Input Validation Attacks Archives

EBay Remote Code Execution Vulnerability Demonstrated

15-December-201318-April-2020Prasanna Sherekar

A German Security researcher has demonstrated a critical vulnerability on Ebay website. He found a controller which was prone to remote-code-execution due to a type-cast issue in combination with complex curly syntax. In a demo video, he exploited this RCE flaw on EBay website, and managed to display output of phpinfo() PHP function on the […]

Yahoo Account Exploit Selling on Black Market

28-November-20125-December-2012Prasanna Sherekar

Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would […]

Fully Automated MySQL 5 Boolean Enumeration Script

3-January-201215-January-2012Prasanna Sherekar

This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping. Syntax: perl mysql5enum.pl -h [hostname] -u [url] [-q [query]] Example: perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q “select system_user()” Description: – By default, this script will first determine username, version and database name before enumerating the information_schema information. – When the -q […]

Facebook To Start Paying Security Bug Bounty

30-July-20112-August-2011Prasanna Sherekar

Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that- “To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.” Here’s how it works: Eligibility: To qualify for a bounty, you must: Adhere to our Responsible Disclosure Policy Be the first […]

Zed Attack Proxy (ZAP) – Integrated Penetration Testing Tool

21-June-20119-July-2011Prasanna Sherekar

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners […]

MySQL and Sun websites hacked using SQL injection

28-March-201128-March-2011Prasanna Sherekar

MySQL.com, the official website of the database management system of the same name, was today subjected to an attack whereby hackers used SQL injection exploits to gain access to a complete list of usernames and passwords on the site. News of the attack surfaced when the attackers posted details of the compromise on the Full […]