Blog posts
Deep dives into vulnerabilities we discover, offensive security techniques we develop, and insights from the front lines of enterprise security research.

Credential Harvesting via Check Point SmartConsole CVE-2024-24915
CVE-2024-24915 is an insecure credential storage flaw in Check Point SmartConsole (R81.20) that leaves user credentials in plaintext memory.
Red teaming
Vulnerability research
Windows
Karol Mazurek
February 12, 2026
3 min read • Aug 4, 2025

Java RMI for pentesters: structure, recon and communication (non-JMX Registries).
Welcome to the comprehensive guide on Java Remote Method Invocation (RMI) tailored for penetration testers. This article aims to demystify RMI interfaces encountered during infrastructure penetration testing. Due to the depth of this topic, we’ve divided it into two parts. In this initial section, we’ll provide a concise overview of RMI interfaces, demonstrate how to create one for testing purposes, and guide you through the manual construction of an RMI Client to invoke remote methods.
Web
Infrastructure
AFINE
February 12, 2026
13 min read • Sep 27, 2020
SQL Injection in the Age of ORM: Risks, Mitigations, and Best Practices
This article explains how SQL injection vulnerabilities can still occur in applications using modern ORM frameworks. It describes how to identify insecure patterns and write safer code, providing practical examples to illustrate common pitfalls and secure practices.
Secure coding
Web
Sławomir Zakrzewski
February 13, 2026
10 min read • Apr 28, 2025

To Allow or Not to get-task-allow: macOS Security Analysis
This article examines how the misconfigured get-task-allow entitlement in macOS apps enables code injection and TCC bypass. It builds on large-scale testing of notarized applications and highlights the risks of weakened security boundaries.
Apple
Binary exploitation
MacOS
Vulnerability research
Karol Mazurek
February 13, 2026
5 min read • Sep 2, 2025

Phrack Magazine: Forty Years of Hacking
From phreaking roots to cutting-edge research, Phrack has always been a space where hackers teach hackers. Forty years on, the mission hasn’t changed—it’s only grown stronger. This article dives into Phrack Magazine’s remarkable journey and its milestone 40th anniversary. From its beginnings in the 80s underground to its global presence today, we’ll look at how Phrack shaped hacker culture, what the latest issue means for the community, and how contributors—past and present—continue to keep the signal alive.
IOS
MacOS
Vulnerability research
Web
Karol Mazurek
February 12, 2026
3 min read • Sep 22, 2025

Desktop Application Security Standard: Introducing DASVS
Desktop application security lacked unified standards—until now. DASVS provides a structured approach to securing Windows, macOS, and Linux applications with clear verification levels and technical security controls.
Our roadmap includes the Desktop Application Security Testing Guide (DASTG) and an automated security assessment tool. Join the community and help shape the future of desktop security!
Linux
MacOS
Vulnerability research
Windows
Paweł Woyke
February 13, 2026
5 min read • Oct 14, 2025

Desktop Application Security Testing Checklist 2025
Are you testing desktop app security and need to know what process to follow? That’s what this desktop application security testing checklist is for. Desktop applications are fundamentally different from web and mobile apps – and those differences create unique security challenges. Web applications run mostly server-side, behind your firewalls and security controls. The browser […]
Linux
MacOS
Vulnerability research
Windows
Paweł Woyke
February 13, 2026
8 min read • Nov 21, 2025

Thick Client Penetration Testing Guide 2025
Thick-client penetration testing is a critical gap in most enterprise security programs. Banking software, trading platforms, healthcare systems, and manufacturing tools – these desktop applications handle your organization’s most sensitive data and critical operations. But when was the last time you actually tested their security? If you’re relying on the same penetration testing approach you […]
Linux
MacOS
Vulnerability research
Windows
Paweł Woyke
February 13, 2026
10 min read • Nov 23, 2025

SAP GUI Scripting with Python: Automating Security Tests Using Windows API
SAP GUI scripting automation guide: Python + Windows API for security testing. Includes practical examples of transaction validation and control extraction for penetration testers.
SAP
Vulnerability research
Windows
Michał Majchrowicz
February 12, 2026
6 min read • Mar 20, 2025

Invoker – Automating Pentesting Tools in Burp Suite (Example with dosfiner)
Invoker is a Burp Suite extension that automates external tools like dosfiner, sqlmap, nuclei, or ffuf, bridging the gap between captured requests and CLI commands.
Infrastructure
Linux
Vulnerability research
Web
Paweł Zdunek
February 13, 2026
7 min read • Mar 27, 2025
Monthly Security Report
Subscribe to our Enterprise Security Report. Every month, we share what we're discovering in enterprise software, what vulnerabilities you should watch for, and the security trends we're seeing from our offensive security work.
