
Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Technical Research

Call of DeFi: The Battleground of Blockchain

May 24, 2022

Last year, decentralized finance (DeFi) grew tremendously, not only in usage, but also in cybersecurity attacks. To understand the risks of these new blockchain technologies and use cases, we analyzed the main hacks that occurred in 2021.

By Dylan Dubief

Technical Research

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations

May 17, 2022

Managing Sr. Consultant Ben Lincoln tested a Ruby on Rails application that was vulnerable to three of the most common types of Ruby-specific RCE vulnerabilities. Here is a walkthrough and new test harness that you can use to enable more efficient web application exploitation.

By Ben Lincoln

Advisory

CVE-2022-1388: Scan BIG-IP for Exact Release Versions

May 10, 2022

Worried about your BIG-IP devices and if they are impacted by CVE-2022-1388? We built a scanner that can help you quickly determine if they are running versions that need to be patched. Check it out!

By Caleb Gross

Industry

Getting Schooled in Security: Bishop Fox Academy

May 10, 2022

We recently launched Bishop Fox Academy, a company-wide career development and continuous learning program to uphold our position as an offensive security leader.

By Andrew Wilson

Industry

The Foxes of Mexico: A Security Roundtable

May 1, 2022

In honor of Dia del Trabajo (Labor Day) on May 1, we talked to Foxes in Mexico about their cybersecurity journeys, life at Bishop Fox, Mexico as a tech leader, and any advice they have for fellow Mexicans who want to join the industry.

By Beth Robinson

Industry

Ransomware: How Adversaries are Upping the Ante

Apr 27, 2022

During the last few years, no other cyber threat has dominated headlines as much as ransomware, with SANS even declaring 2020 and 2021 “the years of ransomware”. Explore the latest ransomware trends, including ransomware as decoys, RaaS, and attacks on supply chains.

By Trevin Edgeworth

Technical Research

Our Top 9 Favorite Fuzzers

Apr 19, 2022

In keeping with our new tradition of crowdsourcing pen testing tool topics, it became clear that you wanted more on fuzzing! Learn which fuzzing tools are our pen testers' favorites to add to your security toolbox.

By Britt Kemp

Culture

Cybersecurity Mentors: Why & How to Find Your Match

Apr 12, 2022

We dispel some misconceptions of finding a mentor and provide some straightforward ideas for developing a mentor-mentee relationship, no matter the stage of your career.

By Britt Kemp

Technical Research

Nuclei: Packing a Punch with Vulnerability Scanning

Apr 5, 2022

Nuclei is one of our favorite tools to run more speedy, efficient, customized, AND accurate multi-protocol vulnerability scanning. Learn how our teams use this tool to uncover risks in our clients' environments.

By Matt Thoreson, David Bravo, Zach Zeitlin, Sandeep Singh

Culture

Cyber Talent: Exploring the Ongoing Shortage & Great Resignation

Mar 29, 2022

See how the talent shortage and the Great Resignation movement are impacting the cybersecurity workforce, and learn how Bishop Fox approaches recruiting and retention of cybersecurity talent.

By Beth Robinson

Technical Research

Reports from the Field: Part 3

Mar 22, 2022

In the third part of our “Reports from the Field” series, we’ll explore how attackers utilize all tools available (including open source) to dig for an exploit.

By Wes Hutcherson

Culture

Women of the Fox Den: A Security Roundtable

Mar 15, 2022

In honor of Women’s History Month and the paths women are forging in cybersecurity, we talked to Foxes about their cybersecurity journeys, their experiences at Bishop Fox, and any advice they have for other women who may be new to the field.

By Britt Kemp

Technical Research

Reports from the Field: Part 2

Mar 8, 2022

In the second part of our “Reports from the Field” series, we’ll explore exposed configuration files. If you want to check out our first part on reused credentials, visit: Reports from the Field, Part 1.

By Wes Hutcherson

Technical Research

Reports from the Field: Part 1

Mar 1, 2022

In this three-part series, we’ll describe real-world examples that showcase how perceived ‘low-risk’ vulnerabilities can turn into critical, business-impacting issues – especially through attack chaining.

By Wes Hutcherson

Industry

Cloud 9: Top Cloud Penetration Testing Tools

Feb 24, 2022

You spoke, and we listened! Earlier this year, we asked what pen testing tool list we should publish next. A list that focused on the cloud was the clear crowd favorite. So that being said, here are nine of our favorite tools for cloud pen tests.

By Britt Kemp

Technical Research

Never, Ever, Ever Use Pixelation for Redacting Text

Feb 15, 2022

You can’t read what pixelated text says... right? Think again; Dan Petro explains how pixelation works, why it’s a terrible redaction technique, and how our tool Unredacter can actually reverse pixelated text.

By Dan Petro

Culture

CactusCon 10: Five Security Talks to Watch

Feb 10, 2022

Check out a few of our favorite talks from CactusCon 10.

By Britt Kemp

Culture

Music To Hack To: Volume 2

Feb 2, 2022

We open-sourced our list by asking some of our Discord members to contribute their favorites in addition to folks in the Fox Den.

By Britt Kemp

Industry

Perceptual Analysis: A Look at Bishop Fox’s New Technology Patent

Jan 26, 2022

We’ve achieved a significant milestone in transforming the offensive security space with the recent patent grant award of our innovative technique known as perceptual analysis (US Patent No. 11,218,496). Get the technical details of our patent and learn more about perceptual analysis.

By Joe Sechman

Technical Research

Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211

Jan 13, 2022

Sometimes, our Cosmos team creates custom exploits for particular CVEs as requested by clients. In this case, Carl Livitt created an exploit for CVE-2021-35211; here, he shares his thought process behind creating a ROP-based exploit for Serv-U FTP v15.2.3.717 on modern Windows systems.

By Carl Livitt

Technical Research

Zero-Day Collaboration: Working With Imperva to Eliminate a Critical Exposure

Jan 11, 2022

The Bishop Fox Cosmos Adversarial Operations experts identified a WAF rule bypass in the Imperva Cloud Web Application Firewall. Discover how offensive and defensive security organizations can combine forces to ensure the best outcomes for organizations and continually improve security.

By Carl Livitt

Industry

Taking Home Gold: The Best InfoSec Talks & Research of the Year

Jan 4, 2022

Lots of research, security talks, and vulnerabilities caught our attention this past year. In this recap, we’ll provide an overview of some of the research we found interesting, some of the talks we found the most compelling, and some of the vulnerabilities we won’t (or can’t) forget anytime soon.

By Britt Kemp

Technical Research

How Bishop Fox Has Been Identifying and Exploiting Log4shell

Dec 27, 2021

Like you, Bishop Fox was racing against the clock to identify as many instances of the Log4j vulnerability for our clients as we could. Take a look at last week's craziness and our testing methodology.

By Dan Petro

Advisory

Log4j Vulnerability: Impact Analysis

Dec 10, 2021

Affecting enterprise software, web applications, and well-known consumer products globally, the CVE-2021-44228 zero-day vulnerability impacts any organization using the Apache Log4j framework. Read our official Bishop Fox response as we unfold and report on Log4j's impact.

By Wes Hutcherson