About a year ago I discovered this by accident and hadn't seen it published anywhere, so I thought it was worth mentioning. If you enter any of the following into the Firefox URL bar, it will take you to www.cnn.com: [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...
Cryptography experts bicker with former NSA director at RSA panel
I recently attended RSA and had a chance to see the cryptography panel. Towards the end of the panel an amusing amount of bickering began between the former NSA technical director (Brian Snow) and folks such as Whit Diffie (inventor of the Diffie-Hellman key exchange) and Adi Shamir (co-founder of RSA...
Web Security Dojo v1.0 release
From the announcement: "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine (VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use...
Watcher 1.3.0 passive Web-vulnerability testing tool released
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casaba Security. The full announcement can...
XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really :) Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php
Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection
I haven't really been posting advisories on this website for the past year; however, a series of XML Injection/XXE vulnerabilities in Adobe products caught my eye. XML Injection is to web services what XSS is to web pages (an attacker-controllable application response able to perform abuses against the consumer). This advisory...
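To make the XSS analogy concrete, here is an added example (my own illustration, not code from the Adobe advisory or its products) showing both halves: an XML Injection where a string-built request lets the caller smuggle in a second <role> element, and an XXE payload that a hardened parser refuses by rejecting the DOCTYPE outright. The element names, the injected value and the XXE document are all constructed for the illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed attacker input for the XML Injection case: the value closes the
# <role> element the service opened and opens a second one of its own.
INJECTED_ROLE = "user</role><role>admin"

# Constructed XXE payload: a DOCTYPE declaring an external entity that a parser
# with external entity resolution enabled would fetch and inline into <user>.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<request><user>&ext;</user><role>user</role></request>"""


def build_request_unsafe(username: str, role: str) -> str:
    """String-concatenated XML: attacker-controlled text becomes markup."""
    return f"<request><user>{username}</user><role>{role}</role></request>"


def build_request_safe(username: str, role: str) -> str:
    """Build the tree with the XML library so '<', '>' and '&' are escaped."""
    root = ET.Element("request")
    ET.SubElement(root, "user").text = username
    ET.SubElement(root, "role").text = role
    return ET.tostring(root, encoding="unicode")


def roles_in(doc: str) -> list:
    """What a consuming service would read back as the role(s)."""
    return [r.text for r in ET.fromstring(doc).iter("role")]


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE (where entity declarations live)."""


def parse_without_dtd(doc: str) -> ET.Element:
    """Hardened parse: refuse any DOCTYPE before the document is processed.

    Entities, internal or external, can only be declared inside a DTD, so a
    service that never needs one can reject the whole construct instead of
    trying to enumerate dangerous declarations.
    """
    probe = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    probe.StartDoctypeDeclHandler = reject_doctype
    probe.Parse(doc, True)  # raises DtdNotAllowed on any <!DOCTYPE ...>
    return ET.fromstring(doc)


if __name__ == "__main__":
    print(roles_in(build_request_unsafe("alice", INJECTED_ROLE)))  # ['user', 'admin']
    print(roles_in(build_request_safe("alice", INJECTED_ROLE)))    # ['user</role><role>admin']
    try:
        parse_without_dtd(XXE_PAYLOAD)
    except DtdNotAllowed as exc:
        print("blocked:", exc)
    print(parse_without_dtd(build_request_safe("alice", "user")).find("role").text)
```

The unsafe builder hands the consumer two roles, the second one chosen by the attacker; the library-built document carries the same bytes as inert text. Rejecting the DOCTYPE also shuts down internal-entity expansion attacks; if a service genuinely needs a DTD, the alternative is to disable external entity resolution in the parser that actually processes the document, not a different one.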
Post on Abusing Windows Communication Foundation to Perform Remote Port Scans
Brian Holyfield has published an entry on using Windows Communication Foundation (WCF) to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article: "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind...
2010 SANS Top 25 Most Dangerous Programming Errors Released
I was lucky enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other "top x" security lists, SANS/MITRE's methodology is fairly extensive and well documented, giving you insight into how decisions were made. I do want to point out that top...
Larry Suto Web Application Security Scanner Comparison Report Inaccurate, Vendors Say
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect, the vendors responded that the report is inaccurate; in this case, however, both HP and Acunetix argued valid points. From Acunetix: "They were not found because Larry didn't authenticate our scanner (didn't...
R.I.P. Apache 1.x: Apache 1.3.42 marks end of life
Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider...
Nikto version 2.1.1 released
Sullo has sent the following announcement to the Full-Disclosure mailing list indicating a new release of Nikto: "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...
Weaning the Web off of Session Cookies: Making Digest Authentication Viable
Timothy D. Morgan has published an excellent paper describing: how UI limitations hinder adoption of HTTP-based authentication; how UI behaviors are or can be abused pertaining to HTTP auth; observations on cookie limitations; and proposals for browser vendors to allow more widescale adoption of HTTP-based auth such as Digest. From the paper...
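For readers who have only ever dealt with session cookies, here is the Digest exchange the paper wants browsers to make usable, as an added example that is not from the paper: the client answers the server's challenge with a hash that never carries the password, and the server verifies it from a stored HA1 rather than a cleartext secret. The challenge, credentials and client-chosen values are the RFC 2617 section 3.5 worked example; the parsing helpers and the nonce bookkeeping are my own.

```python
import hashlib
import hmac
import re

# RFC 2617 section 3.5 test vector: the server's challenge and the values the
# client uses for its answer (username/password are the RFC's, not constructed).
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
USERNAME, PASSWORD = "Mufasa", "Circle Of Life"
METHOD, URI = "GET", "/dir/index.html"
NC, CNONCE = "00000001", "0a4f113b"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_params(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted if quoted else bare for key, quoted, bare in found}


def ha1_for(username: str, realm: str, password: str) -> str:
    """The only password-derived value; a server can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Client side: answer the challenge without ever sending the password."""
    p = parse_digest_params(challenge)
    if "auth" not in p.get("qop", "").split(","):
        raise ValueError("server does not offer qop=auth")
    resp = digest_response(ha1_for(username, p["realm"], password),
                           method, uri, p["nonce"], nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}", opaque="{p["opaque"]}"')


def server_verify(authorization, method, ha1_by_user, live_nonces) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.

    live_nonces is the set of nonces this server issued and has not expired;
    anything else is a replay or a forgery, whatever the response hash says.
    """
    p = parse_digest_params(authorization)
    try:
        if p["nonce"] not in live_nonces:
            return False
        ha1 = ha1_by_user.get(p["username"])
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"], p["qop"])
    except KeyError:  # a required parameter is missing
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    auth = client_authorization(CHALLENGE, USERNAME, PASSWORD, METHOD, URI, NC, CNONCE)
    print(auth)  # response="6629fae49393a05397450978507c4ef1", as in the RFC
    store = {USERNAME: ha1_for(USERNAME, "testrealm@host.com", PASSWORD)}
    print(server_verify(auth, METHOD, store, {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}))
```

Two caveats worth keeping in mind when reading the paper's proposals: the response is bound to the method and URI, so a captured Authorization header cannot be replayed against another resource, but it is plain MD5 and protects nothing else about the request, so TLS is still required; and the stored HA1 is salted only by username and realm, so it is password-equivalent for that realm if the store leaks.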
WASC RSA Meet-Up 2010!
The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference. If you'd like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world, this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch...
Facebook security pretty much what you'd expect?
An interview claiming to be with a Facebook employee discusses a few things that you probably were hoping didn't happen. Here are some choice quotes from the article: "Rumpus: Have you ever logged in to anyone's account? Employee: I have. For engineering reasons. Rumpus: Have you ever done it outside of...
Hacker Messes With Student's Schedule
I don't usually post much about hacking incidents but this one was particularly funny. "A college student has been dropped from her classes twice, apparently the victim of someone who hacked into her schedule. Michelle McCoy-Lloyd was going to take two culinary classes at San Joaquin Delta College starting next week. Last month, someone...
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...
Stephen Watt sentenced to 2 years in prison for role in TJX
Stephen Watt (alias JimJones/Unix Terrorist/PHC/etc.) was sentenced to 2 years in prison for his role in writing the blablah sniffer used by the folks involved in the TJX credit card incident. From Wired magazine: "While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison,...
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product before release. It's good to see a company such as Adobe publishing this information, as it's one of those things that is discussed frequently by the security community; however...
Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping
I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec...