By default, most open source applications expose the administrative panel to the world, but why? Why is this a core design? From a security perspective, its design leaves a lot to be desired. It’s the number one vector abused by bad actors to compromise sites, and the reasoning is simple – website […]
The Importance of Asset Monitoring
When we manage multiple assets, we must know what we have and their state. This is especially true when managing complex web ecosystems, whether they are applications dependent on continuous communication with endpoints or architectures reliant on multiple origins. At NOC, we don’t specifically talk about inventory management or discovery, but they should be invested in. […]
WordPress Forced Updates vs Auto-Updates and Abusing User Defined Intent
On June 1st, Automattic’s Jetpack plugin released an update to patch an exploitable vulnerability. The vulnerability was found in their Carousel feature. The release invites plugin users to update their version. It warns that, while it’s not known to be actively exploited, it could be now that it’s been released. One thing it fails to […]
Using cURL to test the Performance of a Website
cURL is an amazing tool (available by default on Macs and Linux) that allows an administrator to remotely transfer data, and it is most commonly used against URLs (i.e., websites). Think of it as a terminal-based browser that doesn’t try to parse the HTML. For example, if you want to get the HTML content for noc.org, all […]
What Hackers Do with WordPress in 2022 – Post Hack Analysis
In our last article, How WordPress Gets Hacked in 2022 – Initial Reconnaissance, we analyzed the behaviors (TTPs) of bad actors trying to hack a vanilla WordPress deployment. Confirming our suspicions, attacks targeting access controls continue to be the #1 preferred vector for bad actors. Analysis showed that attackers were especially interested in abusing WP-JSON and XMLRPC. […]
A Website Security Framework Intro
A framework should provide the underlying structure on which we build our security governance program. Consider a home. Regardless of the type of home, they all have a similar framework. The framework keeps the house together and defines the basic structure; it starts with the foundation on which the house will sit. From there, the […]
Hijacking a Website’s SERP Results with SEO SPAM
Over the past few weeks we have been following a bad actor as they attack and take control of a WordPress website we manage. In the process, we have seen them riddle the site with backdoors to ensure they are able to retain control and perform some rudimentary SPAM injections pointing to 17 domains with over 17,000 entries. This article […]