HackDig : Dig high-quality web security articles for hacker

Injection Attacks: The Least Glamorous Attack Is One of the Most Threatening

Very little in life grabs our attention like a shiny new object. The gleam can be irresistible, the glitter mesmerizing. That’s how it is in cybersecurity, where the landscape is almost always dotted with alluringly novel hazards. Brand new threats, fresh twists on old threats — the shiny malicious objects just keep on coming, year in and year out. 201
Publish At:2017-11-02 13:10 | Read:4911 | Comments:0 | Tags:Threat Intelligence IBM Managed Security Services (MSS) IBM

The Educator’s Back-to-School Cybersecurity Checklist: Make Mitigating Command Injection a Priority

Pencils? Check. Notebooks? Check. Web applications and servers patched and sanitized? Hopefully. In many parts of the world, educators and students in primary, secondary and higher education institutions are reviewing their checklists to ensure academic preparedness for the new school year. But what about the education sector’s IT workers? What should
Publish At:2017-08-30 20:10 | Read:2983 | Comments:0 | Tags:Risk Management Threat Intelligence Academia Data Protection

Kapustkiy hacked the website of the Costa Rica Embassy in China

The popular hacker Kapustkiy continues to target websites of embassies across the world; the latest victim is the Costa Rica Embassy in China. The hacker Kapustkiy continues his string of hacks: today he announced a new data breach, the victim being the Costa Rica Embassy in China. Kapustkiy accessed a database containing 280 login credentials, but just published
Publish At:2016-12-23 01:45 | Read:2398 | Comments:0 | Tags:Breaking News Data Breach Hacking Costa Rica Embassy data br

Kapustkiy hacked the Slovak Chamber of Commerce

Kapustkiy announced the data breach of the Slovak Chamber of Commerce (www.scci.sk); more than 4,000 user records were accessed. New week, new hack! This is the motto of Kapustkiy, who announced the breach of the Slovak Chamber of Commerce (www.scci.sk). The popular hacker accessed data belonging to more than 4,000 users and published it on Pastebin. The h
Publish At:2016-12-20 00:00 | Read:3456 | Comments:0 | Tags:Breaking News Data Breach Hacking data breach Injection Slov

Android Native API Hooking with Library Injection and ELF Introspection.

This post can be considered both the part 2 of the previous "Dynamically inject a shared library into a running process on Android/ARM" and a proof of concept of the same, namely what can be done with library injection on Android. TL;DR I've updated the source code of the arminject project on github adding a library that once injected into a process will
Publish At:2015-05-04 23:30 | Read:4045 | Comments:0 | Tags:hooking api hooking library android injection elf relocation

Dynamically inject a shared library into a running process on Android/ARM

If you're familiar with Windows runtime code injection, you probably know the great API CreateRemoteThread, which lets us force an arbitrary running process to call LoadLibrary and load a DLL into its address space. This technique, called DLL Injection, is often used to perform user space API hooking; you can find a good post about it on Gianluca Braga's blog.
Publish At:2015-05-02 05:45 | Read:4255 | Comments:0 | Tags:hooking api hooking library android injection ptrace remote

75,000 GBP Fine For SQL Injection From ICO But With 90% Discount

Lancaster-based apartment booking company Worldview Limited has been fined under the Data Protection Act for allowing unauthorised access to customers' details. The company operates under two UK brands, Citybase Apartments and Central London Apartments. Although customers' payment details had been encrypted, the means to decrypt the information - known as the
Publish At:2014-11-07 09:15 | Read:6512 | Comments:0 | Tags:injection corrective technical SQL vulnerabilities data prot

OWASP Snakes and Ladders

In a month's time we will probably be in full office party season. I have been preparing something fun to share and use: an awareness document for application security risks and controls. Snakes and Ladders is a popular board game, with ancient provenance, imported into Great Britain from Asia by the 19th century. The original game showed the effects o
Publish At:2014-11-06 06:15 | Read:4536 | Comments:0 | Tags:preventative data protection code injection business logic p

Ametys CMS 3.5.2 (lang parameter) XPath Injection Vulnerability

Input passed via the ‘lang’ POST parameter in the newsletter plugin is not properly sanitised before being used to construct an XPath query for XML data. This can be exploited to manipulate XPath queries by injecting arbitrary XPath code. Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5162.php
Publish At:2014-08-13 01:56 | Read:2919 | Comments:0 | Tags:Internal advisory ametys CMS data injection manipulation rem

BoxBilling 3.6.11 (mod_notification) Stored Cross-Site Scripting Vulnerability

BoxBilling suffers from a stored cross-site scripting vulnerability. Input passed to the ‘message’ POST parameter through the ‘Notification Center’ extension/module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of a
Publish At:2014-08-13 01:56 | Read:3731 | Comments:0 | Tags:Internal advisory boxbilling cross-site html injection javas

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious w
Publish At:2014-08-13 01:55 | Read:3549 | Comments:0 | Tags:Internal advisory application crm csrf exploit flaw html inj
