Overview: Probably one of the first tasks when setting up a production environment is to mask the Apache or IHS (IBM HTTP Server) version and the Server banner in the response header. This is not critical and is considered a low-risk information leakage vulnerability, but it is a must-do for PCI DSS[...]
Category: Vulnerabilities & Fixes
Apache ClickJacking Attack - How to Fix
What is the Apache clickjacking attack and how to fix it: Clickjacking is a well-known web application vulnerability. For example, it was used in an attack on Twitter. To defend against clickjacking on your Apache HTTPD web server, you can use the X-Frame-Options header to protect your website from being framed by a clickjacking page. The X-Frame-Options HTTP response header can[...]
Clickjacking attack - IIS
Overview: Clickjacking (UI redress attack) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while they click on seemingly innocuous objects, including web pages. Affected versions: IIS 7.x, IIS 8.x. Solution: [...]
Disabling IIS Web Banner And Other IIS Headers
Overview: Microsoft IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I'll show you how to remove the server response headers in IIS. You don't want to give hackers too much information[...]
WebLogic Remote Code Execution CVE-2018-3191 - How to Fix
Overview: This Oracle WebLogic remote code execution vulnerability allows an unauthenticated attacker with network access via the T3 protocol to compromise a vulnerable Oracle WebLogic Server. Successful exploitation can result in a takeover of the Oracle WebLogic Server, i.e. remote code execution. Affected versions: WebLogic 10.3.6.0, WebLogic 12.1.3.0, WebLogic 12.2.1.3. Solution: This vulnerability[...]
ROBOT Return of Bleichenbacher Oracle Threat - How to Fix
Overview: ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive chosen-ciphertext[...]
WebLogic Remote Code Execution Vulnerability (CVE-2019-2725)
Overview: Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts. This vulnerability was identified in China; the China National Vulnerability Database (CNVD) security team has issued a bulletin about an unauthenticated remote command execution (RCE)[...]
How to Disable the Weak Ciphers – Apache/IHS
Overview: An SSL cipher is an encryption algorithm used to secure the connection between two computers over the Internet. Data encryption is the process of converting plain text into secret ciphered codes. It depends on your web server's SSL cipher configuration and a strong protocol that allows data encryption to take[...]
Sweet32 Attack - IIS
Overview: Sweet32 affects TLS ciphers; OpenSSL now considers the Triple DES cipher to be as vulnerable as the RC4 cipher. The DES ciphers (and Triple DES) have only a 64-bit block size. This enables an attacker to run JavaScript in a browser and send large amounts of traffic during the same TLS connection, creating[...]
Cross Site Scripting Attack - Apache/IHS
Overview: Cross-Site Scripting (XSS) protection can be bypassed in many browsers. You can enforce this protection for a web application even if it was disabled by the user. It is used by most of the giant web companies, such as Facebook, Twitter and Google. Solution: Go to the $Web_Server/conf directory. Open[...]