Serverless Authentication FTW

Many applications you find on GitHub that can be used for one-off tasks or for simple automation don’t have built-in authentication. Typically, I just run it on localhost and port forward, or just run the application locally. This can be a pain and doesn’t scale very well. With...

Synthesis Of Vectors

If you are only as strong as your weakest link, don’t let that weak link be your detection and response capabilities. There will always be multiple gaps in each layer of your defense in depth model. Make sure finding those gaps takes longer than your detection and response times. Visualizing...

Phishing with SAML and SSO Providers

Phishing is getting harder. Email firewalls, user training and a host of endpoint controls are making phishing something that many Red Teams no longer perform. Instead, many Red Teams are using something called Assume Breach or White Carding, which allows the Red Team to skip certain portions of the initial...

Violating Your Personal Space with Webex

Some time ago Karl Fosaaen with NetSPI came out with some pretty interesting research around Federated Services and Skype for Business. One of the attack vectors was being able to access other companies’ address books and send them direct Skype for Business messages, including all the features that Skype for...