• Subscribe to the low volume list for updates.

Blog

Top 100K Sites WordPress Usage Infographic

WordPress.org have a post up detailing the "state of the word". Around the same time we have been putting a wordpress infographic that highlights some of the findings from our analysis of wordpress usage among the top 100K sites (as rated by Alexa). WordPress Usage in the Top 100K Infographic
Read More

SQL Injection Scanner List

A few of the wide range of SQL Injection scanning tools available from detection to automated exploitation and shells on a plate. Sqlninja ( http://sqlninja.sourceforge.net/ ) Supports only Microsoft SQL Server. sqlmap ( http://sqlmap.org/ ) Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server. Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase. Pangolin […]
Read More

Security Testing WordPress

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment. Simply put brute forcing: Plugins is achieved by testing URL's: http://myexampleblog.cm/wp-content/plugins/$pluginname Usernames can be brute forced with a POST request to the login form (Incorrect username) Passwords can be brute […]
Read More

Hydra 6.4 Password Brute Forcer

The latest version of Hydra has been released with some bug fixes. Problems noted in my post comparing hydra with ncrack and medusa have been addressed and after testing I can confirm these issues are no longer present. CHANGELOG for 6.4 ================= * Update SIP module to extract and use external IP addr return from […]
Read More

Malware in WordPress Themes

Found an interesting article over at OttoPress with some in depth analysis of malware discovered in a theme on a less than reputable WordPress theme site. Seems there are some dodgey sites out there that have infected themes, both free ones and ripped off professional themes. Beware and check the reputation of your themes. It […]
Read More

Testing WordPress Password Security with Metasploit

How easy is it to hack wordpress admin accounts? Poor WordPress password security is an ongoing issue, the purpose of this post is to highlight how easy it is to break into wordpress admin accounts that have weak passwords. Metasploit Framework is an open source penetration testing application that has modules for the explicit purpose […]
Read More

w3af web application security testing framework stable released

sudo apt-get install python-nltk python-soappy python-lxml python-svn python-scapy graphviz tar jxvf w3af-1.0-stable.tar.bz2 ./w3af_gui The first thing to notice is the shiny new splash screen highlighting the new owner of the project that being Rapid7. A notice that I don't have the latest update appears, so auto update is performed after confirmation. Following some local testing […]
Read More

Google Dorking WordPress

WordPress is very popular and easy to install. This very accessibility makes it a juicy target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies and web shells. How prevalent is poor WordPress Security? Our Web Tech Report showed that application updates to WordPress are reasonable. Lets try […]
Read More

Secure WordPress

WordPress Scanner is the latest tool added to our kit. It can be used to test the security of your wordpress installation from an external perspective. No plugin installation is required, our systems will do an external passive analysis of your wordpress installation and highlight wordpress security issues along with recommendations to improve the security […]
Read More