-
My experience co-leading purple team
I've been fortunate enough to manage a red team program for several years, and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get/what problems we could find turned into a mechanism to work more closely, and regularly, with operations/IT teams. More…
-
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started this site I…
-
WASC Threat Classification 2.0 Sneak Peek
Here is a sneak peek at the WASC Threat Classification v2.0. We’ve been working on this for more than a year and it’s been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement “The Threat Classification v2.0 outlines the attacks…
-
Announcing month of new security buzzwords
In the tradition of Month of Bugs we’re pleased to announce the month of security buzzwords, complete with abbreviations. #1 Remote Command Injection (RCI) #2 Remote Filestream Inclusion (RFSI) #3 Cam Jacking (CJ) #4 Cross-Port Request Forgery (XPRF) #5 Cross-Site Fixation (XSF) #6 HTTP Gerbiling (HTTP-Gerbil) #7 Host Request Splitting (HRS) #8 Double Credential Reflection…
-
Proxy Attack Stupid Buzzword Contest
I just released a paper on an attack vector against certain transparent proxy architectures via the use of client side plugins with sockets support. If you've been reading this site for a while you can probably tell that I frown upon new industry buzzwords and often make fun of new silly sounding terms. Rather than selecting…
-
Microsoft Fixes Clickjacking in IE8?
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique — first detailed in mid-2008 by…
-
Load Jacking latest buzzword
I hate promoting new buzzwords but found this one amusing. "So what do you do when you’re a couple of bored Russian immigrants with some cool hacking skills and you want to make some money the easy way? Well, if you are Nicholas Lakes and Vaiachelav Berkovich you set yourself up as a trucking company…
-
Details of Clickjacking Attack Revealed With Online Spying Demo
"A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works. Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it — Jeremiah Grossman and Robert “RSnake” Hansen — at the request of Adobe, which wanted more…
-
Adobe yanks speech exposing critical ‘clickjacking’ vulns
"In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation…
-
Same Site Scripting Paper Released
An email sent to bugtraq by Tavis Ormandy outlines a new attack dubbed same site scripting. "It's a common and sensible practice to install records of the form "localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely however, administrators often mistakenly drop the trailing dot, introducing an interesting variation of Cross-Site Scripting (XSS) I call Same-Site…
-
Coined Buzzword of the week: Cross Site Printing
Aaron Weaver has published a whitepaper describing how you can utilize 'intranet hacking' tricks to send spam to printers. Pretty amusing. "Many network printers listen on port 9100 for a print job (RAW Printing or Direct IP printing). You can telnet directly to the printer port and enter text. Once you disconnect from the printer…
-
Cross-build injection attacks
"Injection-based attacks have proven effective, yielding access to private data or possible control over a compromised machine. Software vendors are in a continual race to fix the holes that allow these attacks to succeed. But what if a hacker could inject malicious code when a program is actually compiled and created? Unfortunately, with the…
-
JSON, Ajax & Web 2.0: Sounds like a classical reinvention, but this volatile trio opens the door to serious vulnerabilities
"Now that Web 2.0 hype is at full tilt, much ado's being made over Ajax framework vulnerabilities and other new-fangled bugs. A prime example of this phenomenon is the spectacular Javascript hijacking vulnerability discovered by Fortify Software (login required). Every security bug like this deserves some ink, but too much focus on bugs may cause…
-
Anti DNS Pinning/DNS Rebinding is the new industry buzz(word)
Anti-DNS Pinning/DNS Rebinding is the new security hot topic lately and I wouldn't expect the marketingfest to end anytime soon. "While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford — known as domain-name service (DNS) rebinding — could send and receive data from the local network, completely bypassing…
-
Joanna Rutkowska Pwns challengers at blackhat
"In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level…
-
Anti XSS using Ajax
"XSS has become a problem that most web developers still suffer from till now, simply because however hard you try to validate every user input, it only takes a single line of code that prints out the user input without validation to render your whole application vulnerable to XSS attacks, and once you are…
-
5 Ways People Screw Up AJAX
I had noticed that not many articles existed on the negative aspects/implementation of ajax, so I came up with this top 5 list of things people screw up when using ajax. 1. No back button!: One of the most annoying things to a user is the inability to go backwards. They may visit a site, perform…
-
AJAX: Selecting the Framework that Fits
DDJ has released an article covering the following AJAX frameworks.
* Dojo 0.3.1 (dojotoolkit.org).
* Prototype and Scriptaculous 1.4 (www.prototypejs.org and script.aculo.us).
* Direct Web Reporting 1.0 (getahead.org/dwr).
* Yahoo! User Interface Library 0.11.1 (developer.yahoo.com/yui).
* Google Web Toolkit 1.0 (code.google.com/webtoolkit).
If you're using AJAX or are considering it, check it out. Article Link: http://www.ddj.com/199203087
-
Ambiguity In Ajax Lockdown Framework
An anonymous user writes "This draft sets focus on the complexities in ajax lockdown for client privacy. The framework is based on the concept of fusing ajax applications with direct web remoting. The stress is laid on the client server communication and the main point of talk is encrypting the client data and decrypting on the…
-
Myth-Busting AJAX (In)security
"The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have a difficult time…
-
Ajax Security: Stronger than Dirt?
"Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions. Ajax (Asynchronous JavaScript and XML) lurched into being in 2005 [1]. As a web services model, Ajax is touted as the next big thing…
-
Vulnerability Scanning Web 2.0 Client-Side Components
Shreeraj Shah has written an article outlining some of the 'Web 2.0' risks. He covers RSS Security, JSON, Ajax Security, Cross Site Request Forgery and other related issues. Article Link: http://www.securityfocus.com/infocus/1881
-
Top 10 Ajax Security Holes Post
RSnake provides some much needed insight into the AJAX craze. "However, I'd like to point out, as I have before that really users should not consider AJAX to be another security risk. It is the same old risk that we have always faced, except there is more client side code that can be circumvented now.…
-
Hacking Web 2.0 Applications with Firefox
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning objectives of this…