Security Audits: Objectives, Types and Methodologies

With cyberattacks on the rise, carrying out an IT security audit has never been a higher priority for businesses.

Web applications, mobile apps, APIs, cloud infrastructures, connected objects, networks and people – nothing is spared. As a result, security audits have become an essential tool for all types of business. Whether technical audits, organisational security audits or compliance audits, there are numerous solutions for securing an information system and countering risks.

Phishing: Methodology, Common Techniques and Tools

We can’t talk about social engineering without mentioning phishing. Similarly, email is essential when it comes to phishing. Although there are other social engineering techniques, such as vishing, and multiple phishing vectors, such as SMS (smishing), email remains the preferred tool of attackers.

In this article, we will present three tools commonly used to carry out phishing campaigns: Gophish, Evilginx and Evilgophish.

SAML: How it Works, Vulnerabilities and Common Attacks

Secure identity and access management has become a key challenge for organisations. Among the solutions available, Security Assertion Markup Language (SAML) has become an essential standard for single sign-on (SSO).

This XML-based protocol enables users to authenticate once and access multiple applications without having to log in again, simplifying the user experience. However, a poorly implemented SAML deployment can expose critical vulnerabilities that attackers are able to exploit.

Black Box Penetration Testing: Objective, Methodology and Use Cases

During a penetration test, we generally consider three test conditions: black, grey or white box.

These test conditions correspond to the levels of information provided to the pentesters in order to carry out a pentest on a specific target. While a white box pentest will consist of providing as much information as possible, during a black box penetration test, the pentesters will have no data on the test target.

Smishing (SMS phishing): How to Identify Attacks and Protect Yourself?

You will no doubt be familiar with phishing, which consists of sending malicious emails to encourage people to perform sensitive actions, such as entering their credentials on a fake authentication page.

Smishing is very similar, except that the attacker does not send emails, but text messages, hence the name smishing. Essentially, smishing is nothing more and nothing less than SMS phishing.

Penetration Testing: Methodology, Scope and Types of Pentests

With cybersecurity risks on the rise, it is becoming increasingly clear that carrying out a penetration test (pentest) is necessary to reassure customers, partners and investors.

Moreover, for companies involved in a certification process (ISO 27001, SOC2, HDS, PCI-DSS, etc.), a penetration test is an imperative. For others, it is an essential prerequisite for satisfying the requests for pentest reports made by their customers and prospects.

API Penetration Testing: Objective, Methodology, Black Box, Grey Box and White Box Tests

APIs are prime targets for attackers because of their exposure and critical nature, particularly in terms of handling sensitive data. To minimise the risk of security breaches, it is essential to implement robust security measures, understand the types of attack and assess their potential impact.

There are several ways of assessing the security of an API. In this article, we present the “offensive” approach, which we believe to be the most effective: API penetration testing (or API pentesting). We detail the principles and objectives, as well as use cases for black box, grey box and white box pentesting.