Articles in the Application Security category

Assigning a CVE ID to Zero-Day Vulnerability
Whenever a researcher finds a new vulnerability in a software product, it's advisable to first notify the company responsible for the product and give them time to fix the identified vulnerabilities. I've found multiple vulnerabilities in the pfSense firewall and reported them to the pfSense security team. They were ...
Naxsi - The Web Application Firewall for Nginx
Introduction In this tutorial we'll present the naxsi nginx module, which provides a WAF (Web Application Firewall) to any application running behind the Nginx web server. It works by inspecting HTTP requests and matching them against the malicious-pattern rules in naxsi_core.rules. If a match is found, the malicious request is blocked ...
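The teaser above describes naxsi's request-inspection model: core rules are loaded once at the http level, each matching rule adds to a per-request score, and CheckRule thresholds decide when the request is redirected to the denied location. The following nginx configuration is an added illustration of that flow and is not taken from the article; the paths, the `/RequestDenied` location, the 418 status and the whitelist id are assumptions chosen for the example.

```nginx
# Added example: minimal naxsi setup (not the article's own configuration).
http {
    # Core signature set shipped with naxsi; each rule carries a score
    # against one or more counters ($SQL, $XSS, $RFI, $TRAVERSAL, $EVADE).
    include /etc/nginx/naxsi_core.rules;   # assumed install path

    server {
        listen 80;
        server_name example.local;         # assumed hostname

        location / {
            # Enable naxsi for this location. With LearningMode; instead,
            # matches are only logged, which is how rules are tuned first.
            SecRulesEnabled;

            # Requests whose scores cross a threshold are internally
            # redirected here rather than passed to the application.
            DeniedUrl "/RequestDenied";

            # Score thresholds: the per-request counter is the sum of the
            # scores of every matching core rule.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist example (assumed rule id and parameter name):
            # do not apply core rule 1000 to the GET parameter "q".
            BasicRule wl:1000 "mz:$ARGS_VAR:q";

            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }

        # Blocked requests land here; a non-standard status makes them
        # easy to spot in access logs.
        location /RequestDenied {
            internal;
            return 418;
        }
    }
}
```

A practical check after deploying this: send a request such as `GET /?q=1' OR '1'='1` and confirm it receives a 418, while a benign request to the same path still reaches the backend. Start with `LearningMode;` on real traffic and review the NAXSI_FMT entries in the error log before switching to blocking, otherwise legitimate parameters that trip low-scoring rules will be dropped.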
The Basics of ASP.NET
Introduction In this article we'll talk about unicode support in various elements of the HTTP protocol, but first let's say a few words about HTTP. We won't go into depth about what HTTP is, let's just remind the reader about the elements that comprise the whole ...
Wordpress Security for Users
Introduction We all know that WordPress is the most widely used CMS on the Internet. We also know that security in WordPress cannot be taken for granted. Older versions of the WordPress CMS can contain various vulnerabilities, so it's vital to keep it up to date. We should also be ...
Web Vulnerabilities Explained
Introduction We all know that vulnerabilities in web pages are quite common these days. They range from SQL injections, XSS vulnerabilities, CSRF, etc. In this article we'll provide basic examples of the most common vulnerabilities you'll find in web pages—including and especially WordPress. We'll describe them ...
Wordpress Plugin Vulnerabilities: From a Developer’s Point of View
1. Introduction We all know the prevalence of the WordPress blogging system and its share of vulnerabilities in the core system alone over the years. If not, we can take a look at the cvedetails web page that presents all the vulnerabilities from 2004 to the present. We can see ...
Wfuzz and WebSlayer
1. Introduction Wfuzz is a web application bruteforcer that can be considered an alternative to Burp Intruder, as they share a number of features. With both Wfuzz and Burp Intruder we can bruteforce different web application elements, like GET/POST parameters, cookies, forms, directories, files, HTTP headers, etc. If we ...
Filter Evasion: Part 1
1. Introduction First we must talk about vulnerabilities. We know that a vulnerability in any kind of software can be exploited when the software accepts attacker-controlled input and parses or executes it without first checking it for malicious content. Thus, vulnerabilities are present in software products because the programmers ...
Apache JMeter: Part 2
For Part 1 of this series, please click here. Test Plan Elements Up until now we haven't said anything about how to actually do something useful with JMeter, but it's only because we need to cover some boring details of how to configure it before actually running some ...
WordPress Security
Introduction There are numerous tools available when checking the security of the WordPress Content Management System (CMS). In the rest of the article we'll mention the WPScan tool, which does a great job of scanning the WordPress installation and its plugins for security vulnerabilities. WPScan WPScan is a WordPress ...