Category Archives: Application Security
Oracle EBS Security auditing
So this is my attempt to improve on this post I wrote last year and other tests that I find helpful. Whatever is outlined here really is a tip of the iceberg and further tests should definitely be done depending on scope, objectives… Application testing: Controls to test: Default application account credentials; Weak application password…
Blackhat Europe 2017 – conference notes
I had the pleasure to attend Blackhat Europe 2017 in London – and it was enlightening! In this post, I shall provide links to the slide decks, videos and tools shared during the demonstrations, briefings and various talks. The abstracts for the briefings can be found on the official Blackhat Europe website. 1. Black Hat…
From Shodan to Remote Code Execution #1 – hacking Jenkins
In this era of extreme automation, whether for development, programming, deployment or even security management, are we getting closer to security maturity or are we better off without the automation? In the next posts, I hope to uncover some of the tools/applications employed in enterprises geared towards automation and better security but end up…
From Shodan to Remote Code Execution #2 – hacking OpenDreambox 2.0.0
A sequel to the last post of what is now becoming a series of “From Shodan to remote code execution”, we now take a look at how to hack misconfigured Dreambox installations. Dreambox is a company which offers digital TV set-top boxes and other related services. Shodan search: Perform a Shodan search as below…
Penetration testing Sharepoint
Like any normal web application, Sharepoint may fall prey to OWASP Top 10 vulnerabilities, with a special focus on XSS, mostly due to inadequate patching and misconfiguration. In this post, we focus on recon / what Sharepoint is exposing. Google Dorks FTW!: Some Google dorks to help you find Sharepoint installations exposed to the web…
Do you know what your ERP is telling us?
An interesting engagement I had a few weeks ago: a client wanted assurance on their ERP – Oracle E-Business Suite, to be specific. I spent a few weeks just to formulate an efficient strategy and be able to cover most controls from an insider threat perspective and an external authenticated attacker angle. For this post, I…