Expert insights, trends, research findings, and best practices from Websec security team to help you strengthen your organization's security posture.https://websec.com/en-usTue, 21 Apr 2026 11:27:01 GMThttps://websec.com/images/websec-logo-1.pnghttps://websec.com/blogCopyright 2026 Websec Securityhttps://websec.com/blog/comparison-between-real-user-id-and-effective-user-id-is-not-enough-to-prevent-privilege-escalation/https://websec.com/blog/comparison-between-real-user-id-and-effective-user-id-is-not-enough-to-prevent-privilege-escalation/In Unix-like systems, processes have a real and effective user ID determining their access permissions. While usually identical, they can differ in situations like when the setuid bit is activated in executables.Tue, 03 Oct 2023 19:39:50 GMTBlogCVE-2015-5198CheckmarxCodeQLUNIXWebsec Security Teamhttps://websec.com/blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL/https://websec.com/blog/CVE-2022-21404-Another-story-of-developers-fixing-vulnerabilities-unknowingly-because-of-CodeQL/How CodeQL may help reduce false negatives within Open-Source projects. Taking a look into a deserialization vulnerability within Oracle Helidon (CVE-2022-21404).Thu, 19 May 2022 18:18:09 GMTBlogCVE-2022-21404CodeQLDeserializationJavaOracleSnakeYAMLYAMLWebsec Security Teamhttps://websec.com/blog/Appsec-Resources-For-Developers-Where-To-Start/https://websec.com/blog/Appsec-Resources-For-Developers-Where-To-Start/A list of resources for web application security and a short description of what each resource covers.Thu, 02 Sep 2021 17:46:16 GMTBlogASVSFrameworkNISTOWASPWSTGcybersecurityproactive controlsstandardsweb app securityWebsec Security Teamhttps://websec.com/blog/Hardening-guide-for-JBoss-EAP-7-0/https://websec.com/blog/Hardening-guide-for-JBoss-EAP-7-0/This time we are sharing a hardening guide for JBoss EAP 7.0 servers.Fri, 14 Dec 2018 22:39:19 GMTBlogEAPHardeningJBossPaulino CalderonWebsec Security Teamhttps://websec.com/blog/Nmap-scripts-for-Trane-Tracer-SC-HVAC/https://websec.com/blog/Nmap-scripts-for-Trane-Tracer-SC-HVAC/8.8 Mexico will take place on October 11 in Mexico City. Websec will be represented by Paulino Calderón who will give his talk, "Defeating Monkeys with Scanners".Fri, 14 Dec 2018 22:38:29 GMTBlogCalderonHVACPaulinoSCTracerWebsec Security Teamhttps://websec.com/blog/Ncrack-and-Nmap-NSE-development-for-offense-and-defense-DEFCON-CHINA/https://websec.com/blog/Ncrack-and-Nmap-NSE-development-for-offense-and-defense-DEFCON-CHINA/Paulino Calderon (@calderpwn) represented Websec in the first edition in China of the world-renowned DEFCON event. Here we share all the material of your workshop.Fri, 14 Dec 2018 22:31:13 GMTBlogCalderonChinaDEFCONNmapPaulinonseWebsec Security Teamhttps://websec.com/blog/launching-replay-attacks-wells-fargo-wallet-service/https://websec.com/blog/launching-replay-attacks-wells-fargo-wallet-service/The Wells Fargo Wallet service is susceptible to replay attacks, where an attacker may intercept a transaction through an altered PoS or fake terminal, steal the sensitive token, and replay the token later.Tue, 20 Nov 2018 19:28:28 GMTBlogAttacksFargoMendozaNFCPaymentSalvadorWellsnetxingWebsec Security Teamhttps://websec.com/blog/Three-Non-Web-based-XSS-Injections/https://websec.com/blog/Three-Non-Web-based-XSS-Injections/In this post guest blogger Alejandro Hernandez (nitr0us) writes about some interesting and fun XSS vectors which are not commonly seen.Tue, 19 Dec 2017 00:00:00 GMTBlogAlejandroCross-site ScriptingHernandezInjectionNon-webXSSnitr0usmxWebsec Security Teamhttps://websec.com/blog/Belkin-Wemo-Switch-NMap-Scripts/https://websec.com/blog/Belkin-Wemo-Switch-NMap-Scripts/Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been publishedFri, 23 Jun 2017 00:00:00 GMTBlogBelkinNetworkNmapPower OutletScriptsSmart PlugSwitchWemonseWebsec Security Teamhttps://websec.com/blog/mastering-the-nmap-scripting-engine/https://websec.com/blog/mastering-the-nmap-scripting-engine/We invite you to learn more about the latest publication from our team, "Mastering the Nmap Scripting Engine".Tue, 29 Nov 2016 05:41:58 GMTBlogEngineMasteringNmapScriptingnseWebsec Security Teamhttps://websec.com/blog/downloading-entire-source-code-through-exposed-GIT-directory/https://websec.com/blog/downloading-entire-source-code-through-exposed-GIT-directory/Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.Fri, 19 Feb 2016 23:45:19 GMTBlogAlevskDirbDirbusterDirectory ListingGitSource CodeWebsec Security Teamhttps://websec.com/blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q/https://websec.com/blog/backdoors-in-Zhone-GPON-2520-and-Alcatel-Lucent-I240Q/While examining the "dropbear" binary for the Zhone GPON 2520 and Alcatel Lucent I240Q, we found that both routers have backdoors that allow users with SSH access to connect to these devices with maximum privileges.Thu, 08 Jan 2015 00:00:00 GMTBlog2402520AlcatelBackdoorGPONInfinitumLucentPlaySSHTotalZhonei240qWebsec Security Teamhttps://websec.com/blog/drive-by-ONT-botnet-with-IRC-CC/https://websec.com/blog/drive-by-ONT-botnet-with-IRC-CC/Demonstration of a botnet created purely by using embedded devices which are controlled remotely through vulnerabilities exploited from a webpage.Thu, 19 Dec 2013 18:21:40 GMTBlogAlcatelBotnetDrive byI-240W-QLucentOntWebsec Security Teamhttps://websec.com/blog/insecure-session-data-CodeIgniter/https://websec.com/blog/insecure-session-data-CodeIgniter/A security analysis on how web applications created with the PHP framework CodeIgniter handle user sessions.Thu, 04 Jul 2013 08:05:18 GMTBlogCodeIgniterFrameworkInsecurePHPSessionUserWeb SecurityWebsec Security Teamhttps://websec.com/blog/panoptic/https://websec.com/blog/panoptic/An overview of Panoptic, an open source penetration testing tool that automates the process of search and retrieval of common log and config files through path traversal vulnerabilities.Sun, 14 Apr 2013 14:08:56 GMTBlogLFIPanopticPythonRFIToolWebsec Security Teamhttps://websec.com/blog/hackerhalted-discount-code-for-nmap-6-network-exploration-and-security-auditing-cookbook/https://websec.com/blog/hackerhalted-discount-code-for-nmap-6-network-exploration-and-security-auditing-cookbook/PacktPub created a special discount code for our friends from HackerHaltedFri, 14 Dec 2012 21:39:20 GMTBlogCookbookDiscountHackerHaltedNetworkNmapSecuritySecurity AuditingWebsec Security Teamhttps://websec.com/blog/backdoor-in-Alcatel-Lucent/https://websec.com/blog/backdoor-in-Alcatel-Lucent/The newest optical fiber devices offered by the ISP Infinitum have a backdoor which allow for full administration of these devices. This backdoor account is hidden by nature and does not allow for the password to be changed.Sun, 02 Dec 2012 15:06:54 GMTBlogAccountAlcatelBackdoorFiber OpticHiddenInfinitumLucentWebsec Security Teamhttps://websec.com/blog/Mac2WepKey-HHG5xx-for-iPhone/https://websec.com/blog/Mac2WepKey-HHG5xx-for-iPhone/The famous app to obtain the default WiFi passwords for Huawei routers is now available for the iPhone iOS 5.Thu, 06 Sep 2012 14:34:52 GMTBlogAppDefaultGeneratorHuaweiIphoneMac2wepkeyRene De La GarzaiOSWebsec Security Teamhttps://websec.com/blog/solutions-challenge-2B/https://websec.com/blog/solutions-challenge-2B/A detailed explanation of the SQL Injection challenge 2B and the many solutions used to solve this challenge.Wed, 22 Aug 2012 12:45:32 GMTBlog2BChallengeInjectionSQLSolutionWebsec Security Teamhttps://websec.com/blog/solutions-challenge-2A/https://websec.com/blog/solutions-challenge-2A/A detailed explanation of the SQL Injection challenge 2A and the many solutions used to solve this challenge.Sat, 14 Jul 2012 14:10:13 GMTBlog2AChallengeInjectionSQLSolutionWebsec Security Team