ONSEC: Boutique Penetration Testing Agency

Sign in Subscribe

ONSEC.io Research Team

ONSEC.io Research Team

Sandbox escape or How to catch all servers of the company

Sandbox escape or How to catch all servers of the company

We would like to describe how we discovered three RCE vulnerabilities, managed to escape the sandbox, and gained access to all of the company's servers. As part of the pentest, we identified a service for managing virtual and physical servers called Foreman. It appeared to be interesting to

CodeQL vs Semgrep: Fun and Friendly Showdown of SAST tools🥊

CodeQL vs Semgrep: Fun and Friendly Showdown of SAST tools🥊

In the world of application security, choosing the right Static Application Security Testing (SAST) tool can feel like a never-ending game of "Eeny, meeny, miny, moe." 🤔 But fear not, dear reader, for today we'll dive deep into the showdown of two popular SAST contenders: CodeQL and

Fresh Blood: Why Changing Pentest Providers Can Improve Your Security Posture

Fresh Blood: Why Changing Pentest Providers Can Improve Your Security Posture

Penetration testing (pentesting) is a crucial component of an effective security program. It involves simulating an attack on an organization's network or systems to identify vulnerabilities that could be exploited by malicious actors. A pentest can help identify security weaknesses that may have been overlooked or not yet

Getting ready for your first pentest: startup founders guide

Getting ready for your first pentest: startup founders guide

Congratulations on taking the next step toward ensuring the security of your startup! If you're reading this guide, chances are that you have received requests from your B2B sales partners or customers for SOC2 compliance, and you're now exploring your options to meet these requirements. As

Pentests Matrix for Top Security Compliances

Pentests Matrix for Top Security Compliances

The multitude of guidelines and regulations can be overwhelming, especially when it comes to understanding the penetration testing requirements for each. Determining what each compliance standard requires from a penetration test can be a headache, but it's crucial to get it right. To simplify the process, we'

A Guide to Resource Discovery for Penetration Testing

A Guide to Resource Discovery for Penetration Testing

Introduction Resource enumeration is an essential part of both the pentest preparation and reconnaissance during the pentest. Our team often finds customer internal resources in public access or vulnerable services that are not reflected in the original scope. It is always important to understand that there may be a resource/

White, black, gray, or crystal? Unpacking pentests.

White, black, gray, or crystal? Unpacking pentests.

We often hear about different types of penetration tests, however, it's still not clear how they are different and beneficial. In this article, you can find all these answers and comparison tables. There are several different types of pen testing, each with their own set of benefits and