Pentesting, System Hardening & IT Security Blog

Our passion for testing and defending infrastructures, applications and companies often leads us to the point where we want to share our thoughts and experience with the world. Here you can read all about our exploits and research and enjoy our posts, from useful howtos, to published CVEs, management strategies, new exciting tools and much more. As a provider of offensive and defensive IT services, we always welcome readers to reach out to us and ask questions or provide feedback, be it about our blog or our services, which include web-application and network penetration tests, system defense and hardening and management consulting, among others.

In preparation for a new web security training course (german, coming soon), I had another look at the current version of the Damn Vulnerable Web App (DVWA). As I documented the solution for the command injection vulnerability on high, I found something that sparked a tiny idea how this part might b...

OverviewA stored XSS vulnerabily was discovered in the ShoutBox module of the enterprise application "BlueSpice Wiki".Title BlueSpice Shoutbox – Stored Cross-Site Scripting Product BlueSpice for MediaWiki Plugin: ShoutBox Vulnerable version 2.23.1 Fixed version 2.23.1.1 Vendor...

Client side access control is at hand, when the process or mechanism that enforces a users set permission is implemented on the users end of the application. The issue with this approach is, that a user has full control over their machine, and therefore the upper hand when it comes to protective mec...