Some of the security issues commonly seen on a website can be taken care of using the .htaccess (hypertext access) file. In this article, I am going to show the .htaccess configuration from my WordPress website and explain the security issues sorted out using it. However, before we get into that, let’s look into what an .htaccess file actually is.

.htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn ‘loaded via the Apache Web Server’, then the .htaccess …


A guide on how to fix your vulnerable WordPress website.

Introduction

One of the first things you do when auditing a WordPress website is checking for ways to enumerate the admin username. In cases where the admin username is revealed, it’s pretty common to see the WordPress login page taking a large number of hits from brute force attacks against that username.

With Astra Web Application Firewall installed on our clients’ websites, I am easily able to observe this through the Login Activity feature which logs all the login attempts made, including successful attempts as well as the failed attempts that got blocked by Astra after a certain number of tries.


An Explanation with a Real Life Example

When I was trying to learn what CSRF is during my educational days, all I could find was theoretical stuff with examples of Bob and Alice and their transactions, which was good enough for the time being but not for gaining an idea of the real-world approach to this OWASP Top Ten 2013 vulnerability. It was only after I found and exploited a CSRF vulnerability on our client’s web application that I actually understood this vulnerability and its implications in depth.

Therefore, I have decided to write this article hoping to explain this vulnerability with a real life example that…


Something rather simple, yet potentially critical that a developer should take note of.

TL;DR: Improper configuration of robots.txt and the web server resulted in me getting access to my client’s highly sensitive files, each containing the transaction details of around 16,000 customers.

Introduction

This time around, it is not a price manipulation vulnerability like in the last story; rather, it is a combination of some low-risk vulnerabilities that paved the way to what could have been a data breach worthy of making the front page.

Client

Let’s call our client Flashy Holdings. Flashy Holdings is a large financial institution in their country with over 7000 employees at the time of writing. …


And what you can do to be more secure.

TL;DR: While pen-testing one of Astra’s customers, I found a way to change their set shipping charge to zero by manipulating the parameters in the POST request, and successfully place the order to any country of my choice.

Introduction

As an Information Security Analyst at Astra, I get to deal with reputed clients from all parts of the world. It is my daily job to test their web applications and assess every little corner of the website, which is something we can’t yet rely on automated scanners to do. However, the excitement of breaking into something new, the…

Jinson Varghese

Cybersecurity Researcher and Ethical Hacker
