Recent Posts



Continuous Security Monitoring using ModSecurity & ELK

June 22, 2020

Recently, NotSoSecure got an opportunity to explore the working of monitoring and alerting systems as a part of a project. In this blog post, Anand Tiwari will talk about his experience and challenges faced while setting up one such monitoring and alerting system. Insufficient Logging and Monitoring In 2017, OWASP introduced…

Exploiting VLAN Double Tagging

April 17, 2020

We have all heard about VLAN double tagging attacks for a long time now. There have been many references and even a single packet proof of concept for VLAN double tagging attack but none of them showcase a weaponized attack. In this blog Amish Patadiya will use VLAN double tagging…

Automating Pentests for Applications with Integrity Checks using Burp Suite Custom Extension

March 17, 2020

During one of our recent web application penetration testing assignments, @realsanjay encountered a scenario where the application employed an integrity check on HTTP request content. The integrity check was maintained using a custom HTTP header that stored the HMAC of HTTP request content based on session-specific CSRF tokens. Any modification…

Hacking AWS Cognito Misconfigurations

February 17, 2020

In this blog, Sunil Yadav, our lead trainer for “Advanced Web Hacking” training class, will discuss a case study of AWS account takeover via misconfigured AWS Cognito. TL;DR The application under test only had a login page and no sign up feature exposed. Target application uses AWS Cognito JavaScript SDK…

Cloud Services Enumeration – AWS, Azure and GCP

October 28, 2019

TL;DR: We have built cloud enumeration scripts now available @ This script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service. As cloud environments are becoming increasingly popular, we are seeing a rise in cloud environment usage in production. From…