Post AQNPWYSlwECQI2a96e by admin@2br02b.online
 Post #AQNJtCUzARyd6X24OW by tek@freeradical.zone
       2022-12-07T20:58:33Z
       
       0 likes, 0 repeats
       
       Our pentest seems to be going pretty well, with lots of tester interactions like “can you please turn off such-and-such system which is automatically blocking me?”
       
 Post #AQNPWYSlwECQI2a96e by admin@2br02b.online
       2022-12-07T22:01:42Z
       
       0 likes, 0 repeats
       
       @tek Good to see someone is taking the time to pentest. I haven't done any serious pentesting yet, still fiddling around with basic vulnerability scans. Does your blog have updates on what you're doing with your instance?
       
 Post #AQNPasTPTxwzVcwRJA by admin@2br02b.online
       2022-12-07T22:02:29Z
       
       0 likes, 0 repeats
       
       @tek Good to see someone is taking the time to pentest. I haven't done any serious pentesting yet, still fiddling around with basic vulnerability scans and seeing how hard it is to break and fix. Does your blog have updates on what you're doing with your instance?
       
 Post #AQNQHKk4lnAbLUyuhM by tek@freeradical.zone
       2022-12-07T22:10:07Z
       
       0 likes, 0 repeats
       
       @admin Oh, sorry: "we" = "my employer", not my instance.
       
 Post #AQNTeP8isyg9VWCcgy by yojimbo@hackers.town
       2022-12-07T22:47:56Z
       
       0 likes, 0 repeats
       
       @tek I'm not convinced that turning off a blocking system is fair, unless you have explicitly asked for an evaluation of your defence-in-depth. Nothing better than a report from a pentester that details what they tried to do that failed. Not many testers will put that sort of content into their reports by default though; we always make sure to explicitly ask.
       
 Post #AQNUCVtyFcZgKEZCpk by tek@freeradical.zone
       2022-12-07T22:54:07Z
       
       0 likes, 0 repeats
       
       @yojimbo I've gone both ways. One hand: "hey, mind not using an ORM for a little while so I can test against SQL injection?" Other: it'd be good to know if rate limiting were *the only* thing saving us from disaster.
       
 Post #AQNUMucvB9BTu8YCJ6 by thegibson@hackers.town
       2022-12-07T22:49:16Z
       
       0 likes, 0 repeats
       
       @yojimbo @tek The number of panicked "Please ignore alerts from XXX-XXXXX." IS TOO DAMNED HIGH.
       
 Post #AQNUMv3VaIS3EazQkS by yojimbo@hackers.town
       2022-12-07T22:50:51Z
       
       0 likes, 0 repeats
       
       @thegibson @tek Yeah, "the service" is the code plus the environment, and if the environment doesn't permit an action, that counts as an effective control in my eyes. If you want to evaluate the code absent the environment (which isn't a bad idea), that should be an explicit and separate request/test.
       
 Post #AQNUMvU5zRicZ3QfBo by tek@freeradical.zone
       2022-12-07T22:55:57Z
       
       0 likes, 0 repeats
       
       @yojimbo @TheGibson I like that they're doing it, while still being ready to say "this item you found is something we should fix, but completely mitigated by those controls you had us turn off".
       
 Post #AQNUVS2kovAdrRhnW4 by tek@freeradical.zone
       2022-12-07T22:57:31Z
       
       0 likes, 0 repeats
       
       @yojimbo @TheGibson I mean, in this scenario we're paying them to find things we'll want to fix. This isn't a customer audit where we're trying to prove that all the controls work. I'm curious to see what's vulnerable if it didn't have external protections.