According to the insurer Lloyd's, Australia was exposed to an estimated $16 billion of cyber attack risk last year. Many companies averted that risk, but the need to keep building better security systems only grows.
Challenges Faced by Automated Application Security Testing Tools
With the growing number of online threats and the evolving nature of data breaches, keeping a website's security parameters up to date is an advancing challenge too. For instance, if you download, install and run a scanning product and expect an accurate, complete report of your site's vulnerabilities with no further configuration, you will probably be disappointed.
The right automated application security testing tool lets you adjust its configuration (crawl scope, authentication, the request sequences it must follow) so that it fits your website.
Here are some of the common challenges faced by application security testing tools:
Script Parsing
Flash, XML and JavaScript have all come a long way since they were first introduced. They keep growing more complex, and each presents its own challenges when it comes to testing for security.
Code isn't simple any more. It now contains conditional behaviour driven by user preferences, the site environment, dynamically generated links and so on. The code a scanner downloads is likely to change from request to request depending on which function was called and in what order, so a parser that has seen one version cannot assume it has seen them all.
Logical Flow
Many websites still require users to navigate through pages in a fixed order before a function becomes available; the checkout page on most ecommerce sites is the obvious example.
Many scanners still rely on crawlers that fetch a page, extract its links and fetch those in turn, with no notion of putting an item in the cart before attempting checkout. Such sites present their own challenges when it comes to testing them for security: the checkout code is never reached, so it is never tested.
Sessions State Management
Perhaps the most complicated problems come from session state management. Websites use cookies and other tracking mechanisms to follow a user's identity and activity, and every development team implements session tracking in its own way, which makes it hard for scanner vendors to handle generically.
One common problem for automated application security testing tools is simply staying logged in. When an attack payload is sent against an application parameter, the application (or a web application firewall in front of it) may treat it as hostile and terminate the session, logging the tool out. Another problem arises when several requests carrying the same session token are sent concurrently: if the application rotates or invalidates the token on one of them, the others fail and have to be resent by hand. Sending one request at a time avoids this but slows the scan considerably, which is not practical in every case.
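As an added example (not the page's own code, and not any particular scanner's), here is a scanner harness that handles both the logical-flow problem above (replaying the add-to-cart step before every checkout request) and the session problems (detecting a forced logout by its redirect target, re-authenticating, and serialising requests so a token rotation cannot race other in-flight requests). ToyApp is a constructed stand-in for the target so the code runs offline; the credentials, paths and the "log out on hostile input" rule are assumptions made for the demonstration. Note that a payload which logs the tool out is reported as a 302 rather than silently treated as a clean response.

```python
"""Added example (not the page's own code): a scanner harness for the two
problems above. A constructed in-process ToyApp stands in for the target, so
the code runs offline; a real scanner would issue HTTP requests instead."""
import secrets
import threading


class ToyApp:
    """Constructed target: cookie-based sessions, a checkout that is only
    reachable with a non-empty cart, and a framework that drops the session
    when a parameter looks hostile (the behaviour that logs scanners out)."""

    VALID_CREDS = ("scanner", "s3cret")   # assumed test account

    def __init__(self):
        self.sessions = {}   # session cookie -> cart contents
        self.logins = 0

    def login(self, user, password):
        self.logins += 1
        if (user, password) != self.VALID_CREDS:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = []
        return cookie

    def get(self, path, cookie, params):
        """Return (status, redirect_location, body)."""
        cart = self.sessions.get(cookie)
        if cart is None:
            return 302, "/login", ""
        if any(c in value for value in params.values() for c in "'<"):
            del self.sessions[cookie]          # suspected attack: terminate session
            return 302, "/login", ""
        if path == "/cart/add":
            cart.append(params.get("sku", ""))
            return 200, "", "added"
        if path == "/checkout":
            if not cart:
                return 302, "/cart", ""        # workflow enforced: nothing to check out
            return 200, "", f"checkout {','.join(cart)} coupon={params.get('coupon', '')}"
        return 200, "", "ok"


class ScannerSession:
    """Keeps a scan authenticated and at the right point in the workflow:
    re-logs in when the target drops the session, replays the recorded steps
    that must precede the page under test, and serialises requests so that a
    token rotation cannot race with other in-flight requests."""

    LOGOUT_MARKERS = ("/login",)    # redirect targets that mean "session is gone"

    def __init__(self, app, creds):
        self.app, self.creds = app, creds
        self.cookie = None
        self.relogins = 0
        self.lock = threading.Lock()
        self._login()

    def _login(self):
        self.cookie = self.app.login(*self.creds)
        if self.cookie is None:
            raise RuntimeError("login failed; cannot continue authenticated")

    def request(self, path, params, prerequisites=(), retry=True):
        with self.lock:
            for pre_path, pre_params in prerequisites:
                self.app.get(pre_path, self.cookie, pre_params)   # e.g. add to cart
            status, location, body = self.app.get(path, self.cookie, params)
        if status == 302 and location in self.LOGOUT_MARKERS and retry:
            self.relogins += 1
            self._login()
            return self.request(path, params, prerequisites, retry=False)
        return status, body


def fuzz_checkout(app, payloads):
    """Send each payload to the checkout coupon field, replaying the add-to-cart
    step first. Returns ([(payload, status, body), ...], number_of_relogins)."""
    session = ScannerSession(app, ToyApp.VALID_CREDS)
    prerequisites = [("/cart/add", {"sku": "WIDGET-1"})]
    results = []
    for payload in payloads:
        status, body = session.request("/checkout", {"coupon": payload}, prerequisites)
        results.append((payload, status, body))
    return results, session.relogins


if __name__ == "__main__":
    outcome, relogins = fuzz_checkout(ToyApp(), ["SAVE10", "' OR 1=1--", "SAVE20"])
    for row in outcome:
        print(row)
    print("re-logins needed:", relogins)
```

Running the three payloads, the injection probe gets the scanner logged out twice (once on the first try, once on the retry) and is reported as a 302, while the benign coupon that follows it still reaches checkout because the harness re-authenticates and re-fills the cart first.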
As the leading web application security and penetration testing service provider in Australia, we understand all of these challenges and work our way around them proactively.
Over the past years we have helped countless clients stay vigilant and safeguarded them from hacks and breaches. Get in touch with us to discuss your needs and find out how we can help.
Session Hijacking – What Is It?
There are security concerns on the client side of any web application, just as there are for the business providing the online service. Session hijacking is one such issue.
It is the malicious act of taking control of a user's session after obtaining or generating a valid authentication session ID. Session hijacking typically uses a session ID that the attacker has captured, forced onto the victim (session fixation) or reverse engineered. The goal is to take over a legitimate user's session with the web application while it is in progress.
Types of Session Hijacking
Session hijacking is split into two types, active and passive. The main difference between them is the degree of the attacker's involvement in the attack:
Active Session Attacks
The attacker finds and takes over an active session, i.e. one that is still in progress, and issues requests as the victim.
Passive Session Attacks
The attacker obtains the session but sits back, observes and records the traffic without interfering.
There are a number of ways a user's web application session token can be compromised. The most common are:
- Session sniffing
- Predictable session tokens
- Client-side attacks (Trojans, malicious JavaScript, XSS, etc.)
- Man-in-the-browser attacks
- Man-in-the-middle attacks
Following are some helpful techniques that can be used to avoid session hijacking.
Side-jacking
SSL/TLS is commonly used to protect login pages, but falling back to plain, unencrypted HTTP once the client has authenticated is a mistake. Why? Anyone who can observe the unencrypted HTTP traffic between client and server can read the session cookie and replay it, which is all that is needed to take over the session; the password is never required. The attacker must be positioned to see the traffic (the same Wi-Fi network, a compromised router, or any hop in between), but needs to know nothing about the application beyond which cookie carries the session. The fix is to serve the whole authenticated session over HTTPS and to set the Secure attribute on the session cookie so the browser never sends it over HTTP; HTTP Strict Transport Security (HSTS) closes the remaining gap.
You must understand how this works and employ an effective strategy; consult Lean Security if you need help putting one in place.
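As an added example (not the page's own code), the check below audits a response's Set-Cookie header for the attributes that defeat side-jacking and cookie theft, and shows how to mint a session ID that cannot be predicted, covering the "predictable session token" item from the list above as well. The header strings and the list of session cookie names are constructed samples, and the cookie-name list is an assumption you would extend for your own framework.

```python
"""Added example (not the page's own code): audit Set-Cookie headers for the
attributes that defeat side-jacking, and mint session IDs that cannot be
predicted. The header strings and cookie names are constructed samples."""
import secrets
from http import cookies

# Cookie names treated as session cookies; extend for your framework (assumption).
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value; an empty list means hardened."""
    jar = cookies.SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue   # preference cookies and the like are not worth a finding
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag; browser sends it over plain HTTP (side-jackable)")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag; injected script can read it")
        if not morsel["samesite"]:
            findings.append(f"{name}: no SameSite attribute; sent on cross-site requests")
        if len(morsel.value) < 16:
            findings.append(f"{name}: value is {len(morsel.value)} chars; too short to be unpredictable")
    return findings


def new_session_id(nbytes=32):
    """256 bits from the OS CSPRNG. Never derive session IDs from timestamps,
    counters or random.random(): those are the 'predictable token' case."""
    return secrets.token_urlsafe(nbytes)


def hardened_set_cookie(name="sessionid"):
    """The header a login response should send once the whole site is HTTPS-only."""
    return f"{name}={new_session_id()}; Path=/; Secure; HttpOnly; SameSite=Lax"


WEAK_HEADER = "sessionid=1001; Path=/"   # constructed: sequential value, no flags

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_HEADER))
    print(audit_set_cookie(hardened_set_cookie()))
```

The weak header produces four findings (Secure, HttpOnly, SameSite and length); the hardened header produces none. Secure is the attribute that stops side-jacking specifically, because it tells the browser never to send the cookie over an unencrypted connection.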
Network Security
Often the first and only line of defence against session hijacking is network security. All unencrypted HTTP communication can be captured and hijacked, so restrict the ability to tap incoming and outgoing traffic to trusted, vetted staff, and limit that access to what their role requires. This significantly reduces the threat of session hijacking from inside the network.
Another issue online businesses must consider is the client's own connection, particularly from untrusted public networks. Anyone can join an open or poorly protected Wi-Fi access point and capture the traffic crossing it. Effective steps must be taken so that a session stays protected regardless of the network the client connects from, which in practice means end-to-end TLS rather than trusting the access point.
Adopting a strict stance on your web application's security is the only way forward. Session hijacking is a grave cybercrime that damages businesses and their reputations and exposes untold amounts of sensitive client data. Take the right step towards better security by putting your web application through a security health check by Lean Security!
Performing A Web Vulnerability Assessment – Are You Making These Mistakes?
There are a lot of things to keep in mind when securing your network. Unfortunately, most network security processes don't go beyond patch management and installing antivirus software. Much more can and should be done: checking configurations, finding troublesome or default-configured hardware, and dealing with known issues in third-party applications. These processes make up a web or network vulnerability assessment.
Making mistakes is human nature, but neglecting your web application's security needs while performing a web vulnerability assessment can be a costly error. We have outlined some of the most common mistakes made by in-house IT professionals and administrators when it comes to web application vulnerability assessments.
Learn from them and make your web application’s security your highest priority, in theory and practice.
Not Attending To Least Important Vulnerabilities
You will of course have some high-severity vulnerabilities in the web application that network administrators and in-house specialists give the highest priority. There is nothing wrong with that: they can have a direct and immediate impact on your web application. The real issue is not paying attention to the low-priority vulnerabilities at all. Attackers chain low-severity issues (an information leak here, a missing security header there) into a real compromise, and a 'low' rating on one application is often wrong for another. Ignoring them leads to an uneven allocation of resources across applications and vulnerabilities.
Network administrators need to search for, identify and fix every web security vulnerability that could potentially cause problems, across every web-facing asset. What does that include?
- Seemingly harmless marketing websites
- Intranet and portals
- Content management systems
- Web interfaces for all network devices
Expect Reported Vulnerabilities to Be Fixed Without Following Up
Following up is really important, especially for something as important as your web application's vulnerability assessment report. Keep in mind: scanning for or assessing a vulnerability is not the same as fixing it. Your developers may never learn of the identified issues because management does not deem them important enough; almost every business's management has its own priorities, which take precedence over identified security issues.
In that case, partner with the developers directly and follow up accordingly, so that every crucial identified vulnerability is actually remediated and then re-tested.
Assuming a Secure Web Application Is Also Compliant
Contrary to popular belief, a web application security assessment that is termed 'compliant' doesn't necessarily make the web application secure, and vice versa. Why are compliance and security not the same? Quite simply, compliance measures whether a particular security program meets a specific set of requirements at a point in time; an attacker is not bound by those requirements.
Compliance managers and auditors should sit down together and make sure all known risks are addressed, by building a website security plan around the requirements of the chosen security program rather than stopping at them.
Web application security is an important aspect of many businesses' IT compliance programs. As such, hire the best third-party managed service provider you can find. Consider signing up for Lean Security's free trial.
Do You Know All There is to Know About SQL Injections?
We have all heard about cybercriminals and the havoc they create for online businesses and corporations. In the last few years we have seen a new generation rise to the digital forefront: hacktivists, the digital activists of this era, who have only just started making their presence known. With social media and a wide internet infrastructure, IT-savvy hacktivists make their passionate opinions on social and political issues known on a global scale. They hack their way into government-operated websites with the intent of shutting them down or exposing content that aids their cause.
Arguably, the most dangerous part of hacktivism is the intent. Many do fight for social and political change but there are entities only interested in personal and financial gain.
What does this mean for a multinational, or even a local business with an online presence, in Australia? Web application security has become an even more important component that should never be overlooked, and SQL injection is one attack that must not be ignored when making your website or web application more secure.
SQL Injections - Most Common Type of Hack Attack
There are plenty of reasons why attackers favour SQL injection. The attack lets hacktivists or other malicious actors inject their own commands into the database behind the application. The root cause is almost always the same: the application builds SQL statements by concatenating user-supplied input, so that input is interpreted as SQL syntax rather than as data. Databases are rarely configured to detect the attack, which makes it easier for attackers to read information from them.
Damages Caused By SQL Injection
Given the right circumstances, an attacker can leverage a SQL injection vulnerability to bypass the web application's authentication and authorization completely, and from there retrieve an entire database. Attackers can also add, modify and delete sensitive records.
Online businesses must know about the three main categories of SQL injection attack against databases in order to devise an effective web application security strategy. They are:
SQL Manipulation
Here the attacker modifies an existing SQL statement, for instance by appending a UNION to pull rows from another table, or by changing its WHERE clause so that it matches rows it should not. The modified statement returns results the developer never intended.
Code Injection
This is the insertion of entirely new SQL statements (or database commands) after an already vulnerable statement. Attackers use many strategies; the most common is to terminate the original statement with a semicolon and append a further command, for example EXECUTE (EXEC) on Microsoft SQL Server. This type of attack is only possible when the database driver or API allows multiple statements per request.
Buffer Overflows
These are triggered through function call injection: the attacker injects a call to a built-in database function with an oversized argument and exploits a flaw in that function. Patches are available for most open source and commercial databases, which is why patching matters for a server's security; this type of SQL injection attack succeeds when the server is unpatched.
Protecting your web application against these vulnerabilities should be every business's highest priority. As such, you must know where to look when searching for the best managed service provider for your business's online application. Lean Security is a good option, and here's why!
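As an added example (not the page's own code), the snippet below runs the first two categories above, plus the authentication bypass mentioned earlier, against an in-memory SQLite database, and places the parameterised fix beside the vulnerable code. The tables, rows and 'hashes' are constructed for the demonstration. Python's sqlite3 refuses a second statement in execute(), so executescript() stands in for a driver that allows stacked statements; that contrast is exactly the "only when multiple statements are supported" condition for code injection. Buffer overflows in database functions are version-specific and are not reproduced here.

```python
"""Added example (not the page's own code): SQL manipulation, code injection
and the parameterised fix, against an in-memory SQLite database. Table names,
rows and the 'hashes' are constructed for the demonstration."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products (name, price) VALUES ('Widget', 9.99), ('Gadget', 19.99);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password)
            VALUES ('admin', 'hash-of-admin-pw'), ('alice', 'hash-of-alice-pw');
    """)
    return conn


# --- SQL manipulation: user input becomes part of the statement's syntax ---
def search_vulnerable(conn, term):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def login_vulnerable(conn, username, password):
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


# --- Code injection: a second statement stacked after the first ---
def stacked_statement(conn, term, driver_allows_multiple):
    """Return 'executed' or 'blocked'. sqlite3.execute() refuses a second
    statement; executescript() stands in for drivers and APIs that allow it."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    try:
        if driver_allows_multiple:
            conn.executescript(sql)
        else:
            conn.execute(sql)
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "blocked"


def table_exists(conn, name):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


# --- The fix: bound parameters; input is data and can never alter the statement ---
def search_safe(conn, term):
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def login_safe(conn, username, password):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed payloads, one per category.
UNION_PAYLOAD = "zzz%' UNION SELECT username, password FROM users --"
BYPASS_PAYLOAD = "' OR '1'='1"
STACKED_PAYLOAD = "zzz'; DROP TABLE users; --"

if __name__ == "__main__":
    db = make_db()
    print("UNION leak:", search_vulnerable(db, UNION_PAYLOAD))
    print("same input, parameterised:", search_safe(db, UNION_PAYLOAD))
    print("bypass vulnerable/safe:", login_vulnerable(db, "admin", BYPASS_PAYLOAD),
          login_safe(db, "admin", BYPASS_PAYLOAD))
    print("stacked, one-statement driver:", stacked_statement(db, STACKED_PAYLOAD, False))
    print("stacked, multi-statement driver:", stacked_statement(db, STACKED_PAYLOAD, True),
          "users table left:", table_exists(db, "users"))
```

The UNION payload returns every username and password hash through a product search; the same string passed as a bound parameter matches nothing, because the driver sends it to the database as a value rather than as part of the statement. The bypass payload logs in as admin without a password only through the concatenated query. The stacked payload is rejected by the one-statement driver but drops the users table through the one that allows multiple statements.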
Are All Web Security Vulnerabilities Equally Dangerous For Your Online Business?
Are you responsible for the security of your company’s web applications?
What are the steps usually taken when it comes to removing vulnerabilities from web applications and websites?
Many IT managers rely on a web application security scan to identify anomalies; this is the first step towards removing vulnerabilities.
A lack of time and budget forces many IT managers to choose between vulnerabilities, i.e. to fix the highest-priority risks first.
This is where the real problem begins.
SQL injection is often given precedence over other vulnerabilities, especially cross-site scripting. In fact, many in the web application security industry think an XSS vulnerability isn't as dangerous for web applications and websites, and can be identified and fixed last.
XSS Vulnerability – Why Do You Think It Is Not a Dangerous Vulnerability?
The usual reasoning is that in an XSS attack the victim isn't the web application, the web server or the data stored in the database, but the user or visitor. If a forum or WordPress blog post carries an XSS payload, the argument goes, the attacker only reaches private messages, forum posts and the user's profile, not sensitive data such as credit card numbers or customer details, and cannot tamper with the web application itself. That reasoning is wrong: whoever can run script in a victim's browser can act as that victim, and if the victim is an administrator, as the administrator.
What Can An Attacker Actually Do With XSS Vulnerability?
In a cross-site scripting (XSS) attack, an attacker injects malicious script into an otherwise trusted website. The vulnerability is then exploited by delivering that code (usually a browser-side script) to a different user of the same web application, where it runs with that user's privileges.
Web developers and a company's in-house IT specialists often think an XSS vulnerability is relatively harmless and can be given the lowest priority. In reality, cross-site scripting can do serious damage:
- Bypass restrictions on the website
- Deliver malware
- Steal identities and confidential data
- Denial of service attacks
- Website defacement
- Session hijacking
In the end, no vulnerability should be considered low priority. If possible, all should be identified and fixed within a reasonable timeframe so that end-users and customers don’t suffer.
It is also a good idea to undergo monthly web application security scanning and assessment by a reliable managed service provider. Lean Security is always ready for the test! Try our free trial today.
What Are Your Resolutions For Web Application’s Pen Testing?
New Year has come and gone, but the air is still filled with expectations that this year will be the best yet. If you are an online business owner who suffered security breaches, liabilities and losses last year, 2017 is the time to redeem yourself in the eyes of your customers. Keeping with tradition, did you write down a list of New Year's resolutions that you intend to follow to the letter? Did those resolutions include web application pentesting? More importantly, isn't it time to put your business's IT infrastructure and web applications through manual and automated penetration testing and code review?
Understanding the Real Value of a Penetration Test
Very few businesses with an online presence realise the importance and value of penetration testing for their web/mobile applications and software security. There are a lot of misconceptions about it, such as:
- My IT infrastructure will be safe after pentesting
- All vulnerabilities within the application will be found
Penetration testing commissioned for the reasons above doesn't explore the full value of the service. There are other benefits of pentesting that you can enjoy!
Pentesting Reveals a Set of Vulnerabilities
Not all of them, though. The number of vulnerabilities found depends on several factors, namely:
- Duration of the test
- Skills, experience, credentials, certifications of testers
- Network connectivity
- Active web application firewalls
- System changes during testing
- Application instability
Moreover, testers focus on high-risk vulnerabilities first and turn to medium- and low-risk ones as time allows. This is why, for maximum results, a combination of automated and manual pentesting should be performed. Some additional benefits of pentesting from a certified and experienced vendor are:
- Shows ‘real risk’ of vulnerabilities
- Offers third party’s expert opinion
- Tests cyber-defence capability of your IT infrastructure
- Helps comply with industry certifications and regulations
Businesses often ask about the best way to conduct pentesting of software, web applications and the rest of their IT infrastructure. What they forget is that a penetration test should serve stated business goals and objectives, not merely check for random holes in security.
Here Is How to Conduct a Successful Security Evaluation Test
Choosing a good pentesting vendor is only half the battle. Make sure the security assessment is conducted properly by:
- Establishing a security baseline through annual tests
- Spelling out your company's security objectives and requirements
- Choosing auditors with real security experience
- Involving business unit managers early on
- Relying on experience, not just prepared checklists
- Ensuring the finished report reflects all of the organisation's security risks
Now that you know the importance of penetration testing for evaluating your web application's or IT infrastructure's security, will you scour the market for pentesting software that offers inaccurate results, or choose Lean Security?
Security Compliance And Audits – What You Should Know
When did your company's IT department last conduct a security and compliance audit of its infrastructure, web applications and software? Why is this necessary? In simple terms, a security audit is carried out to confirm that your security systems and IT infrastructure are working as intended.
A compliance audit, on the other hand, is a comprehensive review of a company's adherence to regulatory guidelines. Independent security or IT consultants offer compliance audits to clients, who then fix the gaps in their security with the help of the finished report. Over the course of the audit these professionals review user access controls, risk management procedures and security policies.
There are a few points you should know about choosing security compliance and audits for your IT infrastructure. Keep the following in mind:
An Audit Isn’t a Design Session
Does your security program's design rely heavily on the initial audit gap report? If so, the program might not be sustainable. An auditor targets specific requirements one at a time, so compliance and security audits don't deal with sustainability, a holistic approach, or integration with existing business requirements; that is design work that has to happen separately.
Don’t Conduct Audit If Not 100% Ready
An audit is strictly an independent review of your existing security program. There is no point going through one if you know your organisation doesn't meet all aspects of it; fix the known discrepancies and vulnerabilities in the IT framework first. Remember, an audit result is not a measure of how secure you are, but the evaluation does help you find and fix issues.
Always Aim Higher Than What Compliance Requirements Prefer
Going above and beyond on IT security is a good thing. Requirements are set as a minimum standard at which businesses with an online presence can operate, and which they should work to exceed. When budgeting for security and compliance audits, don't just focus on meeting the standard requirements; provide everything your organisation needs to effectively mitigate risk.
Identify vulnerabilities and fix your web application's security through effective assessment of your IT infrastructure with advanced web security testing. Security and compliance follow from that. Lean on Lean Security for all your web and mobile application security needs.
How To Choose The Right Penetration Testing Vendor
When it comes to the security of IT infrastructure and web applications, businesses with an online presence can establish thorough security in one of two ways, the good way or the bad way: either wait for your organisation's web application and IT infrastructure to get hacked, or work with a professional penetration testing service before disaster strikes. The latter is the better option.
Penetration Testing Will Safeguard Your IT Infrastructure against Vulnerabilities
Penetration testing is used to find existing vulnerabilities within a web application, which are then addressed and removed. The evaluation is carried out by pentesting companies or individuals who use the same techniques as hackers and cyber criminals to safely exploit vulnerabilities and highlight issues in the infrastructure's security. With many pentest vendors operating in Australia (Lean Security is one of them), how will you know you have partnered with the right one?
Look For Technical Capabilities
Extensive training and experience are two factors the best pentesters have in common. Look for a penetration testing vendor whose staff hold certifications such as the following, which attest to both:
- CISSP – Certified Information Systems Security Professional
- CEH – Certified Ethical Hacker
- GWAPT – GIAC Web Application Penetration Tester
- OSCE – Offensive Security Certified Expert
- OSCP – Offensive Security Certified Professional
Additional credentials to look for are a pentester's background in networking, systems management or application development before moving into this field.
Pricing Of Penetration Testing
Get at least three quotes or recommendations for pentest vendors or companies, with complete information about the services included. This will help you determine whether the price asked is worth the service; in any case, knowing what you are paying for helps.
Not all pentest companies are equal, in services or in certification. Don't forget that you get what you pay for: a low-priced service often means under-qualified or inexperienced pentesting professionals, or an automated scan dressed up as a manual test.
Ask a Potential Pentesting Vendor These Questions
Choosing the right pentesting vendor is easier with the following list of important questions to ask:
- How many pentesters do you employ? What are their qualifications?
- What assistance can you provide in scoping the tests?
- Do you offer phishing testing and social engineering?
- How is the pentest carried out and to what time scale?
- What steps are taken to minimize possible effects on the business?
- Will reports and security recommendations be provided after the test?
- Can you provide references or testimonials from existing customers?
With the help of the above, finding the right pentesting vendor for your online business or web application becomes easier. Just know what you want done, i.e. a security assessment and evaluation only, or something more concrete. Look at what Lean Security has to offer in penetration testing services.
Ask Us – Difference Between Penetration Testing, Security Audit And Vulnerability Assessment
Companies and businesses with an online presence are more vulnerable than ever to exploitation and hacking; today's rapid growth of internet-based commerce guarantees it. Beyond the many parts of a corporate network that are open to attack, web application servers and the transactions they handle are especially exposed to criminal hackers. Web application security has become more important than ever, and traditional testing of security controls such as firewalls is no longer sufficient to protect organisations doing business on the internet.
Yes, businesses today need something extra when it comes to managing their web application security. The mantra has changed: the e-commerce sector now accepts that simply 'avoiding being hacked' isn't enough, especially when failure to properly manage security is linked to serious liabilities such as:
- Cross-site request forgery
- Unvalidated redirects and forwards
- Sensitive data exposure
- Security misconfiguration
- SQL injection
- Cross-site scripting
- Broken authentication and session management
Which type of security assessment should you look into for your IT infrastructure? There are commonly three: the penetration test, the vulnerability assessment and the security audit.
What Is A Security Audit?
A security audit evaluates an application's or system's risk level against set standards or baselines. Standards are mandatory compliance rules; baselines define the minimum acceptable level of security. Both help achieve a certain consistency in how security is implemented, and they can be specific to an industry, technology or process.
Important Note:
Security audits can give businesses a false sense of security, as the rules in most standards and baselines are unable to keep up with the rapid changes in cyber security, vulnerabilities and threats.
What Is A Vulnerability Assessment?
Also known as vulnerability analysis, this is the process through which security holes are defined, identified and classified in a computer, network or IT infrastructure. What many people don't realise is that the assessment stops once a vulnerability is found: no exploitation follows to verify whether it is a legitimate threat or a false positive, so a vulnerability assessment report typically contains false positives that a penetration test would have weeded out.
What Is Penetration Testing?
Pen tests are conducted to evaluate an IT infrastructure's security by safely, or 'ethically', exploiting vulnerabilities in web applications, operating systems and configurations, or even risky end-user behaviour.
Important Note:
A popular misconception is that penetration testing enhances web application security simply because it is more expensive than the other services. Remember, penetration testing doesn't make IT networks and applications more secure by itself; it only evaluates the existing security. The security gain comes from remediating what it finds.
Whether you choose pen testing, a security audit, or website evaluation and assessment from Lean Security, know that we will offer the very best in managed security services and advanced web security testing. Try it out today!

