Author Archives Ian Muscat

THE AUTHOR

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.

What is Code Injection (Remote Code Execution)

Web Security Zone | April 15, 2019 by Ian Muscat

Code Injection or Remote Code Execution (RCE) enables the attacker to execute malicious code as a result of an injection attack. Code Injection attacks are different than Command Injection attacks. Attacker capabilities depend on the limits of the server-side interpreter (for example, PHP, Python, and…

Recommendations for TLS/SSL Cipher Hardening

Web Security Zone | April 10, 2019 by Ian Muscat

Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection. Note: At the time of writing of this article,…

How to Prevent SQL Injection Vulnerabilities in PHP Applications

Web Security Zone | March 27, 2019 by Ian Muscat

What Is SQL Injection? SQL Injection (SQLi) is a type of injection attack targeting a backend relational database. An attacker can use it to make a web application process and execute injected SQL statements as part of an existing SQL query. This article assumes that…

Out-of-band XML External Entity (OOB-XXE)

Web Security Zone | March 25, 2019 by Ian Muscat

As with many types of attacks, you can divide XML External Entity attacks (XXE attacks) into two types: in-band and out-of-band. In-band XXE attacks are more common and let the attacker receive an immediate response to the XXE payload. In the case of out-of-band XXE…

What Are XML External Entity (XXE) Attacks

Articles | March 24, 2019 by Ian Muscat

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker is able to cause Denial of Service (DoS) as well as access…

What is Local File Inclusion (LFI)?

Web Security Zone | March 11, 2019 by Ian Muscat

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses…

DAST vs SAST: A Case for Dynamic Application Security Testing

Web Security Zone | March 6, 2019 by Ian Muscat

Dynamic Application Security Testing (DAST) is a black-box security testing methodology in which an application is tested from the outside. A tester using DAST examines an application when it is running and tries to hack it just like an attacker would. On the other end…

Cross-site Flashing (XSF) WordPress Vulnerability, Unpatched and Exploitable

Web Security Zone | October 24, 2017 by Ian Muscat

WordPress, the content management system powering north of 28% of websites on the Internet, is certainly no stranger to providing timely security patches to its hundreds of millions of users when security researchers report them. This time however, things took a slightly different turn —…

The difference between Vulnerability Assessment and Penetration Testing

Web Security Zone | August 17, 2017 by Ian Muscat

Many information security professionals are familiar with the terms ”‘vulnerability assessment” and “penetration testing” (“pentest” for short). Unfortunately, in many cases, these two terms are incorrectly used interchangeably. This post aims to clarify differences between vulnerability assessment and penetration testing, demonstrate that both are integral…

Take action and discover your vulnerabilities