NetSPI Blog

Eric Gruber

Eric has a BS and a Master's in Computer Science from the University of Minnesota, focusing on networking, security, and software engineering. He has done work in the education, information technology, and information security industries, designing and developing software, maintaining information systems, and researching security topics. At NetSPI, Eric's primary duties include network, web application, thick application, and mobile penetration testing. He also helps develop applications and scripts for the NetSPI penetration testing team. Eric currently holds the GCIH and GXPN certifications.

Eric Gruber
July 5th, 2017

Anonymous SQL Execution in Oracle Advanced Support

A little over a year ago I was performing a penetration test on a client’s external environment. One crucial step in any external penetration test is mapping out accessible web servers. The combination of nmap with EyeWitness make this step rather quick as we can perform port scanning for web servers and then feed those […]

Eric Gruber
March 2nd, 2016

Java Deserialization Attacks with Burp

The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying…

Eric Gruber
May 26th, 2015

Debugging Burp Extensions

Burp is a very useful tool for just about any type of testing that involves HTTP. What makes it even better is the extension support that it offers. People can compliant the features that Burp has to offer with their own extensions to create a very powerful well-rounded application testing tool that is tailored to their […]

Eric Gruber
May 11th, 2015

Top 10 Critical Findings of 2014 – Mobile Applications

We saw a very large increase in the number of mobile applications we tested in 2014. Among them, there were slightly more iOS applications than Android ones. In this blog post I will cover high level trends and the top 10 critical vulnerabilities we saw in 2014 during mobile applications penetration tests. High Level Trends There […]

Eric Gruber
April 13th, 2015

Top 10 Critical Findings of 2014 – Thick Applications

2014 has come and gone, so we thought we’d put out a list of some of the most common critical findings that we saw during thick application penetration tests over the past year. We keep a massive amount of statistics for every assessment we do and in this blog I’ll cover high level trends and […]

Eric Gruber
April 6th, 2015

Decrypting WebLogic Passwords

The following blog walks through part of a recent penetration test and the the decryption process for WebLogic passwords that came out of it.

Eric Gruber
February 2nd, 2015

Dumping Git Data from Misconfigured Web Servers

Every so often when performing a penetration test against a web application or a range of external/internal servers I come across publicly accessible .git directories. Git is a revision control tool that helps keep track of changes in files and folders and is used extensively in the web development community. This blog isn’t going to […]

Eric Gruber
January 19th, 2015

Attacking Android Applications With Debuggers

In this blog, I am going to walk through how we can attach a debugger to an Android application and step through method calls by using information gained from first decompiling it. The best part is, root privilege is not required. This can come in handy during mobile application penetration tests because we can step into an application […]

Eric Gruber
June 23rd, 2014

Verifying ASLR, DEP, and SafeSEH with PowerShell

Update: This post is a little bit out-of-date in regards to using the PowerShell script. Refer to the Github repo ( for an updated script and instructions on how to use it. Today I am releasing a PowerShell script that easily displays whether images (DLLs and EXEs) are compiled with ASLR (Address Space Layout Randomization), DEP (Data Execution […]