Foregenix-Logo-Horizontal-Colour
Free Webscan

Cybersecurity Insights

Kieran Murphy

We're proud to announce our partnership with Unisys!

16/07/20 17:23

We’re proud to announce our partnership with Unisys Corporation to offer the Unisys Stealth suite of security solutions and services to Australia, New Zealand, and the South Pacific.

Read More
Benjamin Hosack

Let’s help secure the Magento Community - Advice & Resources

15/07/20 10:12

What we do

We have a mission to make cyberspace safe for everyone  and it guides us in all of our client relationships - from card brands, to some of the largest fintech organisations in the world, through to some of the smallest online businesses in the world.

Read More
Benjamin Hosack

Magento 1 End of Life - With one week to go, here are the facts.

24/06/20 12:22

With less than a week to go until Magento 1 End of Life, based on our recent eCommerce “universe” security scan, there are over 218,000 Magento 1 sites yet to migrate.

In fact, only 2,576 Magento 1 websites migrated off Magento 1 last month - the numbers are a lot lower than the payments industry leaders would be happy with.

Read More
Dan Farr

Looking ahead to PCI DSS Version 4.0

10/06/20 10:00

Firstly there are not going to be any spoilers in here I am afraid; while Foregenix participates in feedback on all PCI SSC issued standards and is an active member of the Global Executive Assessor Roundtable (GEAR), we do so under non-disclosure agreement, so we will not be commenting on the draft of PCI DSS version 4.0 that we provided feedback on. PCI DSS v3.2.1 has been around for a number of years and based on the standard lifecycle will be replaced shortly.

Read More
Zacharias Pigadas

Using DNS as an out-of-band command output retrieval channel

04/06/20 10:02

 

Setting the scene

A fair amount of the work we do in the Foregenix Penetration Testing team is, in one way or another, a flavour of web application penetration testing. In these assessments we come across command execution vulnerabilities that belong in one of two different categories:

  1. Those were the output is returned directly to the user and,
  2. Well… those that are not.

In this blog post we will discuss the latter, cases where the output of our command is not directly displayed on the application, and present a strategy for obtaining access to the output of our command using recursive DNS queries. Finally we construct a practical example of the discussed strategy via a step by step process bypassing different constraints imposed to us by the use of DNS as an out of band retrieval method.

Read More
Kieran Murphy

We're proud to announce our partnership with Unisys!

16/07/20 17:23

We’re proud to announce our partnership with Unisys Corporation to offer the Unisys Stealth suite of security solutions and services to Australia, New Zealand, and the South Pacific.

Read More
Benjamin Hosack

Let’s help secure the Magento Community - Advice & Resources

15/07/20 10:12

What we do

We have a mission to make cyberspace safe for everyone  and it guides us in all of our client relationships - from card brands, to some of the largest fintech organisations in the world, through to some of the smallest online businesses in the world.

Read More
Benjamin Hosack

Magento 1 End of Life - With one week to go, here are the facts.

24/06/20 12:22

With less than a week to go until Magento 1 End of Life, based on our recent eCommerce “universe” security scan, there are over 218,000 Magento 1 sites yet to migrate.

In fact, only 2,576 Magento 1 websites migrated off Magento 1 last month - the numbers are a lot lower than the payments industry leaders would be happy with.

Read More
Dan Farr

Looking ahead to PCI DSS Version 4.0

10/06/20 10:00

Firstly there are not going to be any spoilers in here I am afraid; while Foregenix participates in feedback on all PCI SSC issued standards and is an active member of the Global Executive Assessor Roundtable (GEAR), we do so under non-disclosure agreement, so we will not be commenting on the draft of PCI DSS version 4.0 that we provided feedback on. PCI DSS v3.2.1 has been around for a number of years and based on the standard lifecycle will be replaced shortly.

Read More
Zacharias Pigadas

Using DNS as an out-of-band command output retrieval channel

04/06/20 10:02

 

Setting the scene

A fair amount of the work we do in the Foregenix Penetration Testing team is, in one way or another, a flavour of web application penetration testing. In these assessments we come across command execution vulnerabilities that belong in one of two different categories:

  1. Those were the output is returned directly to the user and,
  2. Well… those that are not.

In this blog post we will discuss the latter, cases where the output of our command is not directly displayed on the application, and present a strategy for obtaining access to the output of our command using recursive DNS queries. Finally we construct a practical example of the discussed strategy via a step by step process bypassing different constraints imposed to us by the use of DNS as an out of band retrieval method.

Read More