News / Posted September 03, 2019
Cross-Site Scripting (XSS) is by far the most widespread high impact vulnerability, present even in the best of web applications, regardless of the framework or programming language employed - a burly steadfast member of the OWASP Top Ten.
Here at AppCheck the client-side nature of typical XSS has led to a general underappreciation of its exploitation potential, though a good understanding of the vulnerability and its subtle variations will show how it can be used to devastating effect... and more importantly: how it can be avoided.
In this seminar we will build up piece-by-piece an understanding of XSS that spares no detail.
Research Security Alerts / Posted January 04, 2017
On the 25th of December 2016, a security researcher disclosed a critical security flaw within a popular PHP library used to send emails. The PHPMailer library is used by more than 9 million websites worldwide and is bundled with popular open source PHP content management systems such as WordPress. At worst the flaw could be exploited to execute arbitrary PHP code on the affected system. This would allow the remote attacker to take complete control of the application and launch further attacks against the system and internal network. PHPMailer versions below 5.2.20 are affected along with a number of other libraries that include the vulnerable code; such as SwiftMail and the Zend Framework.Read more
Security Alerts / Posted October 26, 2016
On the 25th of October 2016, the Joomla team issued a patch for a high severity security flaw that could allow a remote unauthenticated attacker to create administrative accounts on the target system. AppCheck was updated on the same day to detect and safely exploit the vulnerability.Read more
Security Alerts / Posted May 12, 2016
WordPress versions 4.5.1 and earlier are affected by a XSS vulnerability through Plupload,the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.Read more
Security Alerts / Posted May 06, 2016
A vulnerability with a widely deployed image processing library was disclosed on the 5th of May 2016. Within an hour of the disclosure AppCheck NG was updated to detect the flaw.
A Practical View of the Most Common Threats Facing Web Apps Today
The Web Application Security seminar is a free event that presents a detailed analysis of the most common threats facing web applications today. We will review high profile examples and provide a technical breakdown of critical security flaws along with an introduction into emerging technologies such as HTML5.
Each candidate will receive a copy of the slides and exclusive tools and exploit code used in the live hacking demonstrations.
Security Alerts / Posted April 23, 2016
A vulnerability in Apache Struts 2.3.20-2.3.28* could allow an unauthenticated, remote attacker to execute arbitrary code on a target server.Read more
Research Security Alerts / Posted October 23, 2015
On the 9th October researchers at AppCheck NG discovered a critical Remote Command Execution (RCE) in the popular WordPress plugin Form Manager which allows an attacker with an unprivileged account (including a self-registered account) to execute arbitrary commands on the host. The vulnerability was reported and fixed on the 12th October.Read more
Research Security Alerts / Posted May 27, 2015
The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database.
With almost 80,000 downloads at the time of writing, the affected component is the most popular blog component available via Magento Connect.Read more
Security Alerts / Posted April 21, 2015
Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. This critical flaw in the Magento eCommerce platform exposes online shops to serious risk by allowing malicious hackers to access credit card data or execute arbitrary PHP code on the web server. This vulnerability should be considered a high risk factor for businesses making use of the Magento platform, and should be addressed as a matter of priority.Read more
Security Alerts / Posted April 15, 2015
Microsoft has released a patch for a critical remote code execution vulnerability in the Windows HTTP Stack for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.Read more
Research Security Alerts / Posted March 03, 2015
On the 10th of February 2015 Appcheck reported several security flaws in the popular VirtueMart eCommerce extension for Joomla (Version 3.0.2). A fix has since been made available via http://virtuemart.net/ although no official announcement was released by the vendor.Read more