Expert insights, trends, research findings, and best practices from Websec security team to help you strengthen your organization's security posture.https://websec.ca/en-usFri, 15 May 2026 01:13:02 GMThttps://websec.ca/images/websec-logo-1.pnghttps://websec.ca/blogCopyright 2026 Websec Securityhttps://websec.ca/blog/comparison-between-real-user-id-and-effective-user-id-is-not-enough-to-prevent-privilege-escalation/https://websec.ca/blog/comparison-between-real-user-id-and-effective-user-id-is-not-enough-to-prevent-privilege-escalation/In Unix-like systems, processes have a real and effective user ID determining their access permissions. While usually identical, they can differ in situations like when the setuid bit is activated in executables.Tue, 03 Oct 2023 19:39:50 GMTBlogCVE-2015-5198CheckmarxCodeQLUNIXWebsec Security Teamhttps://websec.ca/blog/DevSecOps-2022-Webinar/https://websec.ca/blog/DevSecOps-2022-Webinar/Roberto Salgado and Kobalt.io's Miki Fukushima are hosting a free webinar on September 20, 2022 covering why application security matters, the shift to developer-first security, and a practical roadmap for embedding security into DevSecOps.Mon, 29 Aug 2022 00:00:00 GMTBlogDevSecDevSecOpsDevelopmentcybersecuritywebinarWebsec Security Teamhttps://websec.ca/blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL/https://websec.ca/blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL/How CodeQL may help reduce false negatives within Open-Source projects. Taking a look into a deserialization vulnerability within Oracle Helidon (CVE-2022-21404).Thu, 19 May 2022 18:18:09 GMTBlogCVE-2022-21404CodeQLDeserializationJavaOracleSnakeYAMLYAMLWebsec Security Teamhttps://websec.ca/blog/secure-web-application-development/https://websec.ca/blog/secure-web-application-development/An introduction to Websec's Secure Web Application Development training course, covering the curriculum, target audience, and how the interactive lectures and quizzes help engineering teams ship more secure code.Mon, 29 Nov 2021 00:00:00 GMTBlogSWADTrainingWebsec Security Teamhttps://websec.ca/blog/cybersecure-canada/https://websec.ca/blog/cybersecure-canada/Discussing the Government of Canada's CyberSecure Canada standard for small and medium-sized organizations. What does it cover and why should organizations get certified? How can Websec help you get certified?Mon, 20 Sep 2021 00:00:00 GMTBlogcertificationcybersecureWebsec Security Teamhttps://websec.ca/blog/Appsec-Resources-For-Developers-Where-To-Start/https://websec.ca/blog/Appsec-Resources-For-Developers-Where-To-Start/A curated guide to web application security resources organised by experience level, from getting started with the basics to advanced training and specialised tooling, with short notes on what each resource covers and when to reach for it.Thu, 02 Sep 2021 17:46:16 GMTBlogASVSFrameworkNISTOWASPWSTGcybersecurityproactive controlsstandardsweb app securityWebsec Security Teamhttps://websec.ca/blog/app-sec-resources/https://websec.ca/blog/app-sec-resources/A curated guide to web application security resources organised by experience level, from getting started with the basics to advanced training and specialised tooling, with short notes on what each resource covers and when to reach for it.Thu, 02 Sep 2021 00:00:00 GMTBlogASVSFrameworkNISTOWASPWSTGcybersecurityproactive controlsstandardsweb app securityWebsec Security Teamhttps://websec.ca/blog/Hardening-guide-for-JBoss-EAP-7-0/https://websec.ca/blog/Hardening-guide-for-JBoss-EAP-7-0/A practical hardening guide for JBoss EAP 7.0 web servers covering welcome page removal, custom error handling, jboss-web.xml tuning, and other configuration tweaks that are still missing from the official documentation.Fri, 14 Dec 2018 22:39:19 GMTBlogEAPHardeningJBossPaulino CalderonWebsec Security Teamhttps://websec.ca/blog/Nmap-scripts-for-Trane-Tracer-SC-HVAC/https://websec.ca/blog/Nmap-scripts-for-Trane-Tracer-SC-HVAC/8.8 Mexico will take place on October 11 in Mexico City. Websec will be represented by Paulino Calderón who will give his talk, "Defeating Monkeys with Scanners".Fri, 14 Dec 2018 22:38:29 GMTBlogCalderonHVACPaulinoSCTracerWebsec Security Teamhttps://websec.ca/blog/Ncrack-and-Nmap-NSE-development-for-offense-and-defense-DEFCON-CHINA/https://websec.ca/blog/Ncrack-and-Nmap-NSE-development-for-offense-and-defense-DEFCON-CHINA/Paulino Calderon (@calderpwn) represented Websec in the first edition in China of the world-renowned DEFCON event. Here we share all the material of your workshop.Fri, 14 Dec 2018 22:31:13 GMTBlogCalderonChinaDEFCONNmapPaulinonseWebsec Security Teamhttps://websec.ca/blog/launching-replay-attacks-wells-fargo-wallet-service/https://websec.ca/blog/launching-replay-attacks-wells-fargo-wallet-service/The Wells Fargo Wallet service is susceptible to replay attacks, where an attacker may intercept a transaction through an altered PoS or fake terminal, steal the sensitive token, and replay the token later.Tue, 20 Nov 2018 19:28:28 GMTBlogAttacksFargoMendozaNFCPaymentSalvadorWellsnetxingWebsec Security Teamhttps://websec.ca/blog/Three-Non-Web-based-XSS-Injections/https://websec.ca/blog/Three-Non-Web-based-XSS-Injections/In this post guest blogger Alejandro Hernandez (nitr0us) writes about some interesting and fun XSS vectors which are not commonly seen.Tue, 19 Dec 2017 00:00:00 GMTBlogAlejandroCross-site ScriptingHernandezInjectionNon-webXSSnitr0usmxWebsec Security Teamhttps://websec.ca/blog/Belkin-Wemo-Switch-NMap-Scripts/https://websec.ca/blog/Belkin-Wemo-Switch-NMap-Scripts/Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been publishedFri, 23 Jun 2017 00:00:00 GMTBlogBelkinNetworkNmapPower OutletScriptsSmart PlugSwitchWemonseWebsec Security Teamhttps://websec.ca/blog/mastering-the-nmap-scripting-engine/https://websec.ca/blog/mastering-the-nmap-scripting-engine/Our team's latest book, Mastering the Nmap Scripting Engine, has been published. Across ten chapters it walks readers from Lua fundamentals and the NSE API through writing advanced brute-force, parallelism, and vulnerability-detection scripts.Tue, 29 Nov 2016 05:41:58 GMTBlogEngineMasteringNmapScriptingnseWebsec Security Teamhttps://websec.ca/blog/downloading-entire-source-code-through-exposed-GIT-directory/https://websec.ca/blog/downloading-entire-source-code-through-exposed-GIT-directory/Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.Fri, 19 Feb 2016 23:45:19 GMTBlogAlevskDirbDirbusterDirectory ListingGitSource CodeWebsec Security Teamhttps://websec.ca/blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q/https://websec.ca/blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q/While examining the "dropbear" binary for the Zhone GPON 2520 and Alcatel Lucent I240Q, we found that both routers have backdoors that allow users with SSH access to connect to these devices with maximum privileges.Thu, 08 Jan 2015 00:00:00 GMTBlog2402520AlcatelBackdoorGPONInfinitumLucentPlaySSHTotalZhonei240qWebsec Security Teamhttps://websec.ca/blog/drive-by-ONT-botnet-with-IRC-CC/https://websec.ca/blog/drive-by-ONT-botnet-with-IRC-CC/Demonstration of a botnet created purely by using embedded devices which are controlled remotely through vulnerabilities exploited from a webpage.Thu, 19 Dec 2013 18:21:40 GMTBlogAlcatelBotnetDrive byI-240W-QLucentOntWebsec Security Teamhttps://websec.ca/blog/insecure-session-data-CodeIgniter/https://websec.ca/blog/insecure-session-data-CodeIgniter/A security analysis of how web applications built on the CodeIgniter PHP framework handle user sessions, documenting the recurring implementation mistakes we see on assessments and what pentesters and developers should watch for.Thu, 04 Jul 2013 08:05:18 GMTBlogCodeIgniterFrameworkInsecurePHPSessionUserWeb SecurityWebsec Security Teamhttps://websec.ca/blog/panoptic/https://websec.ca/blog/panoptic/An overview of Panoptic, an open source penetration testing tool that automates the process of search and retrieval of common log and config files through path traversal vulnerabilities.Sun, 14 Apr 2013 14:08:56 GMTBlogLFIPanopticPythonRFIToolWebsec Security Teamhttps://websec.ca/blog/hackerhalted-discount-code-for-nmap-6-network-exploration-and-security-auditing-cookbook/https://websec.ca/blog/hackerhalted-discount-code-for-nmap-6-network-exploration-and-security-auditing-cookbook/PacktPub has shared a limited-time discount code for our friends attending Hacker Halted USA 2012. Use code APMK1F for 20 percent off the print edition and 25 percent off the electronic edition of Nmap 6: Network Exploration and Security Auditing Cookbook.Fri, 14 Dec 2012 21:39:20 GMTBlogCookbookDiscountHackerHaltedNetworkNmapSecuritySecurity AuditingWebsec Security Team