The Exploit

Notes from the Front Lines of Penetration Testing

Category: Exploits

Discover expert insights on the latest exploits, penetration testing tactics, and real-world vulnerabilities to strengthen your cybersecurity defenses.
  • How to Create an Active Directory Test Environment
    How to Create an AD Test Environment to Use for Penetration Testing

    By

    Andrew Trexler
    Andrew Trexler walks us through creating a simple AD test environment to test new hacks before trying them on a penetration test.
    Read More
  • Exploiting GraphQL
    Exploiting GraphQL for Penetration Testing

    By

    bjager
    Exploiting GraphQL, a query language inspired by the structure & functionality of online data storage & collaboration platforms Meta, Instagram & Google Sheets.
    Read More
  • Log4 Exploit Walkthrough
    Log4j: How to Exploit and Test this Critical Vulnerability on Penetration Tests

    By

    Mark Puckett
    Raxis demonstrates how to obtain a remote shell on a target system during penetration tests using a Log4j open-source exploit available to all. (CVE-2021-44228)
    Read More
  • OPENSSL v3.0.x: Critical Threat Alert
    RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x

    By

    Brad Herring
    In the cyberworld, news of a critical vulnerability affecting OpenSSL versions 3.0 – 3.0.6 will likely be the scariest part of Halloween ’22.
    Read More
  • CVE-2022-35739: PRTG Network Monitor Cascading Style Sheets (CSS) Injection
    CVE-2022-35739: PRTG Network Monitor Cascading Style Sheets (CSS) Injection

    By

    Raxis Research Team
    This CSS vulnerability, discovered by Raxis’ Matt Mathur, lies in a device’s properties and how they are verified and displayed within PRTG Network Monitor.
    Read More
  • CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References
    CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References

    By

    Raxis Research Team
    Raxis lead penetration tester Matt Dunn uncovers two more ManageEngine vulnerabilities (CVE-2022-26653 & CVE-2022-26777).
    Read More
  • CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)
    CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)

    By

    Raxis Research Team
    Matt Dunn discovers another ManageEngine Cross-Site Scripting vulnerability, this one in the Support Center Plus application.
    Read More
  • CVE-2022-25245: ManageEngine Asset Explorer Information Leakage
    CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

    By

    Raxis Research Team
    Raxis lead penetration tester Matt Dunn discovers an information leakage vulnerability in ManageEngine’s Asset Explorer CVE-2022-25245
    Read More
  • Exploiting Dirty Pipe (CVE-2022-0847)
    Exploiting Dirty Pipe (CVE-2022-0847)

    By

    Andrew Trexler
    The Dirty Pipe vulnerability (CVE-2022-0847) allows any user to write to read-only files, including files that are owned by root, allowing privilege escalation.
    Read More
  • CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)
    CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)

    By

    Raxis Research Team
    Raxis’ Matt Dunn continues his prolific discovery of new CSS CVEs. This one affects ManageEngine AD SelfService Plus Stored Cross-Site Scripting.
    Read More
  • Submit Button
    Hackers See Opportunity Where You See Only a Button

    By

    Brad Herring
    In this post, Raxis VP Brad Herring explains how web proxy tools can turn even simple buttons and check-boxes into avenues for an attack.
    Read More
  • Cross-Site Scripting: Filter Evasion & Sideloading Payloads
    Cross-Site Scripting (XSS): Filter Evasion and Sideloading

    By

    Raxis Research Team
    In this second in a series, learn how to perform Cross-Site Scripting (XSS) attacks such as filter evasion and sideloading content.
    Read More