Blog

  • Evaluating Banking Apps’ Security Against Mobile Theft: A Monzo Case Study
    Intro & Motivation Every 10 minutes, someone steals a mobile phone in London, making phone security a critical concern for all of us. A recent Financial Times article highlights this surge in thefts, revealing that our personal and financial information is at significant risk. As I learned from discussions with two of my neighbours who had
  • Phishing Like a Pro: A Guide for Pentesters to Add SPF, DMARC, DKIM and MX records to Evilginx
    In this blog post we cover an update we made to the Evilginx tool. Specifically, this update adds the capability to publish SPF, DMARC, DKIM and MX records from Evilginx. As a result, you can significantly improve your sending domain’s reputation and boost the chances of your emails reaching the recipient’s inbox. We normally
  • Password reset vulnerabilities in Grav CMS
    What is Grav CMS In the digital age, the security of web applications is a paramount concern, particularly when it comes to content management systems that power a significant portion of the internet. Grav CMS, a modern open-source flat-file CMS, is known for its flexibility and user-friendly approach. However, like any software, it is not
  • Red Team Ops II exam review
    In today’s ever-evolving cybersecurity landscape, staying ahead of the curve is important. That’s where certifications like the Red Team Ops II (or Red Team Lead or RTO II) Exam come into play. Having just completed this rigorous certification, I’m thrilled to provide you with an insider’s look at the course and my journey through it.
  • PSTIA 2024: Enhancing UK Cybersecurity – What You Need to Know
    Description Set to take effect on April 29, 2024, the Product Security and Telecommunications Infrastructure Act (PSTIA) introduces pivotal security mandates for connectable products in the UK. This legislation mandates robust security protocols for manufacturers, shaping a safer digital environment for consumers in England, Wales, Scotland, and Northern Ireland. This blog post provides an overview
  • Red Team Ops exam review
    Intro In the fast-paced world of cybersecurity, professionals must constantly outpace threats. The Red Team Ops Exam (RTO) certification is at the highest level of offensive security expertise. Having just completed this rigorous certification, I’m excited to share my in-depth review of the course and my personal experiences. Understanding the Red Team Ops Exam The
  • Understanding DORA: Implications for Penetration Testing Practices
    Description This blog post delves into the implications of the Digital Operational Resilience Act (DORA) on penetration testing, offering a curated summary of relevant DORA articles. It carefully highlights critical insights across key domains, including: General provisions (Chapter I) TL;DR: This DORA chapter outlines key definitions crucial for understanding the regulation’s scope, including ‘digital
  • Reflected XSS in Kaspersky Security for Linux Mail Server
    During a recent pentest we uncovered CVE-2024-1619, a high-severity reflected XSS in Kaspersky Security for Linux Mail Server, which has since been fixed by the vendor. Reflected XSS attacks compromise user data and session
  • FORTBRIDGE RECEIVES DESC ACCREDITATION FOR PENETRATION TESTING
    We are excited to announce that FORTBRIDGE has achieved yet another milestone by receiving DESC accreditation as a Penetration Testing provider. Our dedicated team, with a wealth of experience in top tech companies across the UK/EU & US, specialises in application security, API security, and cloud security, covering both offensive and defensive perspectives. As we broaden our
  • Compromising Plesk via its REST API
    Plesk is a commercial web hosting and server data center automation software developed for Linux and Windows-based retail hosting service providers. It is the main choice of web hosting providers these days, being used by 86.7% of the websites that use a web panel for administration. This is 4.4% of all websites, and there are around 2M Plesk installations in the US alone. As expected, there are many interesting features to attack as an administrator; however, we could not find anything really exploitable there, and attacking as an administrator is not that interesting to begin with, since you already own the server. We tried to escalate our privileges from one of the limited roles, but those controls seem solid. In the end we discovered a cookieless CSRF, which is really a design issue in this case: the API accepts POST requests without any cookie-bound CSRF check, so it affects all POST requests and we could abuse most of the API endpoints with it.
  • A CSRF vulnerability in the popular csurf package
    One of our customers asked us to review one of their pentest reports, in which one of the findings was that a CSRF cookie was missing the Secure flag. It was interesting to see that some people try to fix the LOW severity findings as well; we did not expect that.
  • Mass Account Takeover in the Yunmai smart scale API
    Recently, during an internal IoT research project, we pentested the Android and iOS Yunmai smart scale apps. Below are the 5 vulnerabilities that we discovered; we chained 3 of them (#2, #3 and #4) to achieve mass account takeover. All vulnerabilities have been responsibly disclosed to Yunmai.
  • Multiple vulnerabilities in Concrete CMS – part2 (PrivEsc/SSRF/etc)
    We previously wrote about Concrete CMS here. In that post we described how we exploited a double race condition in the file upload functionality to obtain remote command execution. In this blog post we present multiple vulnerabilities in Concrete CMS that we found at the end of last year during a pentest for one of our customers. For more information, see the “Mitigations” section for tips on fixing the password poisoning issue and on improving the security of a Concrete CMS installation in general.
  • Multiple Concrete CMS vulnerabilities ( part1 – RCE )
    Concrete CMS is designed for ease of use by users with minimal technical skills. It lets users edit site content directly from the page, and it keeps a version history for every page, much like wiki software does. Concrete5 also allows users to edit images through an editor embedded in the page. As of 2021, there are over 62,000 live websites that use Concrete CMS under the hood. During a recent pentest, our team found a very interesting vulnerability. Discovering it was relatively simple (a race condition), but creating a working PoC was quite challenging, hence this post. You need a low-privileged user to exploit this vulnerability and gain RCE in Concrete CMS.
  • Independently secure, together not so much – a story of 2 WP plugins
    Recently we had to do a security assessment of a WordPress website. When dealing with a WordPress installation, the plugins are almost always the best target. We quickly enumerated the plugins using WPScan and then recreated the setup in our local environment for easier testing and debugging. We found 2 interesting plugins that support file uploads, which is always interesting functionality to abuse, so we will study them one by one.
  • Multiple vulnerabilities in cPanel/WHM
    cPanel is a web hosting control panel software developed by cPanel, LLC. It provides a graphical interface (GUI) and automation tools designed to simplify the process of hosting a website for the website owner, or “end user”. It enables administration through a standard web browser using a three-tier structure. While cPanel is limited to managing a single hosting account, cPanel & WHM allows administration of the entire server. Our team found multiple vulnerabilities in cPanel/WHM during a black-box pentest, the most important ones being an RCE and a privilege escalation via stored XSS.
  • FORTBRIDGE receives CREST accreditation for Penetration Testing services
    We are delighted to announce that FORTBRIDGE has received CREST accreditation as a Penetration Testing Provider. Our dedicated team has experience in a wide range of industries, having previously worked in top tech companies in the UK/EU & US, focusing on application security and cloud security from both an offensive and a defensive perspective. Thus, being a
  • Drupal insecure default leads to password reset poisoning
    What is Drupal? Drupal is a free and open-source web content management framework written in PHP. It provides a back-end framework for at least 13% of the top 10,000 websites worldwide – ranging from personal blogs to corporate, political, and government sites according to Wikipedia. For this test we used the latest version of Drupal with
  • Joomla password reset vulnerability and a stored XSS for full compromise
    Joomla is one of the most popular CMSs, with over 1.5 million installations worldwide. We pentested Joomla 3.9.24 and found a password reset vulnerability, which we chained with a set of further vulnerabilities and features to achieve full compromise of the underlying server.
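Several of the posts above (Concrete CMS part 2, Drupal, Joomla) concern password reset poisoning: a password reset link built from the request's Host header can be steered to a host the attacker controls, so the victim's one-time reset token is sent to the attacker when the link is clicked. The following is an added, generic illustration of the pattern and of a hardened builder that only honours an allowlisted host; it is not code from Drupal, Concrete CMS, Joomla or FORTBRIDGE, and the hosts, header dictionaries, token and function names are hypothetical.

```python
"""Password reset poisoning: reset links built from a client-controlled Host header.

Added example, not the code of any CMS discussed above. The request is modelled
as a plain dict of headers so the example runs offline.
"""
from urllib.parse import urlencode, urlparse

# Hypothetical deployment configuration: the hosts this site is legitimately
# served under. (Drupal's equivalent mechanism is trusted_host_patterns.)
TRUSTED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Insecure default: the absolute URL is derived from whatever Host
    (or X-Forwarded-Host) header the client supplied. An attacker who requests
    a reset for the victim's e-mail address while sending
    'Host: attacker.example' gets the victim's token delivered to
    attacker.example as soon as the victim clicks the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/user/reset?{urlencode({'token': token})}"


def normalise_host(raw: str) -> str:
    """Lower-case and strip an optional port so 'WWW.Example.com:443' matches.
    (Bracketed IPv6 literals are out of scope for this illustration.)"""
    return raw.split(":", 1)[0].strip().lower()


def host_is_trusted(headers: dict) -> bool:
    """Request-level check: should this request be served at all?"""
    return normalise_host(headers.get("Host", "")) in TRUSTED_HOSTS


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Only ever emit an allowlisted host, falling back to the canonical host
    rather than echoing client input. X-Forwarded-Host is ignored entirely;
    it should only be honoured behind a reverse proxy you control."""
    host = normalise_host(headers.get("Host", ""))
    if host not in TRUSTED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/user/reset?{urlencode({'token': token})}"


def token_leaks_to(link: str, attacker_host: str) -> bool:
    """Would following this link deliver the token to the attacker's server?"""
    return urlparse(link).hostname == attacker_host


if __name__ == "__main__":
    # Constructed request: the attacker triggers a reset for the victim's
    # account and overrides the Host header with a domain they control.
    poisoned_request = {"Host": "attacker.example"}
    token = "constructed-one-time-token"
    for builder in (build_reset_link_vulnerable, build_reset_link_hardened):
        link = builder(poisoned_request, token)
        print(f"{builder.__name__}: {link} "
              f"leaks={token_leaks_to(link, 'attacker.example')}")
```

The practitioner's check is simple: send a reset request for your own account with a modified Host (and X-Forwarded-Host) header and see which domain appears in the e-mailed link. If the application cannot be configured with a trusted-host allowlist, it should build absolute URLs from a configured base URL rather than from the request.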