Cross-site Scripting (XSS) is a much talked-about type of injection vulnerability that occurs on the client-side (that is, in a user’s browser). It occurs, predominantly through the use of JavaScript due to its prevalence in most browsing experiences. Cross-site Scripting can be classified into four…
SQL injection slowly receding, but still a major concern
SQL injection (SQLi) is a frequent topic on this blog – it refers to an injection attack that allows an attacker to execute malicious SQL statements that allow the attacker to control a web application’s database server. Since an SQL injection vulnerability could possibly affect…
In the headlines: US Department of Energy, IBM census site, NSA cyber defense hack, Sage data breach and more
US Department of Energy invests $34m in cybersecurity The Department of Energy in the US is set to invest $34m in 12 individual projects aimed to secure the smart grid. The projects are described as being aimed to improve the ‘reliability and resilience’ of US…
Drupal Ransomware Vulnerability Attacks – Rex
For the past few months, multiple reports regarding a ransomware primarily affecting the popular CMS, Drupal have been emerging. The ransomware itself has no official name however is currently being dubbed as Rex. In May 2016, it was reported that 400 Drupal installations were affected, and…
Pentest Diaries: Negative Transfers and Android eWallets don’t Mix
eWallets, or digital wallets are becoming evermore popular. Most Android eWallets are apps that allow a user to make electronic transactions, including purchasing items online or in-person. Some services even allow an individual’s bank account to be linked to the service. Naturally, breaking the security…
Hunting for XXE in Uber using Acunetix AcuMonitor
XML External Entity (XXE) vulnerabilities are attacks which involve an attacker abusing an application which parses XML. The attack occurs against an XML parser which has XML entities enabled. If you are not familiar with XML entities, you can think of them as a rarely…
How to set-up HTTP Authentication (Basic) with Nginx on Ubuntu 16.04
Restricting portions of a web application or directories on a web server to a small group of trusted users can greatly improve the security of a website or web application. Most web applications provide their own form-based methods for authentication, however, we can also make…
In the headlines: LastPass vulnerability, Hillary Leaks, remote code execution vuln on Pornhub, and more
LastPass password manager vulnerability gives hackers your passwords LastPass is one of the most popular password managers around and can also be added to your browser, allowing you to store and auto fill all your passwords, using just one master password to access them. So…
EU Network and Information Security Directive sets legal requirement to report breaches
The EU have just passed a new directive, the Network and Information Security Directive, which was approved in December of 2015 and passed through last week. The directive comes into force in August of this year, with a 21 month limit to implement it, by…