

Episode 45: Our Most Common External Pen Test Findings
Jun 14, 2023
Tyler and Brad delve into the most frequent vulnerabilities found during external penetration tests. They unpack user enumeration issues on law firm websites and the risks of exposing personal information. The conversation shifts to cross-site scripting vulnerabilities, stressing the dangers of outdated web libraries. They also analyze security flaws in WordPress and the critical need for patch management. Finally, they highlight how implementing DMARC records can significantly bolster email security against attacks and domain misuse.
User Enumeration on Law Firms
- Law firms often list their lawyers' emails openly on their websites, enabling easy user enumeration.
- Personal info on sports pages can reveal answers to security questions, posing risks beyond exposure.
Cross-Site Scripting Risks Persist
- Cross-site scripting (XSS) remains common, often via outdated jQuery libraries, despite decades of awareness.
- XSS is usually part of a larger attack, enabling phishing and exploitation when combined with other vulnerabilities.
Patch Management Gaps Cause Risk
- Outdated components, such as jQuery libraries and WordPress plugins, point to poor patch management.
- Updating core software isn't enough if dependent components remain vulnerable.