Why is Source Code Disclosure dangerous?

Source code often contains some form of sensitive information—whether it be configuration related information (e.g. database credentials) or simply information on how the web application functions. If disclosed, such information can potentially be used by an attacker to discover logical flaws and escalate into a subsequent chain of attacks which would not be possible without […]

An Introduction to Web-shells – Part 1

A web-shell is a malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. A web-shell itself cannot attack or exploit a remote vulnerability, so it is always the second step of an attack (this stage is also referred to as post-exploitation). An attacker […]

Scanning non-public web applications with Acunetix OVS

The Software Development Life Cycle (SDLC) is full of challenges — developers have strict deadlines for creating functional, scalable, maintainable and testable code. What’s more, that code needs to be secure. Acunetix Online Vulnerability Scanner (OVS) can automatically test any Internet-facing website or web application for thousands of vulnerabilities. However, since automated security testing often […]

Verizon Data Breach Investigations Report 2016

So, it’s that time of year again. The Verizon Data Breach Investigations Report is out and it’s time for us to take a good look and analyze their results. The cover, which is dark and features an illuminati-style symbol, and the pull-out statistic of ‘89% of breaches had a financial or espionage motive’ promise some […]

GoDaddy Blind XSS vulnerability – How to detect it and other Out-of-Band Vulnerabilities

Recently, security researcher Matthew Bryant discovered a blind cross-site scripting (BXSS) vulnerability in GoDaddy’s customer support portal — that is, the portal accessible only to GoDaddy customer service representatives, not customers.

New post: Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS – https://t.co/uEJWPU8Y4O — mandatory/MattBryant (@IAmMandatory) May 8, 2016

After disclosing the vulnerability to […]