Posted inWeb application security
3 Ways of blocking sendmail.php on IIS webserver
Use IIS URL Rewrite Module and Request Filtering in IIS to block access to certain scripts. Sendmail.php for example. To prevent sending spam.
Posted inWeb application security
Disallow direct access to PHP files in wp-content/uploads/
It's recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how. Secure your WordPress site with this simple, yet effective, tip!
Posted inWeb application security
WordPress .htaccess security best practices in Apache 2.4.6+
Apache Access Control done right in WordPress .htaccess, 'Allow/Deny from all' versus 'Require All Granted/Denied'. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?
Posted inWeb application security
Protect WordPress from brute-force XML-RPC attacks
Secure WordPress against XML-PRC attacks. This post gives you some insights about how you can create an IP whitelist for xmlrpc.php, on Windows Server and Linux Apache (web.config and .htaccess). And how you can block access to xmlrpc.php file.
Posted inWeb application security WordPress
Check WordPress Core files integrity
Learn the importance of checking and verifying WordPress Core PHP files md5 checksums against WordPress' checksums API, using this standalone PHP file.
Posted inWeb application security
WordPress advisory: Akal premium theme XSS vulnerability
This post describes the Akal premium WordPress theme XSS vulnerability that I discovered. The theme suffers from a reflected Cross Site Scripting (XSS) vulnerability that would allow an attacker to steal an admin's cookie, if WordPress wasn't secured against that type of attacks.
Posted inWeb application security
“How we broke PHP, hacked Pornhub and earned $20,000”
This is a very interesting read on how Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide) were able to find a PHP unserialize bug to exploit and gain remote code execution on Pornhub. Pornhub’s bug bounty program is at Hackerone. Instead of actively attacking Pornhub, they took another road and attacked what Pornhub is built upon: PHP.
Posted inWeb application security
Binary webshell through OPcache in PHP 7
GoSecure wrote up a new PHP exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, it's possible to bypass certain hardening techniques that disallow the file write access in the web directory.
Posted inWeb application security
Cracking PHP rand()
Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().
Posted inWeb application security
Add a delay to your WordPress login form
This plugin adds a three second delay when logging into WordPress. This slows down brute-force attacks on your website. However, it is not recommended to use sleep(), because a heavy brute-force attack will let all those POST requests sleep for the given amount of time.
Posted inWeb application security
Joomla websites abused as open proxy for Denial-of-Service attacks
Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. The problem with the Joomla Googlemaps plugin lies in the fact anyone can execute cURL HTTP requests to remote websites.
Posted inWeb application security
Exploit PHP mail() to get remote code execution
If you are able to control the 5th parameter of PHP mail() function ($options), you have the opportunity to execute arbitrary commands. Remote Code Execution (RCE) in PHP mail()
Posted inWeb application security
Increase in SQL injection attacks
Since a week or so, I notice a huge increase in SQL injection attacks on various websites. Anyone else seeing the same SQL injection attacks lately? This increased SQL injection activity - on various web sites and databases - has the following characteristics
Posted inWeb application security
MySQL sleep() attacks
MySQL sleep() command injection attacks: how not validating your PHP user input can lead to Denial of Service (DoS) attacks against websites and back-end database servers. Simply by putting "AND sleep(3)" in the address bar... Here is how to put a MySQL server to sleep, happy SQL injection!
Posted inWeb application security
Test SMTP Authentication and StartTLS
Investigate SMTP authentication issues like a boss! Particular over TLS encrypted SMTP connections, it's always handy if you are able to test the SMTP authentication and StartTLS connection. Preferably from your command line. This post shows you how to test SMTP servers, create base64 encoded logon information, verify SMTP authentication over an opportunistic TLS connection, all from the Linux and Windows command line using OpenSSL.