Blogs & Articles
Cybersecurity News, Latest Vulnerabilities, Hacking Tutorials
Understanding, Detecting, and Exploiting SSRF
The rapidly evolving world of cybersecurity brings with it an ever-expanding catalogue of threats. One such vulnerability, which has been gaining traction recently in the API space, is Server-Side Request Forgery (SSRF). Though it's not a new concept, SSRF has emerged...
Start your Journey with Bug Bounty
Bug bounty programs have been a popular phenomenon in the tech industry for the last decade or so. They're an opportunity for anyone to identify vulnerabilities in a company's software or infrastructure and get rewarded for their discoveries. But, how do you get...
Understanding and Finding Open Redirects
An Open Redirect is a vulnerability in a web application that allows an attacker to redirect a user to an arbitrary website. At first glance, this might not seem harmful, but with a malicious intent, it can be used as part of phishing attacks, malware distribution, or...
Local File Inclusion: A Practical Guide
Local File Inclusion (LFI) is a vulnerability that allows an attacker to read files from a server they should not have access to. This can lead to the exposure of sensitive information and often enables the attacker to progress further towards their goals. It’s...
Should a Company Provide Credentials for Their Penetration Test?
On occasion, we get clients who are concerned about some of the stereotypes that they may read about or hear when it comes to a penetration test. While a penetration test may be us attacking your infrastructure, we are not your adversaries. Your company made the...
Secure Web Development Part 1: Common Mistakes
Web development is a dynamic landscape that's constantly evolving with new technologies, trends, and security threats. Unfortunately, the crucial aspect of web security is often overlooked. There are many reasons for this, and they vary from team to team and...
API Discovery with Kiterunner
Content discovery is often focussed on finding files and folders. However, modern applications no longer conform to this hierarchical approach, especially applications that use APIs. Kiterunner is a tool that can be used to discover routes and endpoints used in...
Encoding and Decoding Primer
When testing web applications, the understanding and use of various encoding schemes is a fundamental skill. In particular, we often see Base64, URL encoding, and HTML encoding used across many applications both as part of the application’s general functionality and...
BFLA: Broken Function Level Authorization
Application Programming Interfaces (APIs) are at the heart of modern applications, enabling functionality, communication and acting as a bridge between different software components. A common issue, though, is Broken Function Level Authorization (BFLA), and...
The Best Apps for Keeping Notes: Pros & Cons
What is the best note-taking application for pentesters? It’s a hot debate, and if you prefer to watch rather than read, we recently compared many of the popular options in this video (https://www.youtube.com/watch?v=KpX7v5Ym3wg). Otherwise, let’s take a look at what...