The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.


  • How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL

    June 11, 2018, Darrell Damstedt, Senior Consultant, Coalfire Labs, Coalfire

    I like to do bug bounties from time  to time, mostly when I am sacrificing sleep once the kids are finally out cold.  This seemed like a worthy experience to document. Let me just start by saying I  don't plan on going into the whole recon bits too deeply here. Maybe I will someday if I ever have enough time to give the topic the justice it deserves. 

    Read more
  • Pro Tips: Testing Applications Using Burp, and More

    June 08, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire

    Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension. There are a few things, however, that while they exist in Burp Suite, are not completely intuitive. Below are a few pro tips to help you get the most out of your web application tests.

    Read more
  • PowerShell: In-Memory Injection Using CertUtil.exe

    May 31, 2018, Shane Rudy, Senior Security Consultant, Coalfire Labs

    Have you ever heard the old saying,” The only constant in life is change?” Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our efforts to evade defenses. This week was one of those weeks for me.

    Read more
  • Exploiting an Unsecured Dell Foglight Server

    May 23, 2018, Esteban Rodriguez, Consultant, Coalfire Labs, Coalfire

    Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well. It comes configured with a default username and password of “foglight.”

    Read more
  • Pro Tip: The Right Way to Test JSON Parameters with Burp

    May 21, 2018, Dan McInerney, Senior Security Consultant, Coalfire

    Here’s a Burp trick you might not know, which helped find this instance of command execution and lots of SQL injection in other applications. Despite PortSwigger claiming otherwise, Burp does not parse JSON very well, especially nested JSON parameters and values like you see below.

    Read more
  • Displaying results 1-5 (of 61)
     |<  < 1 - 2 - 3 - 4 - 5 - 6 - 7 - 8 - 9 - 10  >  >| 

Recent Posts

Post Topics

Archives

RSS Feed

The Coalfire BlogSubscribe to Feed
Chrome users will need to install RSS Subscription Extension (by Google)

Tags