A variety of web applications employ database systems for the provision of backend functionality. A widely used language used to query, operate, and administer database systems is Structured Query Language (SQL). Owing to its rampant use in web applications globally, SQL powered databases are easy and frequent targets for cyber-criminal acts, the severity of which depends solely on the intricacies of each…

Magento Extension PDF Invoice Plus Vulnerability by Astra Magento Security

About PDF Invoice Plus Magento Extension Vulnerability A couple of weeks ago, our security team was performing a security audit on a customer store using Magento. While testing the extensions used by the customer, a critical vulnerability was found in the extension PDF Invoice Plus. This extension is a widely used extension by hundreds of Magento stores to generate invoices…

Clickjacking - All You Need to Know

Often stated as one of the most overlooked of all web vulnerabilities, clickjacking aka UI redress attack refers to a type of attack that tricks users into unwarily clicking on nefarious links set up by the attacker. On clicking these links, the attacker is able to gather confidential information, compromise the user’s privacy, or make a user perform actions online…

A recently discovered unpatched vulnerability has rendered Wordpress. the most popular CMS in the world in peril of user credential exposure. The vulnerability could allow hackers to compromise targeted admin passwords. What's more perturbing is that it renders all versions of Wordpress as vulnerable. The wordpress vulnerability (CVE-2017-8295) had been brought to light by Dawid Golunski, a Polish security researcher who reported…

5 Vulnerabilities 75% Websites Have

Internet Security for online businesses and applications is an ever pressing issue. While organizations are regularly updating their defense mechanisms against rising cyber-attacks, cyber criminals are constantly finding new hack techniques to break into firewalls and steal sensitive information. 2016 witnessed a steep rise in cyber-crime attacks, all the while with no exception of insider threats getting prominent each year. Enlisted below are…

Cross Site Scripting XSS - Astra Security

Cross-Site Scripting (XSS) attacks are stated as one of the most rampant occurring yet easily fixable injection attack faced by e-commerce businesses and a variety of other web applications. From targeting applications built on archaic web technologies to newer ones using rich, client-side UIs, XSS has plagued them all. However, it is imperative to realize that vulnerabilities posing as a…

Recently a new severe 0-day Magento vulnerability has been released by DefenceCode team in an advisory. If you are vulnerable from this, attackers are capable of remotely executing  arbitrary code. As of now the vulnerability has been confirmed for the Magento Community edition as the researcher did not test for the enterprise edition. But since both the version use same base code there is…

Magento-Module-XSS-AffiliatePlus-GetAstra.com

A couple of weeks ago, we were performing a security scan for a customer using Magento shop. While auditing their website our team found a critical vulnerability in Affiliate Plus module. According to Affiliate Plus' website, 7000+ stores use the extension. This Affiliate Plus Magento module XSS vulnerability leaves a number of Magento stores vulnerable. About Affiliate Plus Magento Module XSS When logged…

Lately, Magento has been in news owing to frequent notorious attacks on it's payment security system. A recent case of Magento attack witnessed credit card scrapers targeting the payment security system of Magento stores in order to steal paramount credit card information. Consequently, Magento has been wary of vulnerabilities in its system and in a prudent attempt, regularly releases security patches as…

Close