Published inAppseccoA Pentester’s Approach to Kubernetes Security — Part 2This is the second of the two-part blog series. Part 1 is covered here —…Nov 16, 20231Nov 16, 20231
Published inAppseccoA Pentester’s Approach to Kubernetes Security — Part 1This is the first of a two-part blog series based on vulnerabilities we usually identify during Kubernetes Penetration Tests that we run…Nov 8, 2023Nov 8, 2023
Published inAppseccoHacking an AWS hosted Kubernetes backed product, and failingTales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that…Jun 2, 2022Jun 2, 2022
Published inkloudleCVE-2020–15257 What is it and how does it impact your Docker and Kubernetes environments?A new vulnerability named CVE-2020–15257 has been discovered in the networking namespace. Our blog covers the details.Feb 20, 2021Feb 20, 2021
Published inkloudleAre you sure you are not missing patching your clusters because of the new Docker hub limits?Docker announced new limits on image pulls from its Hub. We examine how it may impact your K8s operations.Feb 16, 2021Feb 16, 2021
Published inAppseccoZerologon (CVE-2020–1472) detection, patching and monitoringA quick post to describe CVE-2020–1472 a Critical flaw, christened as “Zerologon”, in Windows Domain controllers, along with exploitation…Sep 23, 2020Sep 23, 2020
Published inAppseccoFinding SSRF via HTML Injection inside a PDF file on AWS EC2Finding SSRF on app hosted on AWS EC2 allows for data theft from AWS account. Capital One lost 100M+ bank records due to an issue like…Apr 5, 20202Apr 5, 20202
Published inAppseccoAWS EC2 IMDSv2 versus an esoteric HTTP MethodOur investigation to see if the IMDSv2 can be attacked using the obscure X-HTTP-Method-Override HTTP header. The definitive answer is no.Jan 2, 2020Jan 2, 2020
Published inAppseccoServer Side Request Forgery (SSRF) and AWS EC2 instances after Instance Meta Data Service version…A short blogpost about the how introduction of IMDSv2 affects SSRF attempts on AWS EC2 instances, especially when attempting to retrieve…Dec 6, 20194Dec 6, 20194
Published inAppseccoSecurity Analysis of LastPass credential leak — By bypassing do_popupregister()This blogpost is about a recently disclosed security issue with the LastPass browser extension discovered by Tavis Ormandy from the Google…Sep 18, 2019Sep 18, 2019