More information can be found here 👩‍💻🧑‍💻 👇

https://herolab.usd.de/security-advisories/usd-2023-0011/

The #usdHeroLab analysts examined the Content Management System #Contao while conducting their #pentests.
1⃣Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79)
🚨 Security Risk: Medium
👇More details

🧐Contao is an open source Content Management System that allows you to create professional websites and scalable web applications.

The vulnerability enabled attackers with a low-privileged role to use a modified HTTP request to create an article with a JavaScript payload of their choice, which was client-triggered on the frontend and backend. For example, such an attack could upgrade a low-privileged account to an administrator account.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩‍💻👇

https://herolab.usd.de/en/security-advisories/usd-2023-0020/

The #usdHeroLab analysts examined the #SAP HTTP Content Server while conducting their #pentests.
1⃣Vulnerability Type: Improper Neutralization of HTTP Headers for Scripting Syntax #CWE644 #CVE202326457
🚨 Security Risk: High
👇🧵 More details

The SAP HTTP Content Server returns error messages in the header x-errordescription of the #HTTP Response. When invalid input is provided in a HTTP request, it is also placed in the error message inside this header.

During this process the input is URL-decoded, therefore for example %41 is translated to A and %0a is translated to a newline. This enables an #attacker to add new headers and change the content of the response.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩‍💻​👨‍💻​👇​
https://herolab.usd.de/security-advisories/usd-2022-0046/

The #usdHeroLab analysts examined the #SAP Partner Portal while conducting their #pentests.
1⃣ Vulnerability Type: Improper Neutralization of Input During Web Page Generation #CWE79 #CrossSiteScripting
🚨 Security Risk: High
👇🧵 More details

In cases where users do not have sufficient permissions to view a specific URL within the #SAP Partner Portal, they get redirected to an error page. During this redirection, the requested URL is passed to the error message as a parameter without any filtering or encoding.
Therefore it is possible to include HTML-Tags and JavaScript in the URL, making it possible for malicious actors to launch #XSS attacks.

The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩‍💻👇​
https://herolab.usd.de/security-advisories/usd-2023-0017/

Is there any #DAST tools for dummies? Preferably open source. Goal is for developers with no pen testing experience to find some low hanging fruit early, before doing a real test by a professional.
#Pentests

"Hey Ma, Where Do #Pentests Come From?" @dnsprincess explains #pentesting via a storybook at this year's #GRRCon.

Don't miss this informative and fun presentation at one of the Midwest's premier #infosec conferences!

https://bfx.social/44B6WrG

Website update finally. Figured might be a good idea due to an upcoming announcement. At least doesn’t say next cloud security class is November 2019 in Melbourne, Australia 😆

#2ndSightLab #Cyber #Cloud #Security #pentests #assessments #training

https://2ndsightlab.medium.com/2nd-sight-lab-website-update-cc08e61754c6

To counteract the increasing complexity of #hacker attacks, high-quality #pentests are essential. This is best achieved when the knowledge and instinct of #pentest professionals are complemented by suitable #tools. 🛠️​

That's why our extensive experience with #TechnicalSecurityAnalyses is continuously contributes to the development of helpful tools. As a result, we proudly present our in-house developments #FlowMate, #SNCScan and #CSTC to the global #SecurityCommunity at #BlackHat and @support. We are proud to provide international security experts with tools for #moresecurity

Our Colleagues Matthias Göhring, Nicolas Schickert and Florian Haag are fine-tuning the very last details before heading to #LasVegas next week. We wish our Heroes great presentations and keep our fingers crossed!🤞​

#CyberSecurity #Innovation #ExcitedToPresent #usdHeroLab

Another #cloudsecurity tool we're fans of: ScoutSuite, a multi-cloud security #auditing tool. Use it across all major #cloudcomputing platforms. Save time on your #cloud #pentests with this tool! https://bfx.social/43C7Dkn