There’s a very negative perception of WordPress in the security world but I’m not going to touch that topic today. What I will address is why I am running WordPress on my personal blog about security. Some folks in the information security community might find that to be ironic however there are very specific and […]
Damn Vulnerable NodeJS Application
I’m always looking for cool tools that help me advance my knowledge and I recently stumbled across the DVNA platform. This platform will allow you to demonstrate OWASP top 10 vulnerabilities in a lab setting. This is good for educational purposes and for practicing your pentesting craft. Check it out at: https://github.com/appsecco/dvna
CMS Poc Exploitation Framework
Demo: This is an interesting CMS exploitation framework released on GitHub (one of many!). If you think that you’re safe without adequate layer 7 defenses then you’re incredibly misinformed… Check it out at: https://github.com/CHYbeta/cmsPoc
Enable X-Forwarded-For on IIS 8.5 and up
It’s critical to enable X-Forwarded-For Logging when behind a proxy or load balancer in order grab the true IP address of visitors. To enable this in your IIS site follow the steps below: Step 1. Select your website in the IIS management console. In this example, I have a test site called www.larmeir.com. Ensure that […]
Apache Reverse Proxy Vhost Examples
For certain projects I’ll use Nginx or Apache as a reverse proxy to back end web servers. While Nginx is far more light weight and faster, Apache is the swiss army knife of web servers and has just about every feature you could need. Here’s a couple of examples of Apache Reverse proxy vhosts. SSL […]
Enabling X-Forwarded-For Logging In Apache 2.4
It’s critical to enable X-Forwarded-For Logging when behind a proxy or load balancer in order grab the true IP address of visitors. To enable this in your Apache vhost configuration, simply add the following logging options: 1 2 3 4 5 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l […]
Simple .htaccess rules to protect wp-login.php and xmlrpc.php
The majority of trash WordPress traffic is targeting wp-login.php with bruteforces and xmlrpc.php for pingback/dos attacks. A simple solution? Enforce IP based ACLs via your web server. Apache 2.4 .htaccess Example: 1 2 3 4 5 <Files wp-login.php> Require all denied # your IP below Require ip xxx.xxx.xxx.xxx </Files><Files wp-login.php> Require all denied # your […]
How to enable IPV6 and DHCP6 on a Fortigate firewall with FortiOS 5.2
Example Environment: My IPv6 Subnet: xxxx:xxxx:0:106::1/64 My DHCP Subnet: xxxx:xxxx:0:cccc::1/64 Step 1. Configure external interface and set options: 1 2 3 4 5 6 7 8 9 10 config system interface edit "wan1" set alias "External" config ipv6 set ip6-address xxxx:xxxx:0:106::2/64 set ip6-allowaccess ping set ip6-manage-flag enable set ip6-other-flag enable end nextconfig system interface edit […]