Cybersecurity Insights

Zacharias Pigadas

Using DNS as an out-of-band command output retrieval channel

04/06/20 10:02

 

Setting the scene

A fair amount of the work we do in the Foregenix Penetration Testing team is, in one way or another, a flavour of web application penetration testing. In these assessments we come across command execution vulnerabilities that belong in one of two different categories:

  1. Those were the output is returned directly to the user and,
  2. Well… those that are not.

In this blog post we will discuss the latter, cases where the output of our command is not directly displayed on the application, and present a strategy for obtaining access to the output of our command using recursive DNS queries. Finally we construct a practical example of the discussed strategy via a step by step process bypassing different constraints imposed to us by the use of DNS as an out of band retrieval method.

Read More
Benjamin Hosack

WebScan eCommerce Industry Report & Magento End of Life

20/05/20 15:30

A great deal has been written about the Magento 1 End Of Life in June 2020 (less than 45 days time), this article will present a different perspective into the challenge.

Read More
Hameed Riaz

An Introduction to Cardholder Data Discovery as Part of a PCI DSS Assessment

14/05/20 10:00

 

The Payment Card Industry Security Standards Council (PCI SSC) requires organisations to determine the scope of their PCI DSS assessment accurately.

Prior to discussing data discovery, it is important to define PCI DSS assessment scoping. The official definition by the PCI SSC for scoping is:

'Process of identifying all system components, people, and processes to be included in a PCI DSS assessment'.

Read More
Kirsty Trainer

Web Ninja partners with Foregenix to enhance website security!

12/05/20 10:00



CITY OF GOLD COAST, AUSTRALIA - Web Ninja has signed a partnership agreement with Foregenix, one of the world's leading cyber security firms, with the aim to make threat detection and protection available to all their eCommerce customers regardless of size and resources.

Read More
Kirsty Trainer

4 Reasons You Need File Integrity Monitoring (FIM) 

07/05/20 10:10

eCommerce environments are under constant threat from attackers; if your website touches cardholder data at any point, you’re a target. It doesn’t matter if you’re a big multinational conglomerate, or a tiny independent merchant; if you’re deploying poor security measures, they probably have you in their sights.

File integrity monitoring (FIM) systems are a critical part of your website's immune system. If you want to find and destroy malicious code, you’ll need to know where it is and where it’s come from. FIM systems will log changes made to your website, where they’ve come from and when they were made. Utilising a FIM log in your security strategy will help provide you with up to date knowledge of the inner workings of your website.

But why is file integrity monitoring important?

Read More
Zacharias Pigadas

Using DNS as an out-of-band command output retrieval channel

04/06/20 10:02

 

Setting the scene

A fair amount of the work we do in the Foregenix Penetration Testing team is, in one way or another, a flavour of web application penetration testing. In these assessments we come across command execution vulnerabilities that belong in one of two different categories:

  1. Those were the output is returned directly to the user and,
  2. Well… those that are not.

In this blog post we will discuss the latter, cases where the output of our command is not directly displayed on the application, and present a strategy for obtaining access to the output of our command using recursive DNS queries. Finally we construct a practical example of the discussed strategy via a step by step process bypassing different constraints imposed to us by the use of DNS as an out of band retrieval method.

Read More
Benjamin Hosack

WebScan eCommerce Industry Report & Magento End of Life

20/05/20 15:30

A great deal has been written about the Magento 1 End Of Life in June 2020 (less than 45 days time), this article will present a different perspective into the challenge.

Read More
Hameed Riaz

An Introduction to Cardholder Data Discovery as Part of a PCI DSS Assessment

14/05/20 10:00

 

The Payment Card Industry Security Standards Council (PCI SSC) requires organisations to determine the scope of their PCI DSS assessment accurately.

Prior to discussing data discovery, it is important to define PCI DSS assessment scoping. The official definition by the PCI SSC for scoping is:

'Process of identifying all system components, people, and processes to be included in a PCI DSS assessment'.

Read More
Kirsty Trainer

Web Ninja partners with Foregenix to enhance website security!

12/05/20 10:00



CITY OF GOLD COAST, AUSTRALIA - Web Ninja has signed a partnership agreement with Foregenix, one of the world's leading cyber security firms, with the aim to make threat detection and protection available to all their eCommerce customers regardless of size and resources.

Read More
Kirsty Trainer

4 Reasons You Need File Integrity Monitoring (FIM) 

07/05/20 10:10

eCommerce environments are under constant threat from attackers; if your website touches cardholder data at any point, you’re a target. It doesn’t matter if you’re a big multinational conglomerate, or a tiny independent merchant; if you’re deploying poor security measures, they probably have you in their sights.

File integrity monitoring (FIM) systems are a critical part of your website's immune system. If you want to find and destroy malicious code, you’ll need to know where it is and where it’s come from. FIM systems will log changes made to your website, where they’ve come from and when they were made. Utilising a FIM log in your security strategy will help provide you with up to date knowledge of the inner workings of your website.

But why is file integrity monitoring important?

Read More