Category

Compliance

Category

This article explains how to exploit Oracle WebLogic for remote code execution by using valid credentials. It’s useful during black-box security audits, pentests, and infrastructure audits, including automated vulnerability scanning. To set up an example playground, we will use the following docker container: docker run -p7001:7001 –name weblogic –rm vulhub/weblogic:12.2.1.3 Again, we need to have management rights & access to the administrator console (/console web endpoint) to cause remote code execution in Oracle WebLogic. In…

Industries from hospitality to taxis/transportation and food delivery are being disrupted by new age companies like Airbnb, Uber and DoorDash that have a cloud-based software infrastructure as one of their main enablers. Why do all these new companies use cloud and what advantage does it give them? Unlike legacy competitors, innovators with new infrastructure can: Quickly scale and grow their customer baseSupport their business in different geographies and ensure availabilityEnsure convenience, with users accessing the…

Kubernetes clusters enable an organization to easily take advantage of containerization. While this is a huge asset, it also creates security issues. Many organizations lack visibility into the applications within their Kubernetes cluster and their attack surface. Within a Kubernetes cluster, an organization can be running websites, microservices, and APIs. The problem with these applications is that they are very likely to contain exploitable vulnerabilities. In fact, the average web application contains 22 vulnerabilities, 4…

A lot of IT Security Officers responsible for driving the SOC 2 certification in their companies are probably wondering how the switch to mostly remote workspaces will affect their SOC 2 landscape. I would say that there are two types of companies affected (or not affected) by the coronavirus: Companies that initially not relied on the security of individual workstations, and heavily used the office network infrastructure to provide necessary vichto and protection for sensitive…

In the digital era, financial institutions serve an increasing number of customers through web and mobile applications. Fintech maintains online security, and OWASP offers pieces of the puzzle to address the challenges. We CAN solve these challenges by leveraging the OWASP community knowledge base to secure the financial sector. On May 21st, 2020, I had the honor to dive into these challenges from multiple perspectives with my two guests, Vandana Verma and Victor Gartvich. We…

In the previous article, we described the vulnerability discovered in the Yii2 Framework 2.0.35. In this piece, you’ll find out how to prevent it. It’s a highly recommended read, especially for web developers who want to quickly check the rule settings and fix a detected vulnerability. Yii is an object-oriented component framework that implements the MVC design pattern (learn more on Wiki). We used Yii2 Framework 2.0.35 as a demo configuration.How a seemingly safe Active…