We recently consulted on an incident where a bad actor compromised a large ecommerce website. They were able to manipulate elements of the checkout page to hijack the users card information. They targeted an onclick action when the user clicked “continue”. While the platform was not storing the data locally, they had local scripts capturing […]
Category: Website Security
WooCommerce Patches Two SQLi Vulnerabilities
Yesterday, WooCommerce released an urgent announcement encouraging users to update because of a serious vulnerability. They don’t get into the details, but for us it’s imperative to understand what they are patching so that we can virtually patch at the edge via the NOC Web Application Firewall (WAF). Especially when it comes to a platform like […]
Responding to Website Security Incidents – Incident Response Plan Basics
If there is one thing that we have learned from vulnerabilities like Log4Shell, Heartbleed, Apache Struts Framework, Shellshock, and so many others is that when it comes to the components that power the web, the fabric of the internet, we are not prepared. That acknowledgement is critical in helping us psychologically acknowledge that security itself […]
The Most Effective Security Control for Open Source Admin Panels Never Used
By default, most open source applications will expose the administrative panel to the world by default, but why? Why is this a core design? From a security perspective, its design leaves a lot to be desired. It’s the number one abused vector by bad actors used to compromise sites and the reasoning is simple – website […]
The Importance of Asset Monitoring
When we manage multiple assets, we must know what we have and their state. This is especially true when managing complex web ecosystems. Whether they are applications dependent on continuous communication with endpoints, or architectures reliant on multiple origins. At NOC, we don’t specifically talk to inventory management, or discovery, but should be invested in. […]
A Website Security Framework Intro
A framework should provide the underlying structure from which we built our security governance program. Consider a home. Regardless of the type of home, they all have a similar framework. The framework keeps the house together and defines the basic structure, it starts with the foundation on which the house will sit. From there, the […]
Cloud-based Web Application Firewalls (WAF) & The Log4J Vulnerability
Every CIO / CISO worth their weight has spent the better part of four days trying to under the Log4J Vulnerability and more importantly, their organizations unique exposure. This article won’t dive into the vulnerability, that is being covered at nauseum and some organizations are doing exceptionally well with their write-ups. Here are some notable […]