Pentest Chronicles

If you’re interested in the world of cybersecurity, the related technical issues, and what’s challenging right now, you’re in the right place! This part talks about IT security more broadly and has the latest information, tips, and advice.

Latest insight

Credentials exposure in tinycontrol devices

Paweł Różański

23 March, 2026

It seemed to be a usual LAN test, but the network contained some non-typical devices. One of them was an IoT device (LAN controller), which looked interesting. It had separate admin and user accounts. The user had only read-only permissions, but a default password. The password for the admin was changed from the default one. We decided to check if there is a possibility to perform command injection or read sensitive files. Instead, I found something more interesting: during the opening of the login page by an unauthorized user, the file login.json was fetched from the device.

READ article

Other articles

(Not) Easy authorization

Jacek Siwek

14 March, 2025

Vulnerabilities from the broken access control group according to OWASP TOP TEN 2021 are among the most common in web applications. They give users with lower privileges the ability to, among other things, access data or functions that are not intended for such a role. It also happens that an ordinary user can use functionalities belonging to the administrator, which can also lead to privilege escalation. Sometimes, these vulnerabilities are unusual in nature because they are not always related to flaws in the application logic... In such cases, testing should also include more complex scenarios that go beyond the classic approach.

READ article

Breaking license validation in a desktop application – how business logic flaw can enable unauthorized activations

Piotr Ćwikliński

07 March, 2025

During one of my security audits, I discovered a business logic flaw in the license verification process of a macOS desktop application. This flaw made it possible for an ordinary user with basic hacking skills to bypass restrictions and activate the software on multiple devices, even though the license was meant for just one machine. The issue was caused by insufficient server-side validation. While some parameters and their values in the activation request were correctly validated, others were either ignored or not used at all for verification.

READ article

Possible Misconfigurations in Active Directory – Security Audit Findings

Jarosław Kamiński

28 February, 2025

Active Directory (AD) is a critical component of IT infrastructure, serving as the backbone for user authentication, access control, and identity management within an organization. However, misconfigurations and weak security controls in AD can expose an environment to severe risks, including privilege escalation, unauthorized access, and even full domain compromise.

READ article

How Secure Are Your Application Secrets? Lessons from Years of Real-World Penetration Tests

Mateusz Lewczak

21 February, 2025

In the context of web applications, 'secrets' refer to sensitive data used to secure communication, authenticate users, or access restricted resources. These are critical pieces of information that must be protected to maintain the security and integrity of the application. First and foremost, it's important to acknowledge that the secure storage of secrets in applications is still an unresolved challenge. Many developers find this aspect unclear or challenging.

READ article

Vishing – How It Works and Why It's So Effective: Insights from Commercial Social Engineering Tests

Jacek Siwek

14 February, 2025

Vishing is a type of social engineering attack in which scammers call their victims, pretending to be trusted individuals or institutions (such as IT departments, banks, or service providers) to extract confidential information or manipulate them into performing specific actions. While the conversation may seem harmless, it can lead to the disclosure of login credentials to company systems or even the execution of malicious software.

READ article

From temporary solutions to insecure security practices.

Adam Borczyk

06 February, 2025

When auditing security posture of our clients' Azure and Entra ID infrastructures, we always verify what are the current Multi-Factor Authentication (MFA) rules and policies. We check what does the Conditional Access enforce, who is covered by which policy and what are the exclusions, if any.

READ article

The Hidden Danger in PDFs: How Misconfigurations Can Expose Sensitive Data?

Patryk Bogdan

28 January, 2025

Recent security audit revealed a critical vulnerability in the way WeasyPrint processes user-provided data for generating invoices in PDF format. The issue occurs because of insufficient input validation, allowing attackers to inject malicious HTML tags that are rendered within the generated PDF. This flaw opens the door to extracting sensitive files from the application's infrastructure or querying remote resources, posing significant security risks.

READ article

Ex-Employee Private Code Repository Accounts: A Breach Waiting to Happen?

Adam Borczyk

22 January, 2025

A recent application audit revealed several concerns regarding source code management practices. The most significant finding involves the storage of code in a private GitHub repository that remains tied to a former employee's account. This configuration poses potential risks to code access and management.

READ article

From SPI Sniffing to Keys: Extracting Clevis/BitLocker Secrets from TPM Traffic #HardwareHacking

Mateusz Lewczak

10 January, 2025

In September 2024, a real-world penetration test was conducted to assess the security of a laptop using LUKS disk encryption on Linux, with Clevis facilitating automatic disk unlocking. The tested device relied on a TPM (Trusted Platform Module) to secure the decryption key used by Clevis. The focus of the test was to explore potential vulnerabilities to SPI Sniffing attacks.

READ article

Featured articles

Two new CVEs: FooGallery's WordPress plugin

Robert Kruczek

05 July 2024

During some happy hunting, I found two XSS vulnerabilities in the FooGallery WordPress plugin (version 2.4.14), which made 50k instances vulnerable on the day of discovery! These can allow attackers to execute malicious code and gain unauthorized access to administrative functionalities. Below is a detailed explanation of these vulnerabilities and how they can be exploited.

READ article

XSS in WordPress via open embed auto discovery

JAKUB ŻOCZEK

29 May 2023

Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires patient searching.

READ article

A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?