Sicuranext Blog

Sign in Subscribe

ModSecurity: Path Confusion and really easy bypass on v2 and v3

ModSecurity: Path Confusion and really easy bypass on v2 and v3

TL;DR both ModSecurity v2 and v3 share a similar bug that can result in a really simple WAF bypass. The bug in the v3 branch has been fixed in version 3.0.12 and has been assigned the CVE number CVE-2024-1019. However, the bug in the v2 line remains

Emails and barcodes: a phishing story

Emails and barcodes: a phishing story

TL;DR If you open an email and see a QR code and some pressing message about something you’re supposed to do, doubt the source of the email. Microsoft won’t ask you to “verify the security of your account” via QR code. Neither will Google, nor Amazon, nor

OT Exposed Italy

OT Exposed Italy

OT (Operational Technology) consists of in a complex network of ICS (industrial control system). The ICS describes several types of control systems and associated instrumentation used for industrial process control. It includes systems like PLC (Programmable logic controller) , HMI (Human machine interface), DCS (Distributed control system) and SCADA (Supervisory Control

How attackers fingerprint your WordPress website

How attackers fingerprint your WordPress website

Attackers have quite a few sneaky ways to gather information from your WordPress website. They can get their hands on details like the WordPress version you're using, the active plugins and their versions, and even info about your active users. In this article, we'll take a

AWS WAF Bypass: invalid JSON object and unicode escape sequences

AWS WAF Bypass: invalid JSON object and unicode escape sequences

In recent times, the security community has been witnessing an increasing number of reports from researchers highlighting various bypass techniques targeting AWS Web Application Firewall¹. These bypasses have brought to light not only the absence of certain critical features but also the reliance on default configurations commonly used with both

Unleashing the Power of Data: Indexing Over 15 Million WordPress Websites with PWNPress

Unleashing the Power of Data: Indexing Over 15 Million WordPress Websites with PWNPress

We are excited to share a significant milestone achieved by PWNPress in our relentless pursuit of enhancing WordPress security. Leveraging the extensive Common Crawl dataset and pushing the boundaries of data analysis, we successfully indexed over 15 million WordPress websites. This endeavor involved parsing the entire Web Archive Text (WAT)

PWNPress: collect vulnerable WordPress websites over internet

PWNPress: collect vulnerable WordPress websites over internet

PWNPress is an innovative service that harnesses the power of data and cutting-edge technologies to identify vulnerabilities and misconfigurations in WordPress websites. Our mission is to empower website owners, developers, and security professionals with actionable insights that help fortify their WordPress installations and protect their digital assets. In today’s

Building Octofence WAAP Cache System & CDN: Lessons Learned and Best Practices

Building Octofence WAAP Cache System & CDN: Lessons Learned and Best Practices

Caching is a critical component of any modern application, enabling fast and efficient delivery of content and data to users. However, finding the right caching solution can be a challenge, particularly when existing off-the-shelf solutions don’t meet your specific needs. In this article, we’ll share our experience of

Why text/plain is evil for Web Application Firewall and Input validation

Why text/plain is evil for Web Application Firewall and Input validation

When sending an HTTP request that includes a message body, it’s essential to specify the type of the data being sent. This is because the server (or the web application) needs to know how to interpret the content of the message body to process it correctly. Moreover, a Web