January 20, 2025

Purple Teaming: What Not to Do in OT & IoT Testing to Avoid Halting the Factory or Sinking the Oil Rig

Umair Ahmed, a Senior Security Engineer at HelloFresh, shares insights on pen-testing operational and IoT systems, emphasizing the importance of preparation, threat modeling, stakeholder alignment, and execution. He highlights the need for careful examination of systems to mitigate risks and ensure compliance while providing best practices for effective testing. Post-engagement, thorough reporting and follow-ups are essential for continuous improvement and vulnerability management.

October 22, 2024

From Staging to Full Admin Control In Prod: A Breakdown of Critical Authentication Flaws

In this blog, I explore a real-world case of an Admin Panel Takeover caused by broken authentication and insecure configurations. By exploiting a misconfigured JWT token from a staging environment, full administrative access was gained to a production system, exposing sensitive user data and critical application controls. This case study emphasizes the dangers of default credentials, unsecured staging environments, and improperly scoped tokens, providing key lessons in security hygiene and best practices to prevent such vulnerabilities.

June 28, 2024

Finding Hidden Threats: How I Found Leaked AWS Credentials in an Android App API Using DAST

Found a critical vulnerability involving leaked AWS credentials within an Android App API during a bug bounty hunt. by utilizing Dynamic Application Security Testing (DAST) and the Mobile Security Framework (MobSF) to uncover the vulnerability. This blog post provides a step-by-step guide for newcomers to set up their own testing environments and utilize MobSF.