Caution During Cybersecurity Engagements

In cybersecurity engagements, there are occasions when attack techniques may leave traces within a client’s infrastructure or, in more concerning cases, involve the use of malicious, backdoored tools.

This post provides brief examples that responsible professionals should be aware of to ensure they exercise proper caution during and after the engagement.


Malicious Tools

During a web application pentest, imagine gaining remote access to your client’s Linux server but with limited privileges. The client then permits you to attempt privilege escalation to sudo.

4D Attack Surface — Part 1

4D is a company that provides a platform for developing applications. It can help with tasks like building websites, running a web server, managing an SQL server, and much more.

The technology is relatively unknown in the world of web frameworks. Together with Enzo Cadoni, we decided to explore it and examine the 4D attack surface for penetration testing.

This series is divided into two parts. The first part introduces the technology, explains its core functionalities and explores template injection vulnerabilities. The second part delves into advanced template injection techniques and examines a range of related security issues: 4D Attack Surface — Part 2.
