Skip to main content
Scanning Sites for SRI Usage with sritest.io

Scanning Websites for SRI Hash Usage with sritest.io

Third-party hosted website assets, such as JavaScript libraries, are vulnerable to tampering. However, a new technique named Subresource Integrity (SRI) is here to protect these external assets.

One problem is the slow implementation of SRI, thus sritest.io was born. The new service enables website owners and frontend developers to evaluate their sites for SRI hash usage. Sritest.io aims to help the widespread implementation of SRI, thus, ultimately protect website visitors from malicious code.

Read More

Risk-Driven Incident Response

Psst! Do you wanna protect your company from security incidents?

But what you have is hundreds of apps, your infrastructure looks like a bowl of spaghetti and the company is short on resources? Don’t worry, it’s doable with careful planning!

This risk-based incident response framework lets you target the most critical things at your organisation. Keep on reading and your incident response team will operate as a powerful sniper rifle, rather than a clunky shotgun.

Read More

Ransomware Playbook for Managing Infections

Ransomware is a variation of malicious software that encrypts the victim’s files without any consent, then demands a ransom in exchange for the decryption keys. This is a lucrative, multi-million-dollar business model, which targets hundreds of thousands of users each day.

Files becoming unavailable could lead to the disruption of normal business activities, therefore it costs money. A formal incident response playbook with effective pre-designed instructions, however, helps minimize the impact on the business.

Read More

Bypassing WordPress Login Pages with WPBiff

Two-factor authentication protected WordPress login pages can be bypassed because of certain unsafe NTP practices.

The Internal clock of remote servers can be manipulated under the right conditions. Because certain WordPress Google Authenticator plugins also rely on the local timestamp, it opens up new ways to circumvent the user authentication process on the /wp-admin dashboard.

We demonstrate a practical attack against two-factor protected WordPress login pages. We are going to gain access to the dashboard without having access to the token generator app.

Read More

Tricking Google Authenticator TOTP with NTP

Because of unsafe NTP practices, internal clocks on remote machines can be manipulated under the right conditions. Once time is altered, expired SSL certificates become valid again and causes HSTS policies to expire.

But what about authentication? Certain TOTP implementations such as popular WordPress plugins also rely on the local timestamp.

This article demonstrates a proof of concept for accessing two-factor authentication protected WordPress dashboards.

Read More