Aptive Consulting
Aptive are a UK application security testing company based in London providing security testing services to the UK and the rest of the world. Aptive specialise in modern mobile app and web app penetration testing.
Professional Security Testing Services
Identify Web App Threats
Application Penetration Testing
Aptive provide application security testing using our internal methodology based on the OWASP testing methodology. The service identifies security issues within apps and provides clear remediation instructions, allowing your organisation to easily fix identified security issues. For more information, see our app security audit service page.
Identify Mobile App Threats
Mobile App Security Testing
Aptive’s mobile application security testing is a deep dive security assessment against iOS and Android apps, to help identify potential security issues, logic flaws or vulnerabilities.
Identify Internal & External Infrastructure Threats
Network Penetration Testing
Aptive provide internal or external network pen tests, which help identify and quantify security issues in an easy to understand report.
Proactively identify the latest vulnerabilities
Our services help identify the latest vulnerabilities.
Security Assessment Services
Learn more about Aptive's other security assessment services.
Reviews from our clients
Aptive conduct regular penetration testing of our web applications as part of our ongoing cyber security testing commitment. The delivered reports are always professional, concise and make it easy for both stakeholders and developers to understand.
Aptive performed a web app pen test against our .NET applications. Throughout the project Aptive were extremely accommodating with our questions and demands and very flexible with timings to ensure no disruption of systems.
The team at Aptive provided excellent advice and demonstrated a large depth of knowledge regarding security aspects and vulnerabilities within our environment. We were very pleased with the level of effort and advice given throughout the engagement.
Apache Security Hardening Guide (Apache Config)
Our team provide a guide on Apache security hardening and configuration. We provided this guide to help with practical configuration steps that mitigate vulnerabilities and strengthen the Apache web server's default configuration.
Find the Best App Penetration Testing Companies
Our team have put together a guide to help you find the Best Penetration Testing Company for your security assessment.
Cheap Penetration Testing: A Recommended Read Before You Buy
We document the potential pitfalls of obtaining cheap pentesting: Understand the potential dangers of buying a cheap pentesting service.
What is Lateral Movement: Lateral Movement Explained (2024)
We provide an overview of Lateral Movement, how it is used by threat actors, and how it is used by testers during a penetration test or red team engagement.
LLMNR / NBT-NS Spoofing Attack Explained
We explain the LLMNR / NBT-NS spoofing attack: how to use LLMNR & NetBIOS poisoning to capture credentials from the network using Kali + Responder.py and how to fix LLMNR & NBT-NS (NetBIOS) spoofing / poisoning attacks.
Local File Inclusion (LFI)
Our team explain what Local File Inclusion (LFI) is with real world examples, and how to perform security testing for LFI vulnerabilities. The intent of this document is to assist with web app security assessment engagements by consolidating research on LFI testing techniques. LFI vulnerabilities are typically discovered during application assessments or penetration testing using the techniques contained within this document.
Log Injection Attack Explained: Risks, Exploits, and Defences
We explain what log injection attacks are, their risks, and how to defend against them with strategies like input sanitisation, secure logging practices, and defence-in-depth approaches.
Remote Code Execution via Log Injection: Understanding the Threat and Mitigations
We explain how Remote Code Execution (RCE) through log injection attacks work, how they occur, and effective mitigation strategies.
Log Injection vs Log Forgery: Learn the Differences and Implications
Our team explains the differences between log injection and log forgery, how each attack works, and the security implications for organisations.
XSS Log Injection: Risks and Defences Explained
We explain how Cross-Site Scripting (XSS) can be exploited through log file injection attacks, the mechanisms behind these vulnerabilities, and effective best practices for prevention and mitigation.
OWASP MASTG: Mobile Security Testing Cheat Sheet & Checklist ✅ (iOS & Android)
We have produced the following OWASP Mobile App Security Testing Guide (MASTG) Cheat Sheet & Checklists ✅
OWASP Mobile Top 10 (2024) - Explained
Our team explains the key updates in the OWASP Mobile Top 10 for 2024, highlighting the most critical mobile app security risks. We explain emerging threats, new vulnerabilities, and best practices for safeguarding mobile applications.
OWASP Top 10 (Web 2021) - Explained
We explain the key updates in the OWASP Top 10 Web (2021). Our team have explained each OWASP Top 10 category with examples. Learn about emerging threats and new vulnerabilities.
OWASP WSTG: Web Security Testing Guide Checklists ✅
Our team have produced the following OWASP Web Security Testing Guide (WSTG) Checklists ✅
Understanding Rootkits: Detection, Prevention, and Defence
We explain what rootkits are, types, how they work, and the dangers they pose.
Does SameSite Provide Sufficient CSRF Defence?
Our team answers a common question on what the SameSite cookie attribute is, and whether it provides sufficient protection against CSRF on its own (without other mitigations).
What Was SSLeay? The History of SSLeay
We explain what SSLeay was, and how the cryptographic library laid the groundwork for SSL/TLS implementations. Our team explain its creators, legacy, and the projects that forked it, including OpenSSL and LibreSSL.
SSL & TLS HTTPS Testing Guide
Aptive explain how to approach SSL / TLS security testing. This article documents the process of using semi automated tools to perform SSL & TLS security assessments and how to validate the tool findings using manual testing methods. Our team have shared this resource in an effort to optimise the TLS & SSL security testing process when performing security assessments, (hopefully) reducing the time spent on TLS security testing.
Unrestricted File Upload Testing & Bypass Techniques
Our team explains how to test for Unrestricted File Upload Vulnerabilities including filter bypass techniques for Windows, Linux, Apache and IIS.
Website Security Audit Explained
We explain what a website security audit is, and how it may differ from an application assessment (spoiler alert, it's the same thing).
What Is a Business Logic Vulnerability? Attacks Explained
We explain business logic vulnerabilities, their impact, and how to prevent them. Discover key strategies like threat modelling, input validation, and secure access controls.
What are Default Credentials? Detection, Risks, and Prevention
Our team explain what Default Credentials are, how they occur, and the security risks they introduce. We provide examples and practical methods to detect and prevent this vulnerability.
What are Hardcoded Credentials?
Our team explain what Hardcoded Credentials are, how they occur, and the security risks they introduce. We provide practical methods to detect and prevent this vulnerability.
What are Misconfigured HTTP Headers?
We explain what misconfigured HTTP headers are, how they occur, and the potential security risks they introduce. Our team documents practical methods to detect and prevent this misconfiguration.
What are Exposed Verbose Error Messages?
Our team explain what Verbose Error Messages are, how they occur, and the security risks they introduce. We provide practical methods to detect and prevent this vulnerability.
What are Vulnerable and Outdated Components?
We explain what Vulnerable and Outdated Components are, how they occur, and the security risks they introduce. Discover practical methods to detect and prevent this vulnerability.
What is Account Takeover (ATO)?
Our team explains what account takeover is, how it may occur, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Blind SQL Injection? Attack Explained
We explain what Blind SQL Injection is, how attackers exploit it without seeing the query results directly, the security risks involved, and effective mitigations.
What Is Blind SSRF? Blind SSRF Attack Explained with Examples
We explain blind SSRF attacks, how they occur, their risks, and how manual web app security testing can help identify these vulnerabilities. Understand the potential impact and mitigations.
What is Blind Cross-site Scripting (Blind XSS / BXSS) ? Detection, Risks, and Prevention
We explain what Blind Cross-site Scripting (BXSS) is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Boolean Based SQL Injection? Attack Explained
We explain what Boolean Based SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is Broken Authentication? Detection, Risks, and Prevention
We explain what Broken User Authentication is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is a Brute Force Attack? Methods, Examples, and Prevention
We explain what a brute force attack is, how adversaries use it to crack passwords, and effective prevention methods and best practices.
What Is a Buffer Overflow? Attack, Types & Examples
We explain what a buffer overflow vulnerability is within the context of application security, the languages most susceptible to them, and the potential impact of exploitation.
What Is Clickjacking? Clickjacking Attack Explained
Our team explains what clickjacking is, how it works, its potential impacts, and effective mitigation strategies to protect web applications from this attack.
What is Cloud Metadata Exposure?
We explain what cloud metadata exposure is, how it may occur, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What Is Code Injection? Attack Explained with Examples
We explain code injection vulnerabilities, how they differ from OS command injection, and the best practices for mitigating these security risks to protect your applications from attacks.
What is Credential Stuffing?
We explain what a credential stuffing attack is, how it may occur, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What Is CRLF Injection? Attack Explained
We explain what a CRLF injection attack is, how it works, and the security risks it poses. Discover effective mitigation strategies, including input validation, output encoding, and secure HTTP header handling.
What Is Cross Frame Scripting (XFS)? Attack Explained with Examples
Our team explains what Cross-Frame Scripting (XFS) attacks are and some effective mitigations, including HTTP headers, Content Security Policies, iframe sandboxing, and more.
What Is Cross Site Request Forgery (CSRF)? Attack Explained with Examples
Our team explains what Cross-Site Request Forgery (CSRF) is, how attackers exploit it, and the best security measures to prevent it, including CSRF tokens, SameSite cookies, and origin validation.
What Is CSV Injection? Formula Injection Attack, Types & Examples
We explain CSV Injection, how it works, its associated risks, and a practical example of a proof of concept (PoC). Discover best practices for securing web applications against this threat.
What is a Dependency Confusion Attack?
Our team explains what a Dependency Confusion Attack is, how they occur, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is a Directory Listing Vulnerability: Understanding & Prevention
We explain what makes a directory listing a vulnerability (it's not always!), how they could expose sensitive data, and best practices for disabling them on common web servers such as Apache, Nginx, and IIS.
What is a Directory Traversal Attack? Path Traversal Explained
We provide an overview of directory traversal attacks, also known as path traversal attacks, which are commonly found in web applications, mobile apps and APIs.
What is a DKIM Replay Attack? Real World Example (Google Sites)
Our team explain DKIM replay attacks, in which an attacker intercepts a legitimate email that has been signed with a DomainKeys Identified Mail (DKIM) signature and then resends it to a large number of recipients, with a real world example involving Google Sites.
What Is DNS Rebinding? Attack Explained with Examples
Aptive provide an overview of how DNS rebinding attacks work, how they can be combined with other vulnerabilities to exploit internal networks, and the methods attackers use to bypass security measures. Understand the process, examples, and preventive techniques in this detailed guide.
What is DOM based Cross-site Scripting (DOM XSS)? Detection, Risks, and Prevention
Aptive explain what DOM based Cross-site Scripting is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is DoubleClickJacking? Attack Explained
We explain what DoubleClickJacking is, how attackers exploit it to deceive users into unintended actions, the security risks involved, and effective mitigations.
What is Error Based SQL Injection? Attack Explained
Our team explains what Error Based SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is Excessive Data Exposure? Detection, Risks, and Prevention
We explain what Excessive Data Exposure is in our experience: how it occurs and the security risks it introduces. Discover practical methods to detect and help prevent this vulnerability.
What is Forced Browsing: Learn Forced Browsing a Web Application Vulnerability
We explain what forced browsing is within the context of web application security, risks, methods of identification, and best practices for mitigation.
What is Fuzzing: Learn Techniques, Benefits, and Best Practices in Cybersecurity
We explain what fuzzing is within the context of cybersecurity testing, including key techniques, tools and benefits.
What is Horizontal Privilege Escalation (PrivEsc)? Attack Explained
Our team explains what Horizontal Privilege Escalation is, how attackers exploit it to access other users' data and functions, the security risks involved, and effective mitigations.
What Is Host Header Injection? Host Header Attacks Explained
Aptive explain Host Header Injection, a critical web security vulnerability that can lead to phishing, cache poisoning, and account takeover. Discover how attacks occur, their risks, and effective mitigation strategies to help protect web applications.
What is HTTP Request Smuggling (HRS)? Attack Explained
Aptive explain what HTTP Request Smuggling (HRS) is, how attackers exploit it, the security risks involved, and effective mitigations.
What Is HTTP Response Splitting? HTTP Response Header Injection Attack Explained
The team at Aptive explain HTTP Response Splitting, a web security vulnerability that enables attackers to manipulate HTTP responses. This guide explains how it works, its security risks, and effective mitigation strategies to protect web applications.
What is Insecure Direct Object Reference (IDOR)? Detection, Risks, and Prevention
Aptive's team explain what Insecure Direct Object Reference is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is In-Band SQL Injection? Attack Explained
Our team at Aptive explain what In-Band SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is Ineffective Role-Based Access Control (RBAC)?
We explain what Ineffective Role-Based Access Control (RBAC) is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What Is Insecure Deserialization? Attack Explained
Our team explains insecure deserialization, its risks, and how it can be exploited in applications. Discover strategies to mitigate this vulnerability and secure your systems.
What is Insufficient Account Lockout Policy?
Our team provides an overview of what an Insufficient Account Lockout Policy is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is LDAP Injection?
Aptive explains how LDAP Injection exploits insecure query handling, enabling authentication bypass, data exfiltration, and privilege escalation. Learn key attack techniques, detection methods, and best practices for securing LDAP based applications.
What is Missing Authorisation?
Our team explains what a Missing Authorisation Check is, how attackers exploit it to reach functions and data they should not be permitted to access, the security risks involved, and effective mitigations.
What is Missing Multifactor Authentication (MFA)?
Aptive explain what Missing Multifactor Authentication is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is No Rate Limiting? Detection, Risks, and Prevention
Our testing team explain what Missing Rate Limiting is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Out-of-Band (OOB) SQL Injection? Attack Explained
Our team explain what Out-of-Band (OOB) SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is an Open Redirect: Understanding Open Redirect Vulnerabilities in Web Applications
Our team explain open redirect vulnerabilities, how they are exploited, and the best practices for detecting and mitigating these security flaws in web applications to protect against phishing and other malicious activities.
What Is OpenSSL?
Our team explain what OpenSSL is and how it works, along with the modern protocols that have replaced SSL.
What is OS Command Injection?
Our team provide an overview of what OS Command Injection is, how to detect, exploit and help prevent the web vulnerability.
What Is Password Reset Poisoning?
Our team explain what Password Reset Poisoning is, a host header attack that exploits weak password reset mechanisms. Understand how attackers manipulate reset links and discover effective mitigation strategies to help protect web applications.
What is Port Scanning? Port Scans Explained
Our team explain the basics of port scanning, a network security technique used to identify open ports, services, and potential vulnerabilities on a system. Discover different types of port scans, their uses in cybersecurity, and how they help assess and secure network infrastructures.
What is Privilege Escalation (PrivEsc)? Identification, Risks, and Prevention
Our team explain what Privilege Escalation is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is a Race Condition? Race Condition Web Vulnerability Explained
Aptive explain how race conditions occur in web applications and effective mitigation strategies, including locks, atomic operations, transactions, and optimistic concurrency control.
What is Reflected Cross-site Scripting (Reflected XSS)? Detection, Risks, and Prevention
Aptive explain what Reflected Cross-site Scripting is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Remote Code Execution? RCE Vulnerability Explained
Our team explain Remote Code Execution (RCE) vulnerabilities, how they occur, their potential impact, and effective mitigation strategies to protect your systems from exploitation.
What is Reverse Tabnabbing? Tabnabbing Web Vulnerability Explained
We explain reverse tabnabbing, a web attack that manipulates browser tabs to steal sensitive information. Learn how it works, its potential impacts, and effective mitigation strategies to enhance online security.
What Is Same Site Scripting? Attack Explained With Examples
Aptive explain Same Site Scripting, how the attack works, and mitigation strategies to help protect web applications.
What is Security Testing?
Our team detail what security testing is and the different types, including web app, mobile app, penetration testing, IoT, API, cloud, and vulnerability testing, to safeguard your digital assets.
What Is Server Side Request Forgery (SSRF)? Attack Explained With Examples
Our team explains what Server Side Request Forgery (SSRF) is, how it impacts web applications, and practical techniques for identifying and mitigating SSRF vulnerabilities to protect sensitive internal systems.
What Is Server Side Template Injection (SSTI)? Attack Explained with Examples
The team at Aptive explains what Server-Side Template Injection (SSTI) is, how it works, its impact, and how to prevent it. This practical guide covers SSTI detection, exploitation risks, and security best practices to help protect web applications.
What Is Session Fixation? Attack Explained
We explain what session fixation is, how it works, and the impacts it can have on web security. Discover effective strategies for mitigating session fixation attacks and protecting your application.
What is a Session Hijacking Attack?
We explain what a Session Hijacking attack is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is SQL Injection? SQLi Explained
Our team explains what SQL Injection is, how the attack works, and the potential risk to your organisation.
What is SSL? SSL Explained
Our team dives into explaining what SSL (Secure Sockets Layer) is, how it works, and its role in securing online communications. Learn about SSL certificates, the differences between SSL and TLS, and why modern websites use TLS encryption instead.
What is Stacked Queries SQL Injection? Attack Explained
Our team explain what Stacked Query SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is Stored Cross-site Scripting (Stored XSS)? Detection, Risks, and Prevention
Our assessment team explain what Stored Cross-site Scripting is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Time Based SQL Injection? Attack Explained
Our security testing team explain what Time Based SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What is Transport Layer Security (TLS)?
Our team explain what TLS (Transport Layer Security) is, how it works, its importance for organisations, and how to securely implement it on your web server.
What is UNION SQL Injection? Attack Explained
We explain what UNION SQL Injection is, how attackers exploit it, the security risks involved, and effective mitigations.
What are Unverified Software Updates?
We explain what Unverified Software Updates are, how they occur, and the security risks they introduce. Discover practical methods to detect and prevent this vulnerability.
What is Username Enumeration? Detection, Risks, and Prevention
Our team explain what username enumeration is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
Vulnerability and Penetration Testing (VAPT) Explained
Our team at Aptive provide an overview of VAPT, its benefits, and how it could improve your organisation's security posture.
What is Vertical Privilege Escalation (PrivEsc)? Attack Explained
Our team explain what Vertical Privilege Escalation is, how attackers exploit it to gain higher privileges than intended, the security risks involved, and effective mitigations.
What Is Vulnerability Scanning?
We dive into explaining what vulnerability scanning is, how it works, and why it is essential for cybersecurity. Learn about different scan types, their role in risk management, and best practices for maintaining a secure IT environment.
What is a Weak Password Policy?
We explain what a Weak Password Policy is, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What Is Web Cache Poisoning? Attack Explained
The team at Aptive explain what Web Cache Poisoning is, a critical web security threat that allows attackers to manipulate cached content and serve malicious responses to users. This guide explains how the attack works, provides a diagram example, and outlines mitigation strategies to help protect web applications.
What Is Website Vulnerability Scanning? Importance, Process, and Tools
Our team explain what website vulnerability scanning is and how it is used to identify potential threats, the common vulnerabilities it detects, and the tools and techniques used.
What is XPath Injection?
Our team explain XPath Injection, a critical web security vulnerability that exploits improper handling of user input in XML queries. Discover how to prevent attacks with secure coding practices, input validation, and parameterised queries.
What is XXE Injection? Detection, Risks, and Prevention
Our team explain what XXE Injection is with real world examples, how it occurs, and the security risks it introduces. Discover practical methods to detect and prevent this vulnerability.
What is Cross-site Scripting (XSS)? XSS Explained
Our team provides an overview of what Cross-site Scripting is, how the attack works, and the potential risk to your organisation.