Hack Responsibly

Browse Hack Responsibly, a technical blog by The NetSPI Agents. Dive deep into the latest CVEs and vulnerabilities our team uncovers, and how we help NetSPI customers protect against the most important threats today.

Adversary Simulation

From linen to silk – Using Microsoft Service Fabric to elevate privileges 

The NetSPI Agents discovered a local privilege escalation path in Microsoft Service Fabric Runtime. Learn how the vulnerability was discovered and exploited.

Learn More
Cloud Pentesting

Elevating Privileges with Azure Site Recovery Services

Discover how NetSPI uncovered and reported a Microsoft-managed Azure Site Recovery service vulnerability and how the finding was remediated.

Learn More
Blockchain Pentesting

Web2 Bugs in Web3 Systems

Discover how attackers use vulnerabilities in off-chain components to achieve critical impact against on-chain systems.

Learn More
Cloud Pentesting

Azure Deployment Scripts: Assuming User-Assigned Managed Identities

Learn how to use Deployment Scripts to complete faster privilege escalation with Azure User-Assigned Managed Identities.

Learn More
Adversary Simulation

CVE-2024-21378 — Remote Code Execution in Microsoft Outlook 

NetSPI discovered that Microsoft Outlook was vulnerable to authenticated remote code execution (RCE) via synced form objects. Learn how NetSPI discovered and exploited the vulnerability.

Learn More
Cloud Pentesting

Extracting Sensitive Information from the Azure Batch Service 

The added power and scalability of Batch Service helps users run workloads significantly faster, but misconfigurations can unintentionally expose sensitive data.

Learn More
Adversary Simulation

The Silk Wasm: Obfuscating HTML Smuggling with Web Assembly

A new technique for HTML smuggling using Web Assembly helped us bypass potential malware detection.

Learn More
Web Application Pentesting

Why TOTP Won’t Cut It (And What to Consider Instead)

Time-Based One-Time Password (TOTP) is a common method for two factor authentication (2FA) but its lack of rate limiting can create security gaps.

Learn More
Cloud Pentesting

Automating Managed Identity Token Extraction in Azure Container Registries

Learn the processes used to create a malicious Azure Container Registry task that can be used to export tokens for Managed Identities attached to an ACR.

Learn More
Web Application Pentesting

Exploiting XPath Injection Weaknesses

Defend your web applications from XPath Injection: Explore the intricacies of this critical threat, understand its impact, and learn effective mitigation strategies.

Learn More
Cloud Pentesting

Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps 

NetSPI explores extracting managed identity credentials from Azure Function Apps to expose sensitive data.

Learn More
Cloud Pentesting

Abusing Entra ID Misconfigurations to Bypass MFA

While conducting an Entra Penetration Test, we discovered a simple misconfiguration in Entra ID that allowed us to bypass MFA.

Learn More