Blogs & Articles
Cybersecurity News, Latest Vulnerabilities, Hacking Tutorials
Find and Exploit Server-Side Template Injection (SSTI)
Server-Side Template Injection (SSTI) is an attack that allows an attacker to inject malicious input into a templating engine, leading to code execution on the server. While this vulnerability can be quite impactful, understanding and exploiting it requires a good...
Find and Exploit Blind SSRF with Out-of-Band (OOB) Techniques
Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker make a server issue requests on their behalf. Typically this allows the attacker to reach internal resources that would otherwise be unavailable. Whilst the typical SSRF is dangerous...
Understanding and Hacking GraphQL: Part 1
GraphQL, a query language for your API and a server-side runtime for executing those queries, is rapidly becoming a prevalent technology in modern web applications. This technology, developed by Facebook in 2012 and released as an open-source project in 2015, provides...
XPath Injection: A Beginner's Guide
XPath Injection, akin to other common injection attacks, targets weaknesses in how an application processes user input. What sets XPath Injection apart is its abuse of XPath queries. The fallout? Unauthorized access to...
Do I Need to Learn Linux?
Learning Linux can be valuable for individuals who want to become ethical hackers or offensive security specialists. Find out why Linux is good to learn.
Understanding, Detecting, and Exploiting SSRF
SSRF has emerged as a significant threat to web security. We discuss how to identify it, verify its presence, and responsibly exploit it for security testing.
Start your Journey with Bug Bounty
Bug bounty programs are an opportunity for anyone to identify vulnerabilities in a company’s software or infrastructure and get rewarded for their discoveries.
Understanding and Finding Open Redirects
An Open Redirect is a vulnerability in a web application that allows an attacker to redirect a user to an arbitrary website. At first glance, this might not seem harmful, but with a malicious intent, it can be used as part of phishing attacks, malware distribution, or...
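As an added example (not code from the article or from TCM Security), the check below shows what "arbitrary website" means in practice: a redirect parameter is only safe when it resolves to a path on the application's own host. The validator uses only the Python standard library; the host name, the sample `next` values and the helper names are all assumptions made for this illustration. It covers the bypasses a tester would try first: protocol-relative `//evil.com`, backslash variants that browsers normalise to slashes, percent-encoded slashes, `javascript:` URIs and plain absolute URLs.

```python
from urllib.parse import unquote, urljoin, urlparse

# Hypothetical application host used as the base for resolving redirect targets.
ALLOWED_HOST = "app.example.com"


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Return True only if `target` is a site-relative path on `allowed_host`.

    Rejects absolute URLs, protocol-relative URLs (//host), backslash and
    control-character tricks, and percent-encoded variants of the above.
    """
    if not target:
        return False

    # Decode once so "%2f%2fevil.com" is judged as "//evil.com" (frameworks
    # frequently decode the parameter before the redirect is built).
    decoded = unquote(target)

    # Browsers treat "\" as "/" and strip some control characters, so
    # "/\evil.com" and "/\t/evil.com" both end up as "//evil.com".
    if "\\" in decoded or any(ord(ch) < 0x20 for ch in decoded):
        return False

    parsed = urlparse(decoded)
    if parsed.scheme or parsed.netloc:
        return False  # absolute URL (https://evil.com, javascript:...) or //evil.com

    # Must be a single leading slash: "//" and "///" are host-relative to browsers.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False

    # Belt and braces: resolve against the real base and confirm the host is unchanged.
    resolved = urlparse(urljoin(f"https://{allowed_host}/", decoded))
    return resolved.scheme == "https" and resolved.netloc == allowed_host


def classify(targets: list[str]) -> dict[str, bool]:
    """Evaluate a batch of candidate `next` values; handy for a quick regression table."""
    return {t: is_safe_redirect(t) for t in targets}


# Constructed sample values a tester would feed into a ?next= parameter.
SAMPLE_TARGETS = [
    "/dashboard",
    "/account/settings?tab=security",
    "https://evil.example/phish",
    "//evil.example/phish",
    "///evil.example/phish",
    "/\\evil.example/phish",
    "/%2f%2fevil.example/phish",
    "javascript:alert(1)",
    "",
]

if __name__ == "__main__":
    for target, ok in classify(SAMPLE_TARGETS).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5s}  {target!r}")
```

The hardened pattern for the application side is the same check applied before the `Location` header is written, with a fall-back to a fixed landing page when the value is rejected; never try to "repair" a rejected target, since the normalisation rules differ between browsers.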
Local File Inclusion: A Practical Guide
Local File Inclusion allows an attacker to read files from a server they should not have access to, leading to the exposure of sensitive information.
Should a Company Provide Credentials for Their Penetration Test?
Is giving credentials to a pentester considered cheating? Or is it an efficient use of resources during a limited engagement? Learn about both perspectives.