Insider Threats: Dealing with the Enemy Inside

For companies, threats come from two sources—outside the organization and inside (reads: disgruntled, unethical employees). Insider threats can be very difficult to handle and the number of annual incidents is on the rise. The insider threat can come in several forms: Employees who steal intellectual property Unhappy IT professionals who damage data and systems Professionals […]

Read More →

BREACH attack

The BREACH attack, abbreviated from Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, is an attack similar to the CRIME attack. Both attacks are compression side channel attacks, however CRIME targets information compressed in HTTP requests through TLS compression, whilst BREACH targets information compressed in HTTP responses through HTTP compression. HTTP compression is normally […]

Read More →

Server Side Request Forgery (SSRF)

A Server Side Request Forgery (SSRF) attack gives an attacker the ability to use your web application to send requests to other applications running on the same machine, or to other servers which can be on the same or on a remote network. Since the requests are being piggybacked via your server, the target might […]

Read More →

Automatic detection of XXE vulnerabilities in OpenID implementations using Acunetix AcuMonitor

Reginaldo Silva recently uncovered a very interesting bug affecting Facebook (and received $33,500 for this discovery). The bug is caused by improper handling of XML documents in OpenID implementations causing XML External Entity Expansion vulnerabilities. He mentioned in his article that many OpenID implementations/libraries are affected by this bug. I was curious to learn more […]

Read More →

Understanding the value of the OWASP Top 10 2013

Find out how IT security professionals can benefit from the free resources available from the OWASP Top 10 2013 List of Risks. As IT security professionals we certainly have our fair share of information available to simplify the work we do. There’s the CVE dictionary, the Special Publications from NIST, and even certain regulations such […]

Read More →

Web Security Vulnerabilities Exposed by Google Searches (Google Hacking)

Google Hacking is a hacking technique used by hackers to identify web security vulnerabilities on web applications or gather information for general or individual targets. Mostly this information includes configuration and source code files, sensitive data, database information, etc. This technique makes use of the Google Search engine to search for specific information regarding an […]

Read More →

WordPress Caching Plugins Remote PHP Code Execution

Two very popular WordPress caching plugins: WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads) have been affected by a vulnerability that allows remote users to execute arbitrary PHP code. The affected versions are: WP Super Cache (version 1.2 and below,  version 1.3.x and up are OK) W3 Total Cache (version 0.9.2.8 and below, version 0.9.2.9 is […]

Read More →