Skip to content

Posts from the ‘Web Security’ Category

13
Aug

OWASP ModSecurity Core Rule Set

ModSecurity is a good starting point to secure your web site. OWASP provides the core rule set (CRS) for ModSecurity rules against the most critical web application attack.

From OWASP:

ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extrememly flexible and robust and has been referred to as the “Swiss Army Knife of web application firewalls.”

In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.

Check OWASP Core Rule Set home page for more info.

Download here

21
May

PHP include exploitation with Metasploit

Metasploit support for PHP Include exploitation, or simply known as RFI (Remote File Inclusion). I will show you how this work on CS-Cart 1.3.3 which vulnerable to remote file inclusion.

The vulnerable path is at classes/phpmailer/class.cs_phpmailer.php?classes_dir=[include arbitrary php code]

so in Metasploit, the PHPURI PATH will be like this:

classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX

let see how this exploitation works. Read moreRead more

Rss Feed Tweeter button Facebook button Linkedin button Stumbleupon button