security
-
Setup ZAP baseline for CI & tracking with JIRA Everybody loves JIRA tickets!
Doing a baseline security scan of your web application before deployment is a simple way to improve the security of your application. Adding a scan to your CI as part of your SDLC makes it effortless to iterate and improve your application’s security. There are lots of options for scanning your web application, but in this post we’ll focus on scanning with OWASP ZAP! I’m going to walk through getting a basic scan setup and configured …
-
Getting sneaky with DNS for SSRF Understanding how fundamental technologies work goes a long way ...
Generally when I make HTTP requests against a domain, I wouldn’t expect it to make requests on my localhost - but sometimes, just that happens. For getting sneaky with SSRF attacks you can have a DNS record point to 127.0.0.1. When a record pointing to 127.0.0.1 is resolved, your application will end up making requests to 127.0.0.1. For experimentation, I used one of Rapid7’s free datasets, & found the domain volks-seat.de pointing to 127.0.0.1. It never occurred to …
-
Vulnerability Report - WordPress plugin - givewp XSS to get admin!
This is a post I back dated to when I privately reported a vulnerability to givewp for their WordPress plugin. I privately shared it via their support contact form. The version this XSS was found in is long in the past! > I discovered an XSS vulnerability, details included in Vulnerability input. > If you have any questions or need more information please let me know! I wasn’t sure how to do a ‘private pull request’ otherwise I …
-
Vulnerability Report - WordPress plugin - php-everywhere Low priv users with code execution
This is a post I back dated to when I privately reported a vulnerability to the author of the php-everywhere plugin. I discovered a low privileged user could execute arbitrary PHP code and provided a POC where a low priv user could upgrade their permissions to admin. (The plugin is no longer available for download: https://wordpress.org/plugins/php-everywhere/) > Hi Alexander, I discovered a vulnerability in the PHP EveryWhere Plugin. - 1 - In PHP EveryWhere plugin options, set …