Our best in class red team can deliver a holistic cyber attack simulation to provide a true evaluation of your organisation’s cyber resilience.
Leverage the team behind the industry-leading Web Application and Mobile Hacker’s Handbook series.
MDSec’s penetration testing team is trusted by companies from the world’s leading technology firms to global financial institutions.
Our certified team work with customers at all stages of the Incident Response lifecycle through our range of proactive and reactive services.
Oct 28th, 2024
Written by: Admin
All
Web Application Firewalls (WAFs) help to protect web applications by monitoring, filtering, and blocking HTTP traffic to and from a web service. However, WAFs are too often relied upon as…
Jun 28th, 2023
Written by: Admin
ActiveBreach
Overview During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure. As part of…
Oct 19th, 2022
Written by: Admin
ActiveBreach
Microsoft’s Office Online Server is the next generation of Office Web Apps Server; it provides a browser based viewer/editor for Word, PowerPoint, Excel and OneNote documents. The product can be…
Mar 29th, 2022
Written by: Admin
ActiveBreach
This blog post details several recently patched vulnerabilities in the Veeam Backup & Replication and Veeam Agent for Microsoft Windows. We’ll detail MDSec’s process for identifying these 1Day vulnerabilities, writing…
Sep 15th, 2021
Written by: Admin
ActiveBreach
As part of Microsoft Exchange April and May 2021 patch, several important vulnerabilities were fixed which could lead to code execution or e-mail hijacking. Any outdated and exposed Exchange server…
Oct 15th, 2020
Written by: Admin
ActiveBreach
In a recent red team engagement, we discovered a SharePoint instance that was vulnerable to CVE-2020-1147. I was asked to build a web shell without running any commands to avoid…
May 10th, 2020
Written by: Admin
All
Introduction Microsoft patched a number of deserialisation issues using the XPS files. Although the patch for CVE-2020-0605 was released in January 2020, it was incomplete and an additional update was released in…
May 10th, 2020
Written by: Admin
All
Introduction LaTeX is a document typesetting system that takes a plaintext file, stylised using mark-up tags similar to HTML or CSS, and converts this into a high-quality document for displaying…
Apr 10th, 2020
Written by: Admin
Exploitation
The YSoSerial.Net project has become the most popular tool when researching or exploiting deserialisation issues in .NET. We have recently invested some research time to improve this tool to help ourselves and…
Mar 10th, 2020
Written by: Admin
All
Introduction If you have worked with SharePoint, you have seen two types of ASPX pages: Application pages are not customisable. They are stored on the file system and are used…