Technical Research

Technical Research

Using CloudTrail to Pivot to AWS Accounts

Jun 7, 2022

In this blog, we look at how we can utilize the AWS CloudTrail service to discover other AWS accounts that we could pivot to.

By Gerben Kleijn

Technical Research

ripgen: Taking the Guesswork Out of Subdomain Discovery

Jun 1, 2022

ripgen is a super-fast subdomain permutation discovery tool that helps map the full scope of an attack surface. Learn how our Cosmos team uses ripgen to uncover unknown subdomain findings in our clients' environments.

By Justin Rhinehart, Joe Sechman

Technical Research

Call of DeFi: The Battleground of Blockchain

May 24, 2022

Last year, decentralized finance (DeFi) grew tremendously, not only in usage, but also in cybersecurity attack. To understand the risks of these new blockchain technologies and use cases, we analyzed the main hacks that occurred in 2021.

By Dylan Dubief

Technical Research

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations

May 17, 2022

Managing Sr. Consultant Ben Lincoln tested a Ruby on Rails application that was vulnerable to three of the most common types of Ruby-specific RCE vulnerabilities. Here is a walkthrough and new test harness that you can use to enable more efficient web application exploitation.

By Ben Lincoln

Technical Research

Our Top 9 Favorite Fuzzers

Apr 19, 2022

In keeping with our new tradition of crowdsourcing pen testing tool topics, it became clear that you wanted more on fuzzing! Learn which fuzzing tools are our pen testers' favorites to add to your security toolbox.

By Britt Kemp

Technical Research

Nuclei: Packing a Punch with Vulnerability Scanning

Apr 5, 2022

Nuclei is one of our favorite tools to run more speedy, efficient, customized, AND accurate multi-protocol vulnerability scanning. Learn how our teams use this tool to uncover risks in our clients' environments.

By Matt Thoreson, David Bravo, Zach Zeitlin, Sandeep Singh

Technical Research

Reports from the Field: Part 3

Mar 22, 2022

In the third part of our “Reports from the Field” series, we’ll explore how attackers utilize all tools available (including open source) to dig for an exploit.

By Wes Hutcherson

Technical Research

Reports from the Field: Part 2

Mar 8, 2022

In the second part of our “Reports from the Field” series, we’ll explore exposed configuration files. If you want to check out our first part on reused credentials, visit: Reports from the Field, Part 1.

By Wes Hutcherson

Technical Research

Reports from the Field: Part 1

Mar 1, 2022

In this three-part series, we’ll describe real-world examples that showcase how perceived ‘low-risk’ vulnerabilities can turn into critical, business-impacting issues – especially through attack chaining.

By Wes Hutcherson

Technical Research

Never, Ever, Ever Use Pixelation for Redacting Text

Feb 15, 2022

You can’t read what pixelated text says... right? Think again; Dan Petro explains how pixelation works, why it’s a terrible redaction technique, and how our tool Unredacter can actually reverse pixelated text.

By Dan Petro

Technical Research

Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211

Jan 13, 2022

Sometimes, our Cosmos team creates custom exploits for particular CVEs as requested by clients. In this case, Carl Livitt created an exploit for CVE-2021-3521; here, he shares his thought process behind creating a ROP-based exploit for Serv-U FTP v15.2.3.717 on modern Windows systems.

By Carl Livitt

Technical Research

Zero-Day Collaboration: Working With Imperva to Eliminate a Critical Exposure

Jan 11, 2022

The Bishop Fox Cosmos Adversarial Operations experts identified a WAF rule bypass in the Imperva Cloud Web Application Firewall. Discover how offensive and defensive security organizations can combine forces to ensure the best outcomes for organizations and continually improve security.

By Carl Livitt

Technical Research

How Bishop Fox Has Been Identifying and Exploiting Log4shell

Dec 27, 2021

Like you, Bishop Fox was racing against the clock to identify as many instance of the Log4j vulnerability for our clients as we could. Take a look at last week's craziness and our testing methodology.

By Dan Petro

Technical Research

XMPP: An Under-appreciated Attack Surface

Dec 6, 2021

Misconfigured XMPP (aka Jabber) servers may not be the most common service you encounter during pen tests, but they can prove valuable. Misconfigured XMPP servers are an excellent way to retrieve sensitive data from a company, establish a foothold in their infrastructure, and inform further attacks.

By Zach Julian

Technical Research

Eyeballer 2.0 Web Interface and Other New Features

Nov 15, 2021

Eyeballer, our open source AI-powered tool, just got a few updates. See what that entails and learn how to effectively use the tool.

By Dan Petro

Technical Research

A Snapshot of CAST in Action: Automating API Token Testing

Oct 21, 2021

While investigating our clients’ attack surfaces, I find myself repeating tasks frequently enough to demonstrate a need for automation, yet not frequently enough to justify the time needed to develop an automated solution.

By Zach Zeitlin

Technical Research

An Intro to Fuzzing (AKA Fuzz Testing)

Sep 28, 2021

Learn everything you need to know about fuzzing, including who should fuzz, what types of fuzzers exist, how to write a good harness, and more.

By Matt Keeley

Technical Research

IAM Vulnerable - Assessing the AWS Assessment Tools

Sep 23, 2021

In a follow up to his IAM Vulnerable tool, Seth Art examines the identification aspect of IAM privilege escalation and reviews IAM privesc assessment tools

By Seth Art

Technical Research

IAM Vulnerable - An AWS IAM Privilege Escalation Playground

Sep 9, 2021

The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.

By Seth Art

Technical Research

You're Doing IoT RNG

Aug 5, 2021

Learn why hardware random number generators (RNG) used by billions of IoT devices to create encryption keys don't always generate random numbers.

By Dan Petro, Allan Cecil

Technical Research

LEXSS: Bypassing Lexical Parsing Security Controls

Jun 22, 2021

Technical details of achieving cross-site scripting (XSS) attacks by using HTML parsing logic where lexical parsers are used to nullify dangerous content.

By Chris Davis

Technical Research

An Exploration of JSON Interoperability Vulnerabilities

Feb 25, 2021

Learn more about how the same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks.

By Jake Miller

Technical Research

Bad Pods: Kubernetes Pod Privilege Escalation

Jan 19, 2021

Seth Art discusses the impact of overly permissive pod security policies and the importance of applying restrictive controls around pod creation by default

By Seth Art

Technical Research

Lessons Learned on Brute-forcing RMI-IIOP With RMIScout

Dec 8, 2020

New features that have been added to RMIScout, a pen testing tool that performs wordlist and brute-force attacks against exposed Java RMI interfaces .

By Jake Miller