Archive for the ‘Web Security’ Category

How Can WAF Prevent OWASP Top 10?

The OWASP Top 10 security risks point out the common vulnerabilities seen in web applications. But it does not list the set of attack vectors that WAFs (Web Application Firewalls) can simply block. This is but a myth often propagated by many a security vendor. OWASP Top 10 protection is the joint responsibility of the […]

Browser-in-the-browser attacks

Researchers at threat intelligence company Group-IB just wrote an intriguing real-life story about an annoyingly simple but surprisingly effective phishing trick known as BitB, short for browser-in-the-browser. You’ve probably heard of several types of X-in-the-Y attack before, notably MitM and MitB, short for manipulator-in-the-middle and manipulator-in-the-browser. In a MitM attack, the attackers who want to trick you position themselves somewhere “in the middle” of the […]

Chrome patches 24 security holes, enables “Sanitizer” safety system

Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux. On Unix-like systems (Mac and Linux), you want 105.0.5195.52, but on Windows, you’re looking for 105.0.5195.54. According to Google, this new version includes 24 security fixes, though none of them are reported […]

Chrome browser gets 11 security fixes with 1 zero-day – update now!

The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows). According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole. The name zero-day is a reminder […]

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

The spyware developed by Israeli surveillance firm Candiru exploited the recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists. Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day. The flaw, which was fixed by Google on July 4, […]

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products. The relevant security bulletins, update numbers, and where to find them online are as follows: APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346 APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345 APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344 APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343 APPLE-SA-2022-07-20-5: tvOS […]

Tor Browser 11.5 is optimized to automatically bypass censorship

The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship. The Tor Project team has announced the release of Tor Browser 11.5, the new version of the popular privacy-oriented browser implements new features to fight censorship. With previous versions of the browser, circumventing censorship of the Tor […]

Privacy-focused Brave Search grew by 5,000% in a year

https://www.bleepingcomputer.com/news/software/privacy-focused-brave-search-grew-by-5-000-percent-in-a-year/ Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year. To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of […]

Internet scans find 1.6 million secrets leaked by websites

https://portswigger.net/daily-swig/internet-scans-find-1-6-million-secrets-leaked-by-websites Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains. Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code. Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information […]

Microsoft warns of new highly evasive web skimming campaigns

Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection. Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection. The threat actors obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded in […]

Massive hacking campaign compromised thousands of WordPress websites

Researchers uncovered a massive hacking campaign that compromised thousands of WordPress websites to redirect visitors to scam sites. Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content. The infections automatically redirect site visitors to third-party websites containing malicious content […]

Keep your digital banking safe: Tips for consumers and banks

Digital banking has been a reality for quite a while now, particularly pushed forward in these last few years. Is security keeping up the pace? Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or […]

Burp Suite overview

Burp Suite is a proxy-based tool, developed by PortSwigger, used to evaluate the security of web-based applications and to do hands-on testing. It is one of the most popular penetration testing and vulnerability-finding tools and is often used for checking web application security.

Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites to deploy a script that, when the sites are visited, launches DDoS attacks on Ukrainian websites. MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; when users visited the website, the script launched a DDoS attack against ten Ukrainian sites. The JavaScript was designed […]

Chrome emergency update fixes actively exploited zero-day bug

Google addresses an actively exploited zero-day flaw with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux. Google fixed an actively exploited high-severity zero-day vulnerability with the release of Chrome 99.0.4844.84 for Windows, Mac, and Linux. Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug, tracked […]

Firefox patches two in-the-wild exploits – update now!

Mozilla has published Firefox 97.0.2, an “out-of-band” update that closes two bugs that are officially listed as critical. Mozilla reports that both of these holes are already actively being exploited, making them so-called zero-day bugs, which means, in simple terms, that the crooks got there first: We have had reports of attacks in the wild abusing [these] […]

OWASP Testing Guide

Owasp-testing-guide-4.0 (download)

OWASP Vulnerability Management Guide

High-Severity flaw in 3 WordPress plugins impacts 84,000 websites

Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8. A threat actor could exploit the vulnerability to take over vulnerable websites. The flaw impacts three plugins […]

All in One SEO Plugin Bug Threatens 3M Websites with Takeovers

A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers. A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites. An attacker […]
