Your Schema is Showing

Your Schema is Showing


Here’s a look at the results from our recent effort analyzing GraphQL API endpoints across the web, and the percentage of those endpoints that allowed an unauthenticated user to view the query & data schema. The intent of this article is to address the implications of allowing this schema to be retrieved, similar technologies that allow access to their schema, what can be done about it, and the trend of those who have prevented such a disclosure.

(more…)

Building a Security Testing Business

Building a Security Testing Business


I am often asked, “How did you get started with your security testing business?” “What are some lessons learned?” “What are your current challenges?” I have been asked enough times that I decided to post my thoughts in blog format.

(more…)

HTTP Response Headers

HTTP Response Headers


While preparing for a monthly Lunch-and-Learn lesson for a client, I wanted to collect various examples of good, bad, faulty, and missing HTTP response headers. As is typical, I went a little overboard and collected all of the headers for the top one million websites. This article will describe some interesting findings and the raw data collected, as well as provide other researchers with the script created and used.

(more…)

MFA Implementation Attacks

MFA Implementation Attacks


Most Multi-Factor-Authentication (MFA) implementations do not protect your password from brute forcing or from account level DoS attacks. This article will demonstrate various attacks that exploit weaknesses found in nearly every industry Identity and Access Management (IAM) provider/solution as well as offer solutions on how to mitigate.

(more…)

Coronavirus

Coronavirus


The Coronavirus outbreak should be taken for what it is, an outbreak that deserves our attention and precautionary measures, but not panic.

(more…)

MFA – Without the FUD

MFA – Without the FUD


Ditch SMS-based MFA now – it’s no better than single factor authentication!

Have you seen headlines similar to this recently? A tip: Follow the money. The majority of those articles are paid advertisements for a hardware or software based MFA solution. Here’s an non-vendor biased opinion from the perspective of an attacker who has contended with MFA for many years.

(more…)

Paired Visitor/Escort Proximity Badges

Paired Visitor/Escort Proximity Badges


How confident are you that visitors within your organization are constantly supervised by an employee? How often does an employee fail to properly hand off their escort duties to another employee?

This is a solution we came up in response to a recent physical Social Engineering Assessment we preformed for a client. It is an all too common mistake in need of a solution. Our hope is this article will help us locate a provider of this (or similar) solution or spur a provider to create this solution.

(more…)

© PEN Consultants, LLC 2013 -