OWASP Top 10 Deep Dive: Identification and Authentication Failures
Security pros have made progress in mitigating identification and authentication failures — but that doesn't mean we can take our eyes off the ball.
Login Authentication Goes Automated With New InsightAppSec Improvements
With our new automated login for InsightAppSec, even the most complex, modern applications can be accessed and scanned quickly and easily. Learn more.
InsightIDR Now Supports Multi-Factor Auth and Data Archiving
InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation
solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive
credentials securely on their associated Android apps. In addition, the Wink
cloud-based management API does not properly expire and revoke authentication
tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for
potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls
and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze
fixed all three issues by May 6, 2017, and user action is not required to
remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these
* R7-2017-07.1, CWE-284 (Improper Access Control)
[https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote
attacker can enumerate through MAC addr
Better Credential Management for Better Vulnerability Results
Often the first time the security team knows that credentials have expired is
when their scans start to return dramatically fewer vulnerabilities.
We all know getting credentialed access yields the best results for visibility.
Yet, maintaining access can be difficult. Asset owners change credentials.
Different assets have different frequencies for credential updates. Security
teams are often left out of the loop.
Between the original scan run time, the time it takes the security team to
Metasploit Framework Valentines Update
Valentines day is just around the corner! What could be a nicer gift for your
sweetie than a bundle of new Metasploit Framework updates? The community has
been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and
interesting new features.
Everyone Deserves a Second Chance
Meterpreter Scripts have been deprecated for years
[https://github.com/rapid7/metasploit-framework/pull/3812] in favor of Post
Exploitation modules, which are much more flexible and easy to debug.
Under the Hoodie: Actionable Research from Penetration Testing Engagements
Today, we're excited to release Rapid7's latest research paper, Under the
Hoodie: Actionable Research from Penetration Testing Engagements
[https://www.rapid7.com/research/under-the-hoodie/], by Bob Rudis
[https://twitter.com/hrbrmstr], Andrew Whitaker
[https://www.linkedin.com/in/drewwhitaker/], Tod Beardsley
[https://twitter.com/todb], with loads of input and help from the entire Rapid7
This paper covers the often occult art of penetration testing, and seeks to
The Twelve Pains of Infosec
One of my favorite Christmas carols is the 12 Days of Christmas
[https://www.youtube.com/watch?v=oyEyMjdD2uk]. Back in the '90s, a satire of the
song came out in the form of the 12 Pains of Christmas
[https://www.youtube.com/watch?v=h4NlR5KQLQ8], which had me rolling on the floor
in laughter, and still does. Now that I am in information security, I decided it
was time for a new satire (maybe this will start a new tradition), and so I am
presenting the 12 Pains of Infosec.
Avoiding Default Fail
As the Internet of Things (IoT) quickly floods into the marketplace, into our
homes and into our places of employment, my years of pen testing experience and
every research project I spin up remind me that IoT has weak defaults -- especially
default passwords, which will be the undoing of all of us.
You would think that after pointing out the issues with default passwords for years,
most of us would have learned to start changing those passwords before deployment.
Unfortunately that's not the case. I think we
Breach Response News
NCSAM: You Should Use a Password Manager
October is National Cyber Security Awareness month and Rapid7 is taking this
time to celebrate security research. This year, NCSAM coincides with new legal
protections for security research under the DMCA
and the 30th anniversary of the CFAA - a problematic law that hinders beneficial
security research. Throughout the month, we will be sharing content that
enhances understanding of what independent security research
InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility
Rapid7's Incident Detection and Response
[https://www.rapid7.com/solutions/incident-detection/] and Vulnerability
solutions, InsightIDR [https://www.rapid7.com/products/insightidr/] and Nexpose
[https://www.rapid7.com/products/nexpose/], now integrate to provide visibility
and security detection across assets and the users behind them. Combining the
pair provides massive time savings and simplifies incident investigation
800 Million Compromised Credentials Were Exposed This Month. Were You Notified?
In our previous post on third-party breaches, we talked about the risk of public
compromised credential leaks providing
attackers with another ingress vector. This August, InsightIDR
[https://www.rapid7.com/products/insightidr/?CS=blog], armed with knowledge from
a partner, identified a “Very Large Credentials Dump”. Very large? Over 800
million compromised credentials
Credential Status in Reporting Data Model
The new version of Reporting Data Model (1.3.1) allows Nexpose
[https://www.rapid7.com/products/nexpose/] users to create CSV reports providing
information about credential status of their assets, i.e. whether credentials
provided by the user (global or site specific) allowed successful login to the
asset during a specific scan.
Credential Status Per Service
The new Reporting Data Model version contains fact_asset_scan_service enhanced
with the new column containing the information about creden
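As an added example (not from the Rapid7 post or the Nexpose documentation), the kind of query a security team would run against the Reporting Data Model to find assets where a scan's credentials did not actually log in. Only fact_asset_scan_service is named on the page; the dim_asset, dim_service and dim_credential_status tables, the credential_status_id column and the 'Login successful' description value are assumptions and must be checked against the Data Model version you have installed.

```sql
-- Added example, not from the original post. Assumed names are marked below.
-- Goal: for the most recent scan, list every scanned service whose credential
-- check did NOT succeed, so the team can see lost or expired credentials before
-- a report quietly shows fewer vulnerabilities.
SELECT da.ip_address,                         -- dim_asset: assumed name
       da.host_name,
       ds.name                           AS service,   -- dim_service: assumed name
       fass.port,
       dcs.credential_status_description AS credential_status  -- assumed dimension
FROM   fact_asset_scan_service fass                    -- named on the page
JOIN   dim_asset             da  ON da.asset_id  = fass.asset_id
JOIN   dim_service           ds  ON ds.service_id = fass.service_id
JOIN   dim_credential_status dcs ON dcs.credential_status_id = fass.credential_status_id  -- assumed column
WHERE  fass.scan_id = (SELECT MAX(scan_id) FROM fact_asset_scan_service)  -- latest scan
AND    dcs.credential_status_description <> 'Login successful'            -- assumed value
ORDER  BY da.ip_address, fass.port;
```

Run the query as a custom SQL Query Export report; comparing its row count between two scan IDs is a quick way to catch a credential that was rotated by the asset owner without the security team being told.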
Pentesting in the Real World: Group Policy Pwnage
This is the third in a series of blog topics by penetration testers, for
penetration testers, highlighting some of the advanced pentesting techniques
they'll be teaching in our new Network Assault and Application Assault
certifications, opening for registration this week. For more information, check
out the training page at