The Exploit

Notes from the Front Lines of Penetration Testing

Category: Exploits

Discover expert insights on the latest exploits, penetration testing tactics, and real-world vulnerabilities to strengthen your cybersecurity defenses.
  • Exploiting GraphQL
    Exploiting GraphQL for Penetration Testing

    By

    bjager
    Exploiting GraphQL, a query language inspired by the structure & functionality of online data storage & collaboration platforms Meta, Instagram & Google Sheets.
    Read More
  • Log4 Exploit Walkthrough
    Log4j: How to Exploit and Test this Critical Vulnerability on Penetration Tests

    By

    Mark Puckett
    Raxis demonstrates how to obtain a remote shell on a target system during penetration tests using a Log4j open-source exploit available to all. (CVE-2021-44228)
    Read More
  • OPENSSL v3.0.x: Critical Threat Alert
    RAXIS THREAT ALERT: VULNERABILITY IN OPENSSL v3.0.x

    By

    Brad Herring
    In the cyberworld, news of a critical vulnerability affecting OpenSSL versions 3.0 – 3.0.6 will likely be the scariest part of Halloween ’22.
    Read More
  • CVE-2022-35739: PRTG Network Monitor Cascading Style Sheets (CSS) Injection
    CVE-2022-35739: PRTG Network Monitor Cascading Style Sheets (CSS) Injection

    By

    Raxis Research Team
    This CSS vulnerability, discovered by Raxis’ Matt Mathur, lies in a device’s properties and how they are verified and displayed within PRTG Network Monitor.
    Read More
  • CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References
    CVE-2022-26653 & CVE-2022-26777: ManageEngine Remote Access Plus Guest User Insecure Direct Object References

    By

    Raxis Research Team
    Raxis lead penetration tester Matt Dunn uncovers two more ManageEngine vulnerabilities (CVE-2022-26653 & CVE-2022-26777).
    Read More
  • CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)
    CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)

    By

    Raxis Research Team
    Matt Dunn discovers another ManageEngine Cross-Site Scripting vulnerability, this one in the Support Center Plus application.
    Read More
  • CVE-2022-25245: ManageEngine Asset Explorer Information Leakage
    CVE-2022-25245: ManageEngine Asset Explorer Information Leakage

    By

    Raxis Research Team
    Raxis lead penetration tester Matt Dunn discovers an information leakage vulnerability in ManageEngine’s Asset Explorer CVE-2022-25245
    Read More
  • Exploiting Dirty Pipe (CVE-2022-0847)
    Exploiting Dirty Pipe (CVE-2022-0847)

    By

    Andrew Trexler
    The Dirty Pipe vulnerability (CVE-2022-0847) allows any user to write to read-only files, including files that are owned by root, allowing privilege escalation.
    Read More
  • CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)
    CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)

    By

    Raxis Research Team
    Raxis’ Matt Dunn continues his prolific discovery of new CSS CVEs. This one affects ManageEngine AD SelfService Plus Stored Cross-Site Scripting.
    Read More
  • Submit Button
    Hackers See Opportunity Where You See Only a Button

    By

    Brad Herring
    In this post, Raxis VP Brad Herring explains how web proxy tools can turn even simple buttons and check-boxes into avenues for an attack.
    Read More
  • Cross-Site Scripting: Filter Evasion & Sideloading Payloads
    Cross-Site Scripting (XSS): Filter Evasion and Sideloading

    By

    Raxis Research Team
    In this second in a series, learn how to perform Cross-Site Scripting (XSS) attacks such as filter evasion and sideloading content.
    Read More
  • 2021 OWASP Top 10
    OWASP Top 10: Broken Access Control

    By

    Raxis Research Team
    In this blog post, Raxis lead penetration tester Mark Fabian discusses broken access control and why it’s the most prevalent issue among the OWASP Top 10.
    Read More