Archive | Web Hacking


27 October 2014 | 1,409 views

Arachni v1.0 Released – Web Application Security Scanner Framework

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by monitoring and learning from the web application’s behaviour during the scan process and is able to perform meta-analysis using a number of factors in order [...]

Continue Reading


18 October 2014 | 2,057 views

RIPS – Static Source Code Analysis For PHP Vulnerabilities

RIPS is a tool written in PHP to find vulnerabilities using static source code analysis for PHP web applications. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced [...]

Continue Reading


06 October 2014 | 1,150 views

JPMorgan Hacked & Leaked Over 83 Million Customer Records

So yah last week we all discovered, OMG JPMorgan Hacked! This set a lot of people on edge as JPMorgan Chase & Co is the largest US bank by assets – so it’s pretty seriously business. The breach happened back in July and was only disclosed last Thursday due to a filing to the US [...]

Continue Reading


23 September 2014 | 1,480 views

CloudFlare Introduces SSL Without Private Key

Handing over your private key to a cloud provider so they can terminate your SSL connections and you can work at scale has always been a fairly contentious issue, a necessary evil you may say. As if your private key gets compromised, it’s a big deal and without it (previously) there’s no way a cloud [...]

Continue Reading


18 September 2014 | 731 views

Twitter Vulnerability Allows Deletion Of Payment Details

Twitter has been in the news a lot lately, firstly about their patent filing regarding the pro-active scanning on the web for malware and then the bug bounty going live – which is related to this story. This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug [...]

Continue Reading


08 September 2014 | 760 views

Twitter Bug Bounty Official – Started Paying For Bugs

So the Twitter bug bounty program is now official, they are actually paying – and not a bad amount too. A minimum of $140 for a confirmed bug with no defined maximum. This includes the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s [...]

Continue Reading


29 August 2014 | 3,692 views

IronWASP – Open Source Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the [...]

Continue Reading


23 August 2014 | 2,345 views

Garmr – Automate Web Application Security Tests

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines The purpose of this page is to establish a concise and consistent approach to secure [...]

Continue Reading


15 August 2014 | 2,872 views

Hiding A Bitcoin Mining Botnet In The Cloud

This is a pretty interesting story, and an interesting use (or mis-use) of cloud resources. We’ve covered similar stuff before like the case when Yahoo! was Spreading Bitcoin Mining Botnet Malware Via Ads, and then more recently when the Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet. But this time it’s not malware based, [...]

Continue Reading


11 August 2014 | 2,889 views

XML Quadratic Blowup Attack Blows Up WordPress & Drupal

This was a pretty interesting piece of news for me last week as I was actually affected by it (I think?). It’s an XML Quadratic Blowup Attack that affects both WordPress and Drupal and is quite serious as rather than just crashing the software, it can take down the whole server. It didn’t completely take [...]

Continue Reading