-
Backdooring UIML’s and Existing JavaScript Applications
One of the more interesting aspects of so-called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (by Mozilla, been around a while) and XAML/XBAP (.NET 3.0, the new kid on the block). Essentially these languages allow you to 'paint' buttons, menu bars, grids, forms, message boxes, and other GUI components associated with HTML…
-
Wikipedia’s search engine will spell trouble for the SEO market
Wikipedia's founder has announced a search engine allowing users to control the search results in a way similar to how Digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as Google and Yahoo adopt similar models. Typically people will improve their rankings…
-
The lack of security enabled frameworks is why we’re vulnerable
We've been stating for years that 'developers need to learn to code securely'. Sure, this is great; however, it is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching, but rather than simply focusing on those paying attention we should start babysitting the remaining majority. So how do you watch what a developer…
-
PHP security under scrutiny
"Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications." … "The concerns come as attackers and security researchers have increasingly focused on finding flaws in…
-
Top 10 Web Hacks of 2006
I assisted Jeremiah Grossman and RSnake in compiling a list of application security issues in the year 2006 that can be found on Jeremiah's blog. That is all.
-
Application Security Predictions of 2007
OK, I know I'm a little early, but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them; however, read them over and give them some thought. Rich Internet Applications (RIA): .NET 3.0 WPF and Adobe Flex. The next big buzzword is going…
-
PHP Ninja Stefan Esser Quits the PHP Security Team After Being Ignored For Reporting Issues
Apparently Stefan Esser (a key player in PHP's Security Response Team) has called it quits. Stefan is known for finding various vulnerabilities in PHP and working with the PHP Security team to identify and prevent issues in PHP itself. From his blog (mirroring since his site appears to be getting slammed hard): "Last night I…
-
Worms Get Smarter
"The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms — ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites. Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the new worms discovered…
-
WASC-Announcement: Capturing and Exploiting Hidden Mail Servers
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link: http://www.webappsec.org/projects/articles/121106.shtml
-
MySpace, YouTube successes open door to Web 2.0 dangers
"But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists…
-
Myspace Phish Attack Leads Users to Zango Content
"A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole aim of which…
-
Myth-Busting AJAX (In)security
"The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have a difficult time…
-
Ajax Security: Stronger than Dirt?
"Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions. Ajax (Asynchronous JavaScript and XML) lurched into being in 2005 [1]. As a web services model, Ajax is touted as the next big thing…
-
Microsoft Anti-Cross Site Scripting Library V1.5 is Released
"For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes…
-
Browser Port Scanning without JavaScript
Jeremiah 'Lord Nikon' Grossman writes: "Since my Intranet Hacking Black Hat (Vegas 2006) presentation, I've spent a lot of time researching HTML-only browser malware since many experts now disable JavaScript. Imagine that! Using some timing tricks, I've discovered a way to perform Intranet Port Scanning with a web browser using only HTML. It's really…
-
Vulnerability Scanning Web 2.0 Client-Side Components
Shreeraj Shah has written an article outlining some of the 'Web 2.0' risks. He covers RSS security, JSON, Ajax security, Cross-Site Request Forgery and other related issues. Article Link: http://www.securityfocus.com/infocus/1881
-
Finally someone speaking about RIA (Rich Internet Applications)
I was happy to see a post at GNUCITIZEN chatting about RIA and how we should start reading up on this new, exciting technology. This is something I'm planning on sticking in my 2007 risk predictions. XUL and WPF/XAML are some exciting new web technologies I strongly advise you to start reading about. Article Link:…
-
Attacking Permalinks
Everyone has seen URLs such as http://site/2006/02/02, and you know that there's an application in the backend somewhere, but figuring out how to attack those URLs can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking about this in…
-
Web Application Security Professionals Survey Results
Jeremiah Grossman sent out a survey a few weeks ago to the application security industry and he has posted the results on his site. "73% of those performing web application vulnerability assessments are not using or rarely using commercial scanner products. It's hard to say if this is good/bad/increasing/decreasing or otherwise. Certainly people want tools.…
-
Top 10 Ajax Security Holes Post
RSnake provides some much needed insight into the AJAX craze. "However, I'd like to point out, as I have before that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can be circumvented now.…
-
Article: Challenges faced by automated web application security assessment tools
If you’re in the position of evaluating a web application security scanner, or use one to fulfill a compliance scanning requirement then you may want to check out an article I wrote describing some of the challenges these products face. Article Link: http://www.cgisecurity.com/articles/scannerchallenges.shtml
-
Mod Security as an IPS
One of our readers, 'J. Oquendo', "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'. "Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit scan there… Let's build…
-
Detecting Web Application Security Vulnerabilities
An anonymous poster contributes "Web application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to IBM labs, there…
-
Security Fix Released for PHP
"The PHP development team is proud to announce the immediate release of PHP 5.2.0. This release is a major improvement in the 5.X series, which includes a large number of new features, bug fixes and security enhancements. Further details about this release can be found in the release announcement 5.2.0, the full list of changes…
-
Happy Birthday Internet Worms
"The Morris worm or Internet worm was one of the first computer worms distributed via the Internet; it is considered the first worm and was certainly the first to gain significant mainstream media attention. It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT. The…