Channel: vulnerability – codeseekah
Browsing latest articles
Browse All 17 View Live


The WordPress Plugin and Theme Editor Must Go

…or “How WordPress Gets Hacked” The prelude With so many reports of WordPress sites being hacked in one way or another, I decided to see how exactly WordPress sites are being invaded. The WordPress...


The WordPress Meta “generator” Tag Paranoia

…or “WordPress Version Fingerprinting” I have read dozens of “How to secure your WordPress” articles, and one common “tip” among others is getting rid of the “generator” tag in the HTML head, for...


WordPress Pingback Attack

Yesterday I wrote a post titled On WordPress Pingbacks. While writing this I came to several conclusions that resulted in some interesting experiments and results. I was going to publish my results...


WordPress DoSnet

…or how to build your own WordPress-powered denial-of-service network Pingbacks have been part of the WordPress since the very beginning. One of my previous articles, titled WordPress Pingback Attacks...


Timing Attacks in Web Applications

When code is executed by a machine it takes some time to do so. Execution time ranges from nanoseconds to months and years and even more (think bruteforcing). Web applications construct output...


Advertisement Proposal Scam

So a couple of nights ago I got a weird e-mail from “Diana” at dianabem501@gmail.com. It said: I have visit your blog https://codeseekah.com/ I can pay you $200 per month. Contact me for more info....


The FancyBox for WordPress Vulnerability

…and how the exploit really worked Last week a very popular plugin called FancyBox for WordPress was hit with a zero-day vulnerability which I happened to experience first-hand and dig into. If you’ve...


WordPress Nonces Vulnerabilities

Quick Page/Post Redirect Plugin: A Case Study Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk....


Javo Themes Spot LFI Vulnerability

Whew, it’s been a while… I’ve had the misfortune to work with yet another theme from ThemeForest. A $60 premium theme and nothing less! Meet Javo Spot by Javo Themes… Within half an hour of fiddling...



12 WordPress Plugin Vulnerabilities in 12 Months

I’m challenging myself to find 12 plugin vulnerabilities in the next 12 months, right in time for WordCamp Moscow 2018, where I’ll present peculiar vulnerable code and talk about practical security...
