Review of Htaccess Attacks
There has been a lot of excitement around the new htaccess authentication bypass tool called HTExploit (HiperText Access Exploit [1]). This tool abuses a very old attack made possible due to a common htaccess configuration issue. Being an industry that loves to name...
Discovering Modern CSRF Patch Failures
Cross-site request forgery (CSRF/XSRF) vulnerabilities allow an attacker to perform authenticated actions without authenticating as the user.
Java 7 ClassFinder Restricted Package Bypass
There has been a lot of talk over the past couple of days about the new Java 7 exploit seen in the wild. Most of this talk covers the payload and distribution ([1]), but not many people are talking about the actual exploit and how it works in its excellent...
IDS/IPS Signature Bypassing (Snort)
At Fortra's Alert Logic, we work with many signatures to provide protection for clients. We often receive signatures that need to be changed due to a variety of detection issues. In this post we'll look at issues we regularly find in Snort signatures. First, groups making...
Writing Exploits For Exotic Bug Classes: unserialize()
Auditing Security Checklist for AWS
Our friends over at Amazon Web Services have just released their Auditing Security Checklist for Use of AWS. This important document builds on the previously released Operational Checklists for AWS. AWS deserves kudos for putting this document front and center, as...
Writing Exploits For Exotic Bug Classes: PHP Type Juggling
PCI DSS Requirement 10.6 – Log Data Collection
As you likely know by now, the PCI DSS 3.0 standard went into effect on January 1, 2014. You have until January 1, 2015 to move to the new standard. While many of the changes in the PCI DSS 3.0 requirements are clarifications, there are several new requirements that...
Why is it Challenging to Tune a Web Application Firewall?
Tuning a web application firewall (WAF) presents some unique challenges; this blog post walks through those issues and ways to overcome them.
Cybersecurity is a Team Effort
The responsibility for cybersecurity is a heavy one. It has to be—a security breach can mean loss of valuable data, covert or overt control of a company’s system, serious financial loss, or even a temporary system shutdown. It makes sense, then, that the responsibility for cybersecurity falls on someone’s shoulders.
Using a Web Application Firewall (WAF) to Mitigate Denial of Service (DoS) Attacks
In simple terms, a denial of service (DoS) attack is an attack intended to make a resource unavailable to its users. Historically aimed at bringing down services, resources and websites (e.g., in its early days, Twitter was a frequent target for DoS attacks), DoS attacks could become an increasingly pervasive part of our lives as our lives become more and more intertwined with technology.
JournalCTL Terminal Escape Injection
systemd is an init system that more and more Linux distributions are adopting. It is designed to replace SysV init and Upstart with a modern init system.