Author: VSec

  • NoSQL Injection in the Real World: Breaking Mongoose with CVE-2025-23061

    NoSQL has spent years enjoying a strangely comfortable reputation, almost as if removing the word SQL also removed the chance of turning user input into a security problem. Sadly, attackers never signed that agreement. This article explores NoSQL Injection through a controlled lab based on CVE-2025-23061, a critical Mongoose flaw tied to “populate().match”. The vulnerable…

  • Burp Suite Guide: The Heimdall of the Web

    Burp Suite is the standard toolkit for intercepting, inspecting, and modifying HTTP traffic between a client (browser or mobile app) and a web server. If you can see the request and the response, you can test what matters: authentication, authorization, input handling, session behavior, and the real security posture of the application. This tutorial focuses…

  • How AI Is Actually Helping Pentesters Today

    If the internet is to be believed, AI is either replacing every pentester next week or doing nothing beyond rewriting payloads with extra confidence. As usual, both takes are a little dramatic and a lot less useful than reality. This article is not about attacking AI systems themselves. That angle was already covered in The…

  • The n8n Nightmare: Exploiting CVE-2026-21858

    Automation is supposed to save time, reduce mistakes, and make teams look far more organized than they really are. Then a critical vulnerability shows up and reminds everyone that giving one platform access to files, workflows, secrets, and integrations was definitely a bold lifestyle choice. That is exactly why CVE-2026-21858 got so much attention. It…

  • Using Shodan – Attack Surface Discovery & Monitoring

    Shodan is a search engine for internet-exposed systems. Instead of indexing web pages, it indexes services (SSH, HTTP, databases, VPNs, remote admin panels, etc.) and their banners/metadata, which makes it extremely useful for attack surface discovery and continuous exposure monitoring. This tutorial focuses on authorized, defensive use: mapping what your company exposes to the internet,…

  • Container Security Isn’t Just Image Scanning

    Containers made software delivery faster, cleaner, and much easier to scale. Teams package an app, ship it, and move on. Security shows up, adds image scanning to the pipeline, and suddenly everyone sleeps better. Fair enough. Green checks are comforting. Sadly, attackers do not care how pretty your dashboard looks. Why Image Analysis Matters Image…

  • IAM Isn’t Just SSO: The Team, the Process, and the Tools

    Identity and Access Management (IAM) is one of those topics that feels painfully boring, right up until someone gets access they shouldn’t, and suddenly it’s everybody’s “top priority.” At its core, IAM is simply how a company manages identities and controls who can access what, when, and under which conditions. In this article on VSec,…

  • SQLMap: Automating SQL Injection

    sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection (SQLi) vulnerabilities in web applications and databases. This tutorial focuses on responsible, low-impact validation: confirm whether a parameter is injectable, identify the back-end DBMS and technique used, and collect just enough evidence to help engineering fix the issue—without turning…

  • Understanding LFI Attacks: The CVE-2024-32982 Example

    LFI (Local File Inclusion) is the tiny coding mistake that quietly hands attackers access to files they shouldn’t see — and sometimes to code execution if the app processes the included content. Different from Path Traversal, which typically only exposes files, LFI can let the application use or execute those files. This article explains how…

  • From Upload to RCE: CVE-2023-3491 Explained

    File uploads are one of those “simple” features that everyone wants and nobody wants to think too hard about. “Just let the user upload a logo, what’s the worst that could happen?” — said every future incident report ever. In this article, we’ll unpack what Unrestricted File Upload (UFU) is, why it continues to surface in…