Netflix has released an open source tool that their engineering team have developed in-house that can find second-order XSS vulnerabilities in web applications. The tool is called Sleepy Puppy, and while it’s a good initiative from Netflix, the auto-detection of ‘Delayed XSS’ is nothing new….
Author Archives Ian Muscat
THE AUTHOR
Ian Muscat
Password hashing and the Ashley Madison hack
The mainstream media is in a frenzy about the Ashley Madison hack, and with good reason. Aside from the shady social and moral motives that most people are criticising Avid Life Media (the site’s owners) about, the breach is a notable one in terms of…
WordPress 4.3 “Billie” improves password resets
The WordPress team have just announced that the 4.3 release of the massively popular blogging and content management software has been released to the public. While there are some interesting new usability features, the WordPress team have also released a new security feature that deals…
Business Logic Security Testing with Acunetix v10
Business logic in web applications refers to the encoding of real-world business rules that determine how data should be created, displayed, stored, and changed in a workflow-style process. Applications implementing business logic are not easy to test automatically because they are meant to be used…
Scanning for malicious links and phishing links
Any webmaster who has administered a blog with comments enabled or a forum knows all too well what a nightmare spam comment and post can be. While spam remains a problem, there are a lot of options (most notably Akismet for WordPress) how you can…
Is the new OpenSSL vulnerability Heartbleed all over again?
Last Monday, OpenSSL core team member Mark J Cox, delivered some, grim, but somewhat expected news on OpenSSL’s mailing list — A new version of OpenSSL is due to be released this Thursday 9th July, fixing a single security defect classified as “high” severity. OpenSSL is…
Genericons DOM-based XSS Vulnerability
Hundreds of WordPress themes and plugins that make use of the Genericons package, could be vulnerable to a DOM-based XSS vulnerability affecting millions of WordPress installations. Genericons are versatile vector icons embedded in a webfont from Automattic (the creators of WordPress). The vulnerability resides in…
Lessons to Learn from the AllCrypt Hack
On March 18, 2015, AllCrypt, a small crypto currency exchange posted what may very well be one of their last posts on their blog. The Bitcoin exchange had been hacked, resulting in stolen crypto currency. The AllCrypt Team described the attack in detail in their…
WordPress Security Tips Part 10 – Secure Your Debug Logs
During development of plugins or themes, as well as during deployment of a WordPress site, developers or system administrators may enable debug logs to log any PHP errors that occur. WordPress makes use of the WP_DEBUG constant which is defined in wp-config.php. The constant is…