Security Penetration Testing Blog

Advanced Authentication Flows
Apr 03, 2021 / Borislav Kiprin

How to configure advanced authentication flows such as HTTP Basic Authentication, Login Forms, OAuth2, or SAML for your application

How to scan an API
/ Borislav Kiprin

How to set up the Crashtest Security Suite to pentest Application Programming Interfaces (APIs).

Using Webhooks – Start DevSecOps
/ Borislav Kiprin

How to use webhooks to script the Crashtest Security Suite functionalities. This allows integration into your continuous integration / continuous deployment (CI/CD) pipeline to pentest every release.

How to use the Crashtest Security API
/ Borislav Kiprin

Setup and usage of the public API to automate creating projects and scans.

Current Scanner Overview
/ Borislav Kiprin

This article shows all current vulnerability scanners of the Crashtest Security Suite.

Team and Permission Management
/ Borislav Kiprin

To collaborate on security, you can create teams, invite your colleagues, and set permissions for who can create and edit your projects.

Harden TLS Session Resumption
/ Borislav Kiprin

The TLS session resumption functionality is misconfigured. This gives attackers the possibility to steal existing TLS sessions from other users.

Certificate Revocation
/ Borislav Kiprin

The webserver is badly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) make sure that users can verify the integrity of a server certificate.

Configure Trusted Certificates
/ Borislav Kiprin

The X.509 certificate issued for this domain cannot be trusted. Clients such as browsers will show warnings or not be able to connect if they cannot trust the certificate. Read here how you can configure trusted certificates.

Enable HSTS
/ Borislav Kiprin

The webserver does not offer HTTP Strict Transport Security (HSTS). HSTS enforces HTTPS connections. This prevents downgrade attacks to an insecure HTTP connection.