Bypassing WAFs Using Oversized Requests

By: BHIS
15 October 2025 at 10:00

Many web application firewalls (WAFs) can be bypassed by simply sending large amounts of extra data in the request body along with your payload. Most WAFs will only process requests up to a certain size limit. How the WAF is configured to handle these large requests determines exploitability, but some common WAFs will allow it by default.

The post Bypassing WAFs Using Oversized Requests appeared first on Black Hills Information Security, Inc..

Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot

By: BHIS
25 June 2025 at 10:00

In my journey to explore how I can use artificial intelligence to assist in penetration testing, I experimented with a security-focused chat bot created by Jason Haddix called Arcanum Cyber Security Bot (available on https://chatgpt.com/gpts). Jason engineered this bot to leverage up-to-date technical information related to application security and penetration testing.

The post Augmenting Penetration Testing Methodology with Artificial Intelligence – Part 3: Arcanum Cyber Security Bot appeared first on Black Hills Information Security, Inc..

What Is Penetration Testing?

By: BHIS
7 November 2024 at 10:00

In today’s world, security is more important than ever. As organizations increasingly rely on technology to drive business, digital threats are becoming more sophisticated, varied, and difficult to defend against. […]

The post What Is Penetration Testing? appeared first on Black Hills Information Security, Inc..

Start to Finish: Configuring an Android Phone for Pentesting

Jeff Barbi // *Guest Post Background Unless you’re pentesting mobile apps consistently, it’s easy for your methodologies to fall out of date. Each new version of Android brings with it […]

The post Start to Finish: Configuring an Android Phone for Pentesting appeared first on Black Hills Information Security, Inc..

What You Should Actually Learn From a Pentest Report

By: BHIS
27 January 2020 at 10:13

Dakota Nelson // Unknown Unknowns: So you’ve been pentested. Congrats! It might not feel like it, but this will eventually leave you more confident about your security, not less. The […]

The post What You Should Actually Learn From a Pentest Report appeared first on Black Hills Information Security, Inc..

DOs and DON’Ts of Pentest Report Writing

By: BHIS
23 August 2018 at 10:13

Melisa Wachs// The first day of school has started for your school-age kiddos. What better time to run through some of our basic reporting guidelines with y’all? Here is a […]

The post DOs and DON’Ts of Pentest Report Writing appeared first on Black Hills Information Security, Inc..

WEBCAST: Testing G Suites with MailSniper

By: BHIS
18 June 2018 at 09:47

Matthew Toussain// Join Matt Toussain as he talks about MailSniper, a tool written by our very own Beau Bullock. Wouldn’t you like to START your pen tests knowing every username […]

The post WEBCAST: Testing G Suites with MailSniper appeared first on Black Hills Information Security, Inc..

PODCAST: Attack Tactics Part 1

This is the audio-only version of John’s webcast about how we would attack your company during a pentest. Grab his slides here: https://blackhillsinformationsecurity.shootproof.com/gallery/6843799/

The post PODCAST: Attack Tactics Part 1 appeared first on Black Hills Information Security, Inc..

What to Expect from a Vulnerability Scan

By: BHIS
12 April 2018 at 11:53

Dakota Nelson// For a lot of our customers, their first introduction to pentesting is a vulnerability scan from BHIS. This is after talking to the testers, of course, and setting […]

The post What to Expect from a Vulnerability Scan appeared first on Black Hills Information Security, Inc..

New Toy Alert: A Quick Review of Keysy

By: BHIS
5 April 2018 at 11:47

Rick Wisser// Here at BHIS we are always on the lookout for new toys. Especially if we can use them during a pentest. As a pentester, we all have a […]

The post New Toy Alert: A Quick Review of Keysy appeared first on Black Hills Information Security, Inc..

Performing a Physical Pentest? Bring This!

By: BHIS
13 December 2017 at 11:12

Jordan Drysdale// Physical Pentest Upcoming? Bring a Badgy. While badge reproduction may not be the intended use of this product, if you are a physical tester and you don’t own […]

The post Performing a Physical Pentest? Bring This! appeared first on Black Hills Information Security, Inc..

WEBCAST: CredDefense Toolkit

By: BHIS
4 October 2017 at 10:16

Beau Bullock, Brian Fehrman, & Derek Banks // Pentesting organizations as your day-to-day job quickly reveals commonalities among environments. Although each test is a bit unique, there’s a typical path […]

The post WEBCAST: CredDefense Toolkit appeared first on Black Hills Information Security, Inc..
