HackDig : Dig high-quality web security articles for hacker

Finding and Exploiting Same Origin Method Execution vulnerabilities

Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick
Publish At:2015-12-31 16:50 | Read:1613 | Comments:0 | Tags:exploitation Open Source pentesting pentura privacy security

[IRCCloud] History and Another XSS Bug Bounty

Personally, I have been a user of IRC since 2004 on some private networks and some other well-known ones such as Freenode. However, it was always inconvenient to have to set up an IRC Bouncer, so when IRCCloud came around, I was excited to try it and see if it provided me with a method of staying connected to all the required networks without having to downl
Publish At:2015-10-14 11:40 | Read:899 | Comments:0 | Tags:fuzzing infosec pentesting pentura security Software Vulnera

Fuzzing for Fun and Profit

So as you do, I was just looking around, manually fuzzing some Web Sockets requests, seeing if I could get any sort of XSS, Remote IRC Command Injection or SQLi mainly – ended up that I didn’t find much there that worse worth noting. So I started seeing if their logic was all alright, so one of their requests looked similar to: {“_reqid”:1234, “cid”:5678, “t
Publish At:2015-10-13 17:40 | Read:978 | Comments:0 | Tags:exploitation fuzzing infosec pentesting pentura security Sof

Most businesses do not understand data breach risks

Research by HP has uncovered a lack of understanding among businesses of the risks associated with data breaches. More than 70% of US and UK executives surveyed by the Ponemon Institute said that their organisation does not understand fully the dangers of breaches, while less than half of top executives and board members are kept informed about the response
Publish At:2014-11-07 15:20 | Read:1132 | Comments:0 | Tags:pentura

Research Reveals Cost of Online Fraud to UK

This week has been Get Safe Online Week and to coincide with the event, the National Fraud Intelligence Bureau researched cyber-crime in the UK. The research found that over the last year, the ten biggest online scams cost victims over £670m – although the actual figure is thought to be significantly higher than that due to unreported crimes. A separate poll
Publish At:2014-10-30 18:20 | Read:978 | Comments:0 | Tags:pentura

Kmart hit by card hack attack

It’s been revealed that a data breach at US retail chain Kmart that compromised card details lasted over a month. The discount department store said that the malware was discovered last week but had been operating since early September. Based on its investigation so far, the company said that it believes credit and debit cards were exposed but that no person
Publish At:2014-10-22 21:15 | Read:1119 | Comments:0 | Tags:pentura

AT&T suffers insider data breach

AT&T has become the latest multinational company to suffer a data breach after one of its own employees gained access to customer data. The US mobile telecoms giant has started informing around 1,600 customers in Vermont that their personal data was breached in August. In a letter posted on the Vermont government’s website, AT&T confirmed that a form
Publish At:2014-10-09 10:50 | Read:1474 | Comments:0 | Tags:pentura

New security flaw uncovered in WordPress

Researchers have revealed a potentially serious flaw in WordPress software, that allows hackers to search for abandoned or inactive WordPress sites before mounting phishing attacks aimed at enticing users to install infected updates.  Hackers can then quickly hijack the website and direct visitors to deliver malicious content. WordPress is by far the most po
Publish At:2014-10-03 10:20 | Read:1247 | Comments:0 | Tags:pentura

Shell Shock Rapid 7 Threatsweeper

By now, you may have heard about CVE-2014-6271, also known as the “bash bug“, or even “Shell Shock”, that may affect your organisation. It’s rated the maximum CVSS score of 10 for impact and ease of exploitability. The affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD, and Unix-like systems, including Mac
Publish At:2014-09-26 09:50 | Read:1468 | Comments:0 | Tags:pentura

Chat Forums the Latest Method of Attack for Hackers

Reports surfaced this week that Amazon’s Twitch.TV gaming site had been hit by a malware attack that targeted chat forums to access user’s machines.  Hackers were found to be sending phishing messages across the site’s chat forums, which lured users with offers of raffle prizes, then drops a malicious Windows binary file on anyone who replies with thei
Publish At:2014-09-25 12:30 | Read:1165 | Comments:0 | Tags:pentura

Pentura Recruiting

Pentura are currently recruiting for CHECK Team Members (CTM) with Web Application Testing experience. Please send CVs to: James Taylor Head of Penetration Testing Services james.taylor@pentura.com
Publish At:2014-09-24 15:50 | Read:2373 | Comments:0 | Tags:pentura

Flexible Working Enlarges Scope of IT Security

New Kaspersky research released this week reported that Children are a major threat to internet security with 20% of parents reporting losing money or information due to their children’s online activity. While parents are already feeling the repercussions of children using devices, businesses should also be taking note of the threat posed. With professionals
Publish At:2014-09-15 04:30 | Read:1196 | Comments:0 | Tags:pentura

Gmail Flaw Highlights Mobile App Risks

Researchers at the University of California’s College of Engineering and the University of Michigan have identified a weakness in Gmail’s mobile application that could allow malicious third party apps to obtain personal information from users’ email accounts. Researchers found that 92 percent of Gmail accounts, and around 82 per cent of the
Publish At:2014-09-01 09:20 | Read:1591 | Comments:0 | Tags:pentura

Paddy Power Notifies Customers of Data Breach… Four Years Late

Irish bookmaker Paddy Power has admitted that personal details of more than 600,000 customers were stolen in a cyber-attack that occurred in 2010. The company revealed that it was aware of an attack on its system four years ago but failed to inform customers of the security breach. Data including names, usernames, postal addresses, email addresses, phone num
Publish At:2014-08-27 05:20 | Read:1922 | Comments:0 | Tags:pentura

Documentum DQL Injection / ESA-2014-046

Before naming your vulnerabilities became cool (Heartbleed anyone?) I discovered an issue on the EMC Documentum software and internally called it “injeception”. Now that naming your vulnerability is so mainstream I will just call it ESA-2014-046 (that, surprisingly, matches with the name used by the vendor!) But why that name? Well, it’s 2014 and they have r
Publish At:2014-08-21 04:40 | Read:1488 | Comments:0 | Tags:pentura

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud