What does an ethical hacker do? – And why it is a business question Spoiler: an ethical hacker – aka pentester – is not sitting in a dark basement wearing a black hoodie. Even if Hollywood has done a remarkably good job convincing us otherwise. So what does an ethical...
Clickjacking: When a click doesn’t mean what you think In the world of web security, many attacks rely on complex exploits, vulnerable code or poorly configured systems, but clickjacking belongs to a very different category. Here, the attacker’s goal is not to break...
Password policy explained: What makes a good password? Passwords remain the most widely used authentication mechanism in the digital world. That’s why the “good password” is kinda treated as the Holy Grail. Banking applications, enterprise systems, cloud platforms,...
A 20-year-old hacker identified a security flaw in the online booking systems of Spanish luxury hotels and managed to reserve rooms and premium apartments for just 1 cent each. The largest single loss exceeded €4,000, while the cumulative damage reportedly reached...
A poorly configured cookie is often the quiet enabler behind session hijacking, account takeover and cross-site attacks. Not because cookies are inherently insecure, but because their security controls are left at default settings. XSS protection and CSRF mitigation...
Port scanning: Why should you knock on every door? You may think port scanning requires no more expertise than reading a water meter. Port scanning is regularly the foundation of internet hygiene, so it definitely does. Port scanning is checking whether you locked the...
The Silence Before the Attack: The role of passive OSINT reconnaissance in pentesting A single domain, a few skilled analysts and passive OSINT reconnaissance can already be enough to outline an organisation’s digital exposure. We are not talking about exploits or...
Data Protection Day is observed every year on 28 January, marking the date on which the Council of Europe adopted Convention 108, the first international treaty on data protection. The purpose of the day is not to overwhelm people with legal jargon, but to help data...
A common question in web application tests is whether it is necessary to scan the admin interface. Users with an average level of rights can't log in anyway, so you can't expect a threat from that direction. But is that really so?Are we in danger?The admin...
The non-profit Open Web Application Security Project (OWASP) is a foundation which works to improve software security. It was launched on December 1, 2001 and since then it has been helping developers continuously with free guides and resources.WSTG 4.1, of courseThe...
