Blog

Webshells in Report Exports via String Replacement

We are back again with another fun finding from a recent assessment. During this assessment, one of our Ninjas found an interesting way to acquire remote code execution. In actuality, to get to this point there were a host of…

Blind SQL Injection from Bad JWT Tokens

Today, we have a fun one for you. I recently attended a conference and several college students kept asking me very similar questions. One of these questions was how can they transition from the examples they are learning in some…

Escaping Citrix Prison

Let’s talk Citrix Virtual Applications. To do that, we first need to explain what a Citrix Virtual Application is. These applications are hosted on a Citrix Server that utilizes the Microsoft Remote Desktop Service (RDS) to publish virtual environments. Ideally,…

Cross Site Scripting Strikes Again

Not-So-Private Personal Data. While browsing the internet looking for interesting things, I happened upon a site used for research purposes around DNA kits. The site was interesting; it lets users compare DNA kits to learn a range of information about…

Debugging in Production: Turn it Off!

Sometimes our assessments surprise us, not because of what issue we identified, but how we identified it. A client hired Packet Ninjas for a routine External Network Assessment. They gave us their external range, but it was not the most up to…

Cross Site Scripting and Rickrolling: Our Favorite Findings

Today, in our favorite finding series, I will be talking about one of my favorite vulnerability classes: Cross Site Scripting (XSS), and how untrustworthy actors can use it to do unexpected things to your website. Before we begin, I want…

Intuit Password Recovery Error

A few months ago, I was fiddling around with some Intuit applications as I had made a commitment to better track my finances. To my surprise, when I tried to make an account, I was receiving an error that there…

Mobile App Encryption Bad Practices

Recently at Packet Ninjas, we have been getting a lot of questions about the kind of testing we do here. I thought this would be a good opportunity to write a few articles about some of my favorite findings. I…

Seven Most Common Web and Mobile Application Issues

One of the first places to begin probing for vulnerabilities is your web or mobile applications. After all, these are often the public face of your organization. Unfortunately, people often miss crucial elements of application security. Whether they are web…