WordPress 5.1 CSRF to Remote Code Execution

13 Mar 2019 by Simon Scannell

WordPress Remote Code Execution

Last month we disclosed an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1.


5 Best Practices for your SAST Evaluation

26 Feb 2019 by Dr. Johannes Dahse

Static Application Security Testing Evaluation

Choosing the right solution for automated security testing is hard. A good approach is to run a proof of concept (POC) with different vendors so you can verify marketing claims before adding another piece of software to your stack. Our best practices help you prepare an efficient and thorough evaluation so you can tell snake oil from cutting-edge technology and make the best choice.


WordPress 5.0.0 Remote Code Execution

19 Feb 2019 by Simon Scannell

WordPress Remote Code Execution

This blog post details how the combination of a Path Traversal and a Local File Inclusion vulnerability led to Remote Code Execution in the WordPress core. The vulnerability remained undiscovered in the WordPress core for over 6 years.


Security Testing Plugin for Maven & Gradle

5 Feb 2019 by Julian Karl, Amin Dada

Maven Gradle Security Testing

We are pleased to announce integration support for the two major build automation tools Apache Maven and Gradle. Both plugins let you add our static code analysis solution to your build process and provide a streamlined way to configure and start a new security scan for your Java applications.


CTF Writeup: Complex Drupal POP Chain

29 Jan 2019 by Simon Scannell

Drupal

A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post demonstrates our solution: a PHP Object Injection exploited through a complex POP gadget chain.
