All Posts

2 min Exploits

8 Reasons Why SQL Injection Vulnerabilities Still Exist

Knowing how to prevent a SQL injection vulnerability is only half the web application security battle. A multitude of factors come into play when it comes to writing secure code, many of which are out of the developers' direct control. That's why common vulnerabilities like SQL injection continue to plague today's applications, and why application security testing software is so important. These problems can be overcome – with a little

3 min AppSpider

Mobile application security: Lock the back door!

Mobile application security A few years ago, Sean Gallagher wrote this article that we believe outlines one of the most important areas of application security risk today, mobile application security. In his article for Ars Technica, “Mobile Application Security: Always Keep the Back Door Locked,” Gallagher outlines that it's important to address mobile application security because many of the mobile applications we use today access backend middleware and corporate data sources. We have email app

1 min

5 Tips for Dealing with Unusual Traffic Detected Notifications

If you get an "unusual traffic detected" notification from Google, here are five ways to troubleshoot the issue. Learn more.

5 min IT Ops

Unleash the power of node.js for Shell Scripting (Part 1)

Setting Up Running a Node Script We are going to talk about creating shell scripts with node.js. The first thing that you need to do is install node.js. You can get the installers from https://nodejs.org/en/download/, or use your favorite package manager. Let’s go straight in and write our first script. The first thing to do is to create a file called script.js with the following code: console.log('hello world') We can now execute this script by running the following command in our shell:

3 min IT Ops

Logging from Tableau for Successful DataOps

Lately, we’ve been seeing a growing number of customers using Logentries in support of DataOps – the practice of collecting, normalizing and redistributing data throughout an organization so teams can make smarter business decisions. With teams ranging from engineers to support to marketing & sales relying on data for every day decision making, a critical requirement of those within a DataOps role is to actively monitor their organization’s data platforms. I recently had the pleasure of chatt

1 min Metasploit Weekly Wrapup

Metasploit Weekly Wrapup for 2015-10-15

Welcome to this week's Metasploit Wrapup. I'm your host Brent Cook, tagging in for egypt who just finished speaking about Metasploit at the Texas DIR Telecommunications Forum. This week was largely focused on bug fixes and refinements. In the fixes bucket, PowerShell sessions now properly upgrade with the 'sessions -u' command. Fixing this also revealed some general proble

4 min IT Ops

Exploring Lambdas and Streams in Java 8

Java 8 introduced a host of new features, including lambda functions and streams. In this article I will focus on these two features as they are the most impactful features that were added in this new version of Java. Lambda Functions If you ever had to write a GUI for an application with an OO language you’ll understand the pain of writing event handlers, such as a mouse click event. So much boilerplate needed because you had to define a disgusting inline class with a single method. With the

6 min Log Management

10 Best Practices for Log Management and Analytics

Introduction Today’s Log Management and Analytics Challenges Within the last decade, the advancement of distributed systems has introduced new complexities in managing log data. Today’s systems can include thousands of server instances or microservice containers, each generating its own log data. With the rapid emergence and dominance of cloud-based systems, we have witnessed explosive growth in machine-generated log data. As a result, log management

5 min Project Sonar

Rapid7 Labs' Project Sonar - Nexpose Integration

With the release of Nexpose 5.17, customers were enabled to easily gain an outsider's view of their internet-facing assets. This capability was made possible through integration with Rapid7 Labs' Project Sonar. What is Project Sonar? Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the

5 min

TLS Coverage Improvements in Nexpose 6.0.2

Over the last couple of years, some of the most serious and widely publicized vulnerabilities have been related to the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Because TLS is so fundamental to keeping network communications secure, new flaws that are discovered can have a disproportionate effect on an organization's risk. From Heartbleed to POODLE, FREAK

1 min Logentries

Logentries Joins the Rapid7 Family

I'm very excited today to join the Rapid7 family. The acquisition is good news for Logentries customers, Rapid7 customers and all of our employees. It means that great minds and innovative technology have come together to solve some of our thorniest IT and security challenges. The Logentries team has been on a mission over the last few years -- Revealing the Power of Log Data to the World. While pursuing our mission, I am often asked why log data has become so valuable. The answer is simple: l

2 min Exploits

R7-2015-17: HP SiteScope DNS Tool Command Injection

This is a vulnerability advisory for the HP SiteScope DNS Tool Command Injection vulnerability, made in accordance with Rapid7's disclosure policy. Summary Due to a problem with sanitizing user input, authenticated users of HP SiteScope running on Windows can execute arbitrary commands on affected platforms as the local SYSTEM account. While it is possible to set a password for the SiteScope application administrator, this is not enforced upon installation. Therefore, in default deployments, an

1 min Metasploit

Metasploit Framework Tools Reorg

There are a wide variety of interesting and useful tools in the Metasploit Framework. Many of these are available from the top-level of Metasploit in the form of modules and library code. You can find countless tutorials and blogs about how to put msfconsole, msfvenom and other top-level commands to good use. However, not many people know about the 'tools' directory, which contains many useful, single-purpose scripts, with topics spanning from exploit development to statistics. One of the probl

4 min Metasploit

New Metasploit Tools to Collect Microsoft Patches

Patch testing and analysis are important parts of vulnerability research and exploit development. One popular reason is that people use this technique to rediscover patched bugs, or to find ways to keep a 0day alive in case the fix in place is inadequate. The same process is also used to find the range of builds affected by a vulnerability, which tends to be useful for predicting the value of the exploit and improving target coverage and reliability. Going through Microsoft patches is no easy task, tho

3 min Nexpose

Nexpose 6.0: Using Adaptive Security

Overview Adaptive Security is a new feature released in Nexpose 6.0 that dynamically collects and analyzes the important network changes with minimal configuration needed from the user. This new feature allows you to create workflows called automated actions that can respond to various behaviors occurring in your environment automatically. For further explanation, please feel free to read Adaptive Security Overview. Triggers and Actions Currently Adapti