Penetration into the target network is just the first stage of a hacking attack. At the next stage, you have to establish a foothold there, steal users’ credentials, and gain the ability to run arbitrary code in the system. This article discusses techniques used to achieve the above goals and explains how to perform lateral movement in compromised networks.

Analysis of all kinds of vulnerabilities is one of the main HackMag topics. In this article, I will use four classical pentesting tasks to explain how to identify bugs in web apps.

News portals report large-scale data leaks nearly on a daily basis. Such accidents occur with all kinds of computer systems all over the world; the severity of their consequences varies from devastating to disastrous. In this article, I will show how easy it is to gain access to vast arrays of data.

Amid the COVID-19 pandemic, plenty of products supposed to protect you against COVID-19, or ease the course of the disease, or even heal you became available on the darknet (as well as on legitimate marketplaces). Because the shady segment of the global network is of utmost interest to hackers, I decided to examine the assortment of goods offered there and compare the prices on the darknet and in ‘regular’ stores.

There are many ways to show the user only the data they need. Row level security (RLS) is one of the most universal, simple, and reliable mechanisms ensuring that the data are presented only to persons having the required access rights. In this article, I will show that there is nothing really difficult in RLS and will explain how to set up an access rights differentiation system using the database tools and without affecting the performance much.

For the last five years, I’ve been using fuzzing to find vulnerabilities in the Linux kernel. During that time, I implemented three major projects: fuzzed the network subsystem through system calls (and wrote several exploits for the identified bugs), then fuzzed the network externally, and, finally, fuzzed the USB subsystem from the device side.

In September 2019, the CVE-2019-16759 vulnerability was discovered in the vBulletin forum engine. The bug enabled any user to execute arbitrary commands in the system and even resembled a backdoor. The developers have promptly fixed it, but in August 2020, a new possibility to bypass the patch and exploit the last year’s security hole was found.