Archive by Author

New Guide: Broken Access Control

The complexity of modern websites exposes countless potential vulnerabilities to lurking attackers. One of the most underestimated threats? Broken Access Control (BAC). The risk lies within the very machinations of your website — the systems managing who can interact with what. When correctly set, they keep unauthorized users out; when broken… Well, let’s not give […]

MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer

One of our analysts recently found an interesting malicious plugin injected into a WordPress / WooCommerce ecommerce website which both creates and conceals a bogus administrator user. It was also found injecting sophisticated credit card skimming JavaScript into the website’s checkout page. This plugin includes an interesting sample of malicious code which goes to great […]

What is a Content Security Policy (CSP)

It’s always a good idea to be aware of the security issues that might affect your site. For example, cross-site scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the site as a propagation method for other malicious behavior. XSS attacks are possible because browsers trust all requests that come […]

Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign

On December 1, 2023, several security researchers reported on a new phishing campaign targeting WordPress administrators. WordPress site owners had started receiving emails purporting to come from WordPress.com with the following message: “The WordPress Security Team has discovered a Remove Code Execution (RCE) vulnerability on your site, which allows attackers to execute malwares and steal your data, user […]

Critical RCE Vulnerability Patched in Backup Migration Plugin

On December 6th, 2023, the WordPress plugin Backup Migration received a critical security patch for a remote code execution vulnerability. Details were released five days later after users were given an opportunity to install the patch, although the official CVE is still locked down in “reserved” mode. Website administrators are advised to update to the […]

Common Website Hacking Techniques

Website hacking — the act of exploiting weaknesses to gain unauthorized access to a website, database, cPanel, or admin dashboard — is a reality that some webmasters struggle with. In the hands of bad actors, automated hack tools and exploit kits make it especially easy for hackers to gain access to a plethora of information, […]

Skimming Credit Cards with WebSockets

If you were to believe shopping mall merchants, you’d think the holiday season starts immediately after Halloween. Christmas trees and candy canes abound, along with the same songs played on repeat that we hear every year ad nauseam. However, the same could be said for card skimming attacks: Once the trick-or-treaters have gone home for […]