Cyberis Blog

Reassuringly clear thinking.

  • Penetration testing
  • Tools and techniques

XSS is more than just <script>

Recently, we were examining an application that was protected by Cloudflare. We found a code injection point in a search field parameter where it was possible to introduce data of our choosing which looked like a good candidate for reflected cross-site scripting. With the protection afforded by control layers in place, however, demonstrating a credible proof-of-concept meant using alternative methods. 

Read more
  • Penetration testing
  • Tools and techniques

Sticky Keys - classic EUD device privilege escalation

Sticky Keys is an accessibility feature within Windows that assists users who have physical disabilities. Instead of having to press multiple keys at once, you can use one key by turning on Sticky Keys and adjusting the settings. However, the feature can be manipulated to elevate your local privileges. Now this technique is not new and has been around since the days of Windows XP but is still relevant if you have physical access to a device.

Read more
  • Cloud risk management
  • Research
  • Tools and techniques

Intune hacking: when is a "wipe" not a wipe

In this blog post we explore privilege escalation to SYSTEM with Intune managed devices, and how an Intune "Wipe" is not really a wipe at all.

Read more
  • News

Cyberis sponsors Cyber Scheme

Cyberis is pleased to be a sponsor of Cyber Scheme, a not-for-profit organisation providing examinations and training to develop the next generation of cyber security professionals.

Read more
  • Penetration testing

The password is dead.  Long live the password...

Passwords are bad.  We've known passwords are bad for decades, but the truth is that they're unlikely to go away for a very long time, even though we know all about their flaws. 

Read more
  • Detect and respond

The Software Supply Chain

There are many different ways in which supply chain attacks can impact your cyber security resilience.  We all appreciate that third-party service providers may have access to physical premises, or to technical infrastructure, and that a compromise of these providers can grant that access to an attacker.  If you have smaller, or less-mature, suppliers in your supply chain, we know that they may have immature information security practices.  Because we think about these areas a lot, most businesses have pretty mature processes aimed at managing these risks in their supply chains.   One area where we often see weakness in our customers, however, is in management of the software inventory and their software supply chain.

Read more
  • Penetration testing

Cyber security challenges facing schools

We all want our schools and educational institutions to be secure.  We all want to ensure that our children can learn and thrive in a safe environment, and that we keep their data protected from those who might misuse it.  Schools are under attack, though – almost constantly – from increasingly organised and sophisticated criminal gangs.

Read more
  • Penetration testing

Application testing and the OWASP Top 10

Quite often, a customer will ask us to "test our application against the OWASP Top 10". I'm going to start by saying that the OWASP Top 10 is a wonderful tool which has helped improve web application security globally since it first launched. But although it’s a common request to test applications against it, I think it's helpful to explain why it might not give you the security outcomes you want from a web application penetration test.

Read more

Improve your security

Our experienced team will identify and address your most critical information security concerns.

Contact us About Cyberis