Inferential SQL injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would…
The Draft UK Investigatory Powers Bill
This week a draft ‘Investigatory Powers Bill’ was released by Home Secretary Theresa May and is receiving a great deal of media intention, instead being dubbed the UK ‘Surveillance Bill’. What’s it for? The bill is introduced as being for consolidation of all the laws…
New vBulletin pre-authentication RCE 0-day discovered, being used in the wild
A high-severity Remote Code Execution (RCE) vulnerability has been identified in the latest version of vBulletin. The 0-day vulnerability in the popular forum software, came to light when when vBulletin’s developers released a security update for versions 5.1.4 through 5.1.9 of the software on Monday…
In the headlines: TalkTalk breach, Joomla and Drupal patches, CISA bill, 1000 KKK members, and more
TalkTalk breach could affect 4 million users Another cellphone provider has hit the headlines with a breach; this time the UK provider TalkTalk. Following an attack which occurred in February, this latest breach happened last week and the company has admitted that not all stolen…
SQLi part 4: In-band SQLi (Classic SQLi)
SQL injection can be classified into three major categories – In-band SQLi, Inferential SQLi and Out-of-band SQLi. In this article we shall be exploring In-band SQL Injection. LEARN MORE: SQL Injection Cheat Sheet by Invicti In-band SQLi (Classic SQLi) In-band SQL injection is the most…
000webhost Breach Exposes 13 Million Passwords
000webhost is one of the most popular free hosting providers out on the Internet. Unfortunately for them and their users, all their 13 million user accounts have had their usernames and passwords leaked through what was eventually revealed to be a database breach via an…
SQLi part 3: The anatomy of an SQL Injection attack
An SQL injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query. In the example below, it shall be assumed that the attacker’s goal is to exfiltrate data from…
New Joomla! SQL Injection vulnerability gives attackers full control of your website
A high-severity SQL injection vulnerability has been identified in versions 3.2 through to 3.4.4 of Joomla!. The popular Content Management System (CMS), second only to WordPress with a staggering 6.6% CMS marketshare (as of October 23, 2015, based on a W3Techs’ trend reports runs on an estimated…
Get tested during Cyber Security Awareness Month
It is October again, and that means that it is a better time than ever to set aside some time to gather the relevant troops inside your organization to evaluate your information security posture – because October is National Cyber Security Awareness Month! Since its…