DROWN is an abbreviation for Decrypting RSA with Obsolete and Weakened encryption and seems to be applicable to servers using SSLv2. Just like Heartbleed, it may impact more than 11 million websites using OpenSSL. This blog explains preventing cryptographic protocols from the "DROWN attack". What can this vulnerability do? DROWN...
Application Security, Technology
The basic principle of CSRF vulnerability: Whenever we are accessing an application, the browser sends a request to the server and the server responds to the request by sending some data to the browser, called a response. This two-way communication continues as we continue using the application. When we log in to the application, the...
Application Security, Technology
TO THE NEW has been organizing conferences and actively participating in various conferences as well. I was invited to attend a presentation at SANS Community Night in Delhi, India on 14th Jan 2016. The topic of the talk was “DIY vulnerability discovery with DLL Side Loading”, and its use as a stealthy persistence technique for malware...
Application Security, Technology
We have seen a lot of applications where some sub-domains or sub-directories are publicly exposed (intentionally or by mistake). So, with experience from our past pentests we have made a habit of testing for vulnerable or accessible sub-domains. During one such test, I was manually testing the URLs of different sub-domains of the...
Application Security, Technology
During a recent penetration test on one of our clients' applications, we came across a case of malicious file propagation through the application server. The attack does not require an authenticated session. The vulnerable section is accessible by unauthenticated users. The attack involves an attacker submitting a malicious request (a...
I was recently searching for something on Google and came across this instance of what might be a logical vulnerability prevailing across multiple web applications. I was searching for publicly accessible Jenkins console through Google Dorking. My search query listed some of the websites that had Jenkins as a part of their domain...
Application Security, Technology
Android has been the most used mobile operating system to date. With its huge base of end users, Android has been guilty of hosting numerous security-related bugs in the past. With the latest version of Android, 6.0, namely Marshmallow, being released, I expected to see a few changes in the security model. Change in the permissions...
Application Security, Technology
Hackers and cyber criminals identify e-commerce sites as a source of information, such as credit cards and other PII (Personally Identifiable Information). To protect customers, it's necessary to know how to protect the application and the sensitive customer data it holds. All this involves users' trust and assurance in the brand and...
Application Security, Technology
In my previous blog on iThemes Security, we went through Dashboard, Configuration and Global Settings. In this second part of the blog series, a detailed understanding of the sections 404 Detection, Away Mode and Banned Users will be covered. 404 Detection: Hackers are always looking for vulnerabilities that can be exploited. Some...
Hackers and cyber criminals identify healthcare organizations as a source of assets, similar in a way that a bank has monetary assets. In case you have any doubt about the previous statement, I would like to reassure you that healthcare information has a monetary value and worth. And yes, it is at risk. What is wrong with the Healthcare...
WordPress websites are mostly an easy target for attacks due to improper file permissions and vulnerable plugins being installed. Different factors that lead to attacks on WordPress sites are: weak passwords, vulnerable plugins, and an obsolete version of WordPress being used. Possible Solution: Securing WordPress is a process and it...
Sleepy Puppy is a payload management framework for Cross Site Scripting that enables security engineers to simplify the process of capturing, managing, and tracking XSS propagations. Delayed XSS (a variant of stored XSS) Delayed XSS testing is testing that can be used to extend the scope of attack beyond the immediate effect of...