You are here: Saotn.org » web application security

web application security

Count and display number of WordPress users in your Dashboard

Show the number of registered WordPress users in At-a-Glance widget

Often when a WordPress site is compromised, the website owner doesn’t notice anything strange at first. First a lot of users are created, and it’s only later when posts filled with spam are created or existing pages/posts edited. In the time between compromise and creation of spam posts, a website owner might notice an increased number of users. If he has the means to. And that’s what this little plugin does.

Read More »Count and display number of WordPress users in your Dashboard

Find vulnerable WordPress plugin versions fast using PowerShell

On a daily bases, new vulnerabilities are found in WordPress plugins. And when you host thousands of WordPress sites, you can count on the fact you have some customers using that vulnerable version of that particular plugin. So you need to find those vulnerable versions on your servers fast. On Windows Server, PowerShell is a perfect tool for the job!

Read More »Find vulnerable WordPress plugin versions fast using PowerShell

Disallow direct access to PHP files in wp-content/uploads/

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

Read More »Disallow direct access to PHP files in wp-content/uploads/

Basic Authentication module for Windows Server IIS

Basic Authentication managed HTTP module for IIS with virtual users support

In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

Read More »Basic Authentication module for Windows Server IIS

WordPress advisory: Akal premium theme XSS vulnerability

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

Read More »WordPress advisory: Akal premium theme XSS vulnerability

Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().


This is a very interesting read about how PHP rand() works, and how to attack & crack it. The post ends with the following conclusion:

Read More »Cracking PHP rand()

Joomla websites abused as open proxy for Denial-of-Service attacks

Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. Even though the Googlemaps plugin vulnerability plugin_googlemap2_proxy.php was released over one and a half (1,5) years ago, I still see these DoS-attacks happening on a regular basis…

Read More »Joomla websites abused as open proxy for Denial-of-Service attacks

Mod_evasive on IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Read More »Mod_evasive on IIS

Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration

An often heard solution to PHP cURL errors with SSL is to turn off CURLOPT_SSL_VERIFYPEER. Please don’t turn off CURLOPT_SSL_VERIFYPEER, but fix your PHP config instead. This article provides you two solutions to solve CA certificate validation errors with PHP cURL and OpenSSL. For system administrators and end-users.

Read More »Don’t turn off CURLOPT_SSL_VERIFYPEER, fix your PHP configuration