-
Interesting IE leak via window.onerror
Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror handler and then…
-
Palin e-mail snoop sentenced to a year in custody
"Former college student David Kernell, whose criminal prying into Sarah Palin's personal e-mail account caused an uproar two months before the 2008 presidential election, was today sentenced to a year and a day in federal custody by a judge who recommended that the time be served in a Knoxville, Tenn. halfway house. Corrections officials could…
-
CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years
To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response (XSS). At…
-
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started this site I…
-
WASC Web Hacking Incident Database Semi-Annual Report for 2010
Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 – http://projects.webappsec.org/Web-Hacking-Incident-Database-2010-Semi-Annual-Report A…
-
Apple website hit with SQL Injection
"A hack attack that can expose users to malware exploits has infected more than 1 million webpages, at least two of which belong to Apple. The SQL injection attacks bombard the websites of legitimate companies with database commands that attempt to add hidden links that lead to malware exploits. While most of the sites that…
-
New Site Addressing Python Security
For you python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community – http://www.pythonsecurity.org/ –which is now the central hub for security in Python. We're writing articleson security topics and how they pertain to Python, analyzing…
-
Why publishing exploit code is *generally* a bad idea if you’re paid to protect
Update2: Further proof that people are abusing this in a wide scale and likely wouldn't have had the exploit code not been released. Update: I've clarified a few points and added a few others. Recently Tavis Ormandy (a google employee) discovered a security issue in windows, and days after notifying Microsoft published a working exploit…
-
A reminder that CSRF affects more than websites
Maksymilian Arciemowicz has published an advisory outlining how one can perform CSRF attacks against FTP services, in this case Sun Solaris 10 ftpd. An attacker could embed a payload such as the following to execute commands on ftpd. <img src=”ftp://…..////SITE%20CHMOD%20777%20FILENAME”;> The NetBSD team addressed this issue by failing on large commands. The interesting thing…
-
Paper: Feasibility and Real-World Implications of Web BrowserHistory Detection
Artur Janc and Lukasz Olejnik have published a whitepaper outlining CSS history techniques along with results of what they found from real world users. From the whitepaper "Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely dismissed as…
-
Mozilla releases browser checker to see if you’re running vulnerable plugins
Mozilla has released a tool that identifies which browser plugins you have installed, identifies if it is vulnerable, and provides you with links to get the updates. Very handy! Browser Plugin Check: https://www.mozilla.com/en-US/plugincheck/
-
Release of Strict Transport Security http module for ASP.NET.
Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate data through online…
-
Apache Compromised Again
It appears someone used a combination of XSS on an Apache domain, a url shortener, and an issue tracking system to ultimately lead to rooting of 2 core Apache machines used to host bugzilla, and the main shell server. This is a great breakdown of a real world incident that people rarely publicly speak about,…
-
Tools: CMS Explorer Tool Released
Sullo writes in "CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running. It can also search OSVDB.org for vulnerabilities in found components, as well as "bootstrap" a security proxy by downloading potential file names from the component's code repository and then requesting…
-
Be careful of “scheme relative urls” when performing 3xx redirects
Former coworker Sacha Faust has published an entry on how the lack of handling relative urls when implementing URL redirection can lead to open redirector's. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx
-
TJX Hacker Gets Pwned, 20 Years In Prison
Could the trend of claiming not to know any better while hacking due to asperger's be coming to an end? From Wired "Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX…
-
Secure Application Development on Facebook Platform
Facebook and isecpartners have teamed up to write an article on developing secure applications on the Facebook platform. "This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with the social network…
-
Web Security Dojo v1.0 release
From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use non-conflicting ports and…
-
Watcher 1.3.0 passive Web-vulnerability testing tool released
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." – Casabasecurity The full announcement can be found at…
-
XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really 🙂 Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php
-
Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection
I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory provides a good…
-
2010 SANS Top 25 Most Dangerous Programming Errors Released
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top x lists in…
-
Larry Suto Web Application Security Scanner Comparison Report Inaccurate Vendors Say
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t provided any credentials). No…
-
R.I.P. Apache 1.x: Apache 1.3.42 marks of end life
The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider this the time…
-
Weaning the Web off of Session Cookies Making Digest Authentication Viable
Timothy D. Morgan has published an excellent paper describing How UI limitations hinder adoption of HTTP based authentication How UI behaviors are/can be abused pertaining to HTTP auth Observations on Cookie limitations Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest From the paper "In this paper,…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack