Fail-safe defaults Software is bound to fail. Try as we might to create perfect, failure-resistant software, bugs will always exist that might cause software to fail. Notwithstanding this, it is important that this potential failure does not expose an application to a security risk. An…
In the headlines: Anonymous vs ISIS, Australian attorney general, NTP and DDoS exploits
Anonymous vs ISIS Naturally, even cybersecurity news in this past week has centred around ISIS in the wake of the Paris attacks. The main headline has come from Anonymous, who have again but more formally waged ‘war’ on ISIS themselves. So far their efforts seem…
Defence in depth and how it applies to web applications – Part 1
Information security generally refers to defending information from unauthorized access, use, disclosure, disruption, modification or deletion from threats. Organizations are constantly facing threats that exist both externally as well as internally — be they from nation states, political activists, corporate competitors or even disgruntled employees….
SQLi part 6: Out-of-band SQLi
Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather…
SQLi part 5: Inferential SQLi (Blind SQLi)
Inferential SQL injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would…
The Draft UK Investigatory Powers Bill
This week a draft ‘Investigatory Powers Bill’ was released by Home Secretary Theresa May and is receiving a great deal of media intention, instead being dubbed the UK ‘Surveillance Bill’. What’s it for? The bill is introduced as being for consolidation of all the laws…
New vBulletin pre-authentication RCE 0-day discovered, being used in the wild
A high-severity Remote Code Execution (RCE) vulnerability has been identified in the latest version of vBulletin. The 0-day vulnerability in the popular forum software, came to light when when vBulletin’s developers released a security update for versions 5.1.4 through 5.1.9 of the software on Monday…
In the headlines: TalkTalk breach, Joomla and Drupal patches, CISA bill, 1000 KKK members, and more
TalkTalk breach could affect 4 million users Another cellphone provider has hit the headlines with a breach; this time the UK provider TalkTalk. Following an attack which occurred in February, this latest breach happened last week and the company has admitted that not all stolen…
SQLi part 4: In-band SQLi (Classic SQLi)
SQL injection can be classified into three major categories – In-band SQLi, Inferential SQLi and Out-of-band SQLi. In this article we shall be exploring In-band SQL Injection. In-band SQLi (Classic SQLi) In-band SQL injection is the most common and easy-to-exploit of SQL injection attacks. In-band…