Archive | Web Hacking


18 October 2014 | 1,583 views

RIPS – Static Source Code Analysis For PHP Vulnerabilities

RIPS is a tool written in PHP to find vulnerabilities using static source code analysis for PHP web applications. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced [...]

Continue Reading


06 October 2014 | 1,033 views

JPMorgan Hacked & Leaked Over 83 Million Customer Records

So yah last week we all discovered, OMG JPMorgan Hacked! This set a lot of people on edge as JPMorgan Chase & Co is the largest US bank by assets – so it’s pretty seriously business. The breach happened back in July and was only disclosed last Thursday due to a filing to the US [...]

Continue Reading


23 September 2014 | 1,467 views

CloudFlare Introduces SSL Without Private Key

Handing over your private key to a cloud provider so they can terminate your SSL connections and you can work at scale has always been a fairly contentious issue, a necessary evil you may say. As if your private key gets compromised, it’s a big deal and without it (previously) there’s no way a cloud [...]

Continue Reading


18 September 2014 | 723 views

Twitter Vulnerability Allows Deletion Of Payment Details

Twitter has been in the news a lot lately, firstly about their patent filing regarding the pro-active scanning on the web for malware and then the bug bounty going live – which is related to this story. This is a pretty neat Twitter vulnerability that was discovered by someone taking part in the Twitter bug [...]

Continue Reading


08 September 2014 | 752 views

Twitter Bug Bounty Official – Started Paying For Bugs

So the Twitter bug bounty program is now official, they are actually paying – and not a bad amount too. A minimum of $140 for a confirmed bug with no defined maximum. This includes the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s [...]

Continue Reading


29 August 2014 | 3,668 views

IronWASP – Open Source Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the [...]

Continue Reading


23 August 2014 | 2,317 views

Garmr – Automate Web Application Security Tests

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines The purpose of this page is to establish a concise and consistent approach to secure [...]

Continue Reading


15 August 2014 | 2,837 views

Hiding A Bitcoin Mining Botnet In The Cloud

This is a pretty interesting story, and an interesting use (or mis-use) of cloud resources. We’ve covered similar stuff before like the case when Yahoo! was Spreading Bitcoin Mining Botnet Malware Via Ads, and then more recently when the Pirated ‘Watch Dogs’ Game Made A Bitcoin Mining Botnet. But this time it’s not malware based, [...]

Continue Reading


11 August 2014 | 2,862 views

XML Quadratic Blowup Attack Blows Up WordPress & Drupal

This was a pretty interesting piece of news for me last week as I was actually affected by it (I think?). It’s an XML Quadratic Blowup Attack that affects both WordPress and Drupal and is quite serious as rather than just crashing the software, it can take down the whole server. It didn’t completely take [...]

Continue Reading


30 July 2014 | 3,331 views

XSSYA – Cross Site Scripting (XSS) Scanner Tool

XSSYA is a Cross Site Scripting Scanner & Vulnerability Confirmation Tool, it’s written in Python and works by executing an encoded payload to bypass Web Application Firewalls (WAF) which is the first method request and response. If the website/app responds 200 it attempts to use “Method 2″ which searches for the payload decoded in the [...]

Continue Reading