Today I want to show you a demo that I recorded on how you can use the amazing tool Evilginx2 (by Kuba Gretzky) to bypass Multi-Factor Authentication (MFA). In the demo I used Evilginx on a live Microsoft 365/Office 365 environment but It can be used on almost any site that doesn’t use a more […] The post how to use Evilginx2 to grab session tokens and bypass Multi-factor authentication first appeared on TzuSec.com.| TzuSec.com
La ricerca del miglior sistema di backup può non essere facile, ed è strettamente dipendente dalle singole necessità e priorità. Ecco alcuni consigli ed esperienze.| Stefano Marinelli's Blog
This is a blog post by Erik Szinai, who worked with us as an intern during the last couple of months. We hope our readers will find his contribution to the Burp Suite ecosystem useful!| Silent Signal Techblog
Many of the web application tests we conducted had a registration form in the scope. In such cases, there’s usually a field that needs to be unique for each invocation, sometimes called username, in other cases, the e-mail address is used as such. However, launching the Scanner or Intruder of Burp Suite or a similar tool will send the same username over and over again, resulting in possible false negatives. We faced this problem long enough that we came up with a solution for it, and now yo...| Silent Signal Techblog
When faced with the problem of identifying entities, most people reach for incremental IDs. Since this requires a central actor to avoid duplicates and can be easily guessed, many solutions depend on UUIDs or GUIDs (universally / globally unique identifiers). However, although being unique solves the first problem, it doesn’t necessarily cover the second. We’ll present our new solution for detecting such issues in web projects in the form of an extension for Burp Suite Pro below.| Silent Signal Techblog
It’s been a steady trend that most of our pentest projects revolve around web applications and/or involve database backends. The former part is usually made much easier by Burp Suite, which has a built-in scanner capable of identifying (among others) injections regarding latter. However, detection is only half of the work needed to be done; a good pentester will use a SQL injection or similar database-related security hole to widen the coverage of the test (obviously within the project scop...| Silent Signal Techblog
Testing a website is usually considered just another day at work, Burp Suite is usually the tool of our choice for automating some of the scans that apply in this field. Assessing the authenticated part of the site is also common, and since Burp can be used as an HTTP proxy, it can capture our session tokens (usually HTTP cookies) and perform scans just like we’d do as humans. This token is usually remain unchanged over the time of the session, and the session itself is kept alive by the sc...| Silent Signal Techblog
I have already dealt with the problem of performing a correct backup. This time I will give you some insights into how I make backups and how I am able to guarantee a certain level of security.| IT Notes