Websec Cybersecurity Blog
Expert insights, trends, research findings, and best practices from our security team to help you strengthen your organization's security posture.
Belkin Wemo Switch NMap Scripts
Belkin Wemo Switch Smart Plug is a network controlled power outlet. The current firmware version does not requiere authentication to switch the power ON or OFF or to gather information such as nearby wireless networks. Two NMap scripts have been published
New publication: Mastering the Nmap Scripting Engine
Our team's latest book, Mastering the Nmap Scripting Engine, has been published. Across ten chapters it walks readers from Lua fundamentals and the NSE API through writing advanced brute-force, parallelism, and vulnerability-detection scripts.
Downloading an Application's Entire Source Code Through an Exposed GIT Directory
Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.
Backdoors in Zhone GPON 2520 and Alcatel Lucent I240Q
While examining the "dropbear" binary for the Zhone GPON 2520 and Alcatel Lucent I240Q, we found that both routers have backdoors that allow users with SSH access to connect to these devices with maximum privileges.
Drive By ONT Botnet with IRC C&C
Demonstration of a botnet created purely by using embedded devices which are controlled remotely through vulnerabilities exploited from a webpage.
(IN)secure session data in CodeIgniter
A security analysis of how web applications built on the CodeIgniter PHP framework handle user sessions, documenting the recurring implementation mistakes we see on assessments and what pentesters and developers should watch for.