CloudBrute - Awesome Cloud Enumerator

A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike. The complete writeup is available. here Motivation we are always thinking of something we can automate to make black-box security testing easier. We…

View On WordPress

Detect Vulnerabilities Faster With Website Scanner

Website scanners play a crucial role in accelerating the detection of security vulnerabilities within web applications. AI-driven vulnerability management and pentesting solution, automate the entire scanning process, starting with mapping the website’s structure, including URLs, forms, scripts, and third-party components. They then simulate real-world attack techniques using predefined test cases, heuristics, and vulnerability databases to identify issues such as SQL injection, cross-site scripting (XSS), CSRF, insecure configurations, and outdated components.

Top Red Team Tools by Category

Cybersecurity professionals constantly need to stay ahead of potential threats. Red teaming, an exercise where security experts simulate real-world attacks to test an organisation’s defences, requires a specialised toolkit. This comprehensive guide examines the most effective top Red Team Tools by category currently available, categorised by their function in the attack lifecycle. Red teaming…

Why Vulnerability Scanner Tool is Essential?

Consistent use of vulnerability scanner tool enables organizations to uphold a robust security posture by continuously tracking new vulnerabilities and environmental changes. This proactive approach helps you stay ahead of potential threats and fosters a vigilant security mindset.

Are You Sure Your Mobile Apps are Secure?

Your mobile app is in the hands of thousands, maybe millions! Are you sure it’s secure? In today’s mobile-first world, your app is your brand. A single vulnerability can cost more than just data, it can cost trust. AutoSecT, a mobile pentest tool, empowers your team with next-gen mobile app security testing, blending automation, collaboration, and intelligence into one seamless experience.

Your Web App is Not A Grey Area: Importance of Web App Pentest

Apart from regular manual penetration testing, it is essential to use an automated VMDR tool equipped with vulnerability scanning and pentesting capabilities to ensure the holistic security of your web applications. AutoSecT is equipped with all the indispensable features that are needed in a modern web pentest tool to redefine web security, from identifying vulnerabilities in the source code to securing the final application.

Best Cloud Pentesting Tool in 2025 for Azure, AWS, GCP

AutoSecT offers a comprehensive and efficient approach to vulnerability management. It provides automated scanning and penetration testing across web, mobile, cloud, and API platforms, ensuring thorough coverage of potential security risks. With features like real-time vulnerability analysis, customizable reports, and seamless integration with CI/CD pipelines, AutoSecT helps organizations stay ahead of cyber threats.

poob has it for you.

didn't ubuntu fork their base from debian years ago to be their own, worse thing now? what about void? what about lfs? what about gentoo?

I am so tired of these distros identifying as "ubuntu" or "manjaro" or whatever the fuck. It doesn't matter how much you change, you will always have an Arch install or a Debain install.

anyone here heard of the flipper zero

i love this thang, it's a little pentester/hacking tool but it looks like one of those cheap petsim games from the 00's

I just love the little guy in it. I could be coerced to break into secure buildings if this guy told me to

Wshlient - A Simple Tool To Interact With Web Shells And Command Injection Vulnerabilities

Web Shell Client Description & Demo Wshlient is a web shell client designed to be pretty simple yet versatile. One just need to create a text file containing an HTTP request and inform where Wshlient inject the commands, then you can enjoy a shell. In the case the above video does not works for you: Installation Out of python’s included batteries Wshclient only uses requests. Just install it…

found this and couldn't reblog so I'm reposting

image id:

first image: two-part meme of joey from friends. first part is a picture of him smiling at something out of frame, captioned "The hotel's free WiFi is really fast". second part is him staring wide eyed in horror, captioned "Your IP address starts with 172.16.42.x".

second image: lain from the anime "serial experiments lain" sitting in a chair in a dim room, in front of a glowing computer screen, and smiling at the camera. the text boxes in the image say:

Hey, guys. Lain Iwakura here to explain the joke.

You see, when a computer like your laptop or smartphone connects to wifi, the router assigns it a "local IP address" to distinguish it from other machines on the network.

Most routers use IPv4 for this, where an IP address is four numbers separated by periods. The first two or three numbers of your local IP address are usually the same for all machines on the LAN, and the most common schemas for local IP addresses are 192.168.0.x or 10.0.0.x. Those are just common defaults - they can be set to anything in the router's configuration.

The address schema 172.16.42.x is not a common default for a normal router. It is the default for a device called a "WiFi Pineapple", which is a hacking tool primarily intended for "pentesting", i.e. finding exploitable vulnerabilities in a computing or networking system. The WiFi Pineapple acts as a router from the perspective of the computers on the local network, but a malicious actor can use it to passively scan those computers for vulnerabilities, and can even spy on network traffic going through it. Thus, the joke is that the person in the hotel, finding that their local IP address is under 172.16.42.x., realizes to their horror that the hotel's LAN has been pwned by a (likely malicious) rogue access point, possibly causing their computer to be cracked and their sensitive information to be stolen by cybercriminals. In light of this breach, their panic is understandable! Always keep your software up to date and never connect to a suspicious or unsecured wifi network!

/end id

Welcome to Danny’s Cyber Lab – Let’s Hack Responsibly!

Hey everyone, Danny here!

I’m a cybersecurity geek and ethical hacker on a mission to break things (the legal way) so they can be built stronger. Think of me as your friendly neighborhood hacker—except I work for the good guys.

What’s coming your way?

- Hands-on hacking tutorials (from noob to ninja)

- Real-world pentesting stories (with permission, of course)

- Security tools & tricks to level up your cyber skills

- Bug bounty tips & how I scored my first $$$ finding flaws

- Cyber news breakdowns (because threats evolve fast)

Why stick around?

Whether you’re just starting with Kali Linux or you’re a seasoned red teamer, let’s make hacking ethical and accessible. No gatekeeping—just knowledge.

Drop a comment: What’s the #1 thing you want to learn? (Password cracking? WiFi hacking? Social engineering? Let me know!)

P.S. First demo drops soon—I’ll show you how I found my first critical vulnerability. Hit follow so you don’t miss it!

Prevent Command Injection in Symfony: Secure Your Code

Symfony is a powerful PHP framework trusted by thousands of developers, but like any framework, it's not immune to security threats. One of the most dangerous—and often overlooked—threats is a Command Injection Attack.

In this blog post, we’ll break down what a command injection attack is, how it can be exploited in a Symfony application, and—most importantly—how to prevent it. We’ll also include code examples and offer you a Website Vulnerability Scanner online free to scan your website for vulnerabilities like this one.

➡️ Visit Our Blog for More Cybersecurity Posts: 🔗 https://www.pentesttesting.com/blog/

🧨 What is Command Injection?

Command Injection is a type of security vulnerability that allows attackers to execute arbitrary system commands on your server. If user input is improperly sanitized, attackers can exploit functions like exec(), system(), or shell_exec() in PHP.

This can lead to:

Data breaches

Server hijacking

Total application compromise

🐘 Symfony Command Injection Example

Let’s start with a naive Symfony controller that might fall victim to command injection.

❌ Vulnerable Symfony Code

// src/Controller/BackupController.php namespace App\Controller; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; class BackupController extends AbstractController { public function backupDatabase(Request $request): Response { $filename = $request->query->get('filename'); // ⚠️ Dangerous input $output = shell_exec("mysqldump -u root -psecret mydb > /backups/{$filename}"); return new Response("Backup created: $filename"); } }

If an attacker sets filename=backup.sql;rm -rf /, this code could delete your entire server. Yikes!

🔐 Secure It With Escaping & Whitelisting

Let’s see how we can secure this.

✅ Safe Symfony Version

public function backupDatabase(Request $request): Response { $filename = $request->query->get('filename'); // Sanitize the filename using a whitelist or regex if (!preg_match('/^[\w\-\.]+$/', $filename)) { return new Response("Invalid filename", 400); } $safePath = escapeshellarg("/backups/" . $filename); $output = shell_exec("mysqldump -u root - psecret mydb > $safePath"); return new Response("Backup created: $filename"); }

By using escapeshellarg() and validating the input, we reduce the risk significantly.

🛠️ Automate Detection with Our Free Tool

Want to check if your website is vulnerable to command injection and other critical flaws?

🎯 We’ve built a Free Website Vulnerability Scanner that checks for command injection, XSS, SQLi, and dozens of other issues—all in seconds.

🖼️ Screenshot of our Website Vulnerability Scanner:

Screenshot of the free tools webpage where you can access security assessment tools.

👉 Try it now: https://free.pentesttesting.com/

📋 Sample Output Report

Our scanner doesn’t just find issues—it gives you a detailed, developer-friendly report you can act on.

🖼️ Screenshot of a sample scan report from our tool to check Website Vulnerability:

An Example of a vulnerability assessment report generated with our free tool, providing insights into possible vulnerabilities.

💼 Need Help Fixing It? We've Got You Covered

🔐 Web App Penetration Testing Services If you're looking for expert-level help to secure your Symfony or PHP application, our team is ready to assist.

➡️ Learn more: https://www.pentesttesting.com/web-app-penetration-testing-services/

🤝 Are You a Tech Company or Agency?

We offer white-label cybersecurity services so you can resell pentesting to your clients without hiring a full team.

📦 Get the full service suite here: 🔗 https://www.pentesttesting.com/offer-cybersecurity-service-to-your-client/

💌 Stay Ahead of Threats—Subscribe Now!

Don’t miss future posts, case studies, and cybersecurity tips.

📬 Subscribe to our LinkedIn Newsletter

🔁 Final Thoughts

Command injection remains one of the most dangerous web application vulnerabilities. Symfony gives you the tools to secure your app—but only if you use them correctly.

Don’t wait until you’re hacked. Take 2 minutes to scan your website with our free Website Security Scanner tool.

📝 Originally written by the Pentest Testing Corp. team 📌 Visit our blog for more: https://www.pentesttesting.com/blog/

Move over, Cobalt Strike. Splinter’s the new post-exploit menace in town

Source: https://www.theregister.com/2024/09/23/splinter_red_team_tool/

More info: https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/