-
WASC RSA Meet-Up 2010!
The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference.If you like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch served: 12:00 PM…
-
Facebook security pretty much what you’d expect?
An interview claiming to be with a facebook employee discusses a few things that you probably were hoping didn't happen. Here are some choice quotes from the article " Rumpus: Have you ever logged in to anyone’s account? Employee: I have. For engineering reasons. Rumpus: Have you ever done it outside of professional reasons? Employee:…
-
Hacker Messes With Student’s Schedule
I don't usually post much about hacking incidents but this one was particularly funny. "A college student has been dropped from her classes twice, apparently the victim of someone who hacked into her schedule.Michelle McCoy-Lloyd was going to take two culinary classes at San Joaquin Delta College starting next week.Last month, someone had hacked into…
-
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Stephen Watt sentenced to 2 years in prison for role in TJX
Stephen Watt (alias JimJones/Unix Terrorist/PHC/etc) was sentenced to 2 years in prison for his role in writing the blablah sniffer used by the folks involved in the TJX credit card incident. From wired magazine "While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his…
-
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however is rarely discussed…
-
132,000+ sites Compromised Via SQL Injection
Net-Security has posted an article on the discovery of 132k+ sites that have been SQL Injected. From the article "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of…
-
Potential risks of using Google’s free DNS service?
Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why google is offering such a free service. Several points to consider Google can profile a…
-
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new framework based on…
-
Clientless SSL VPN products break web browser domain-based security models
A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link to http://<www.intranet.example.com>/mail.html becomes…
-
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increasesthe exploitability of existing memory corruption errors in type-unsafeapplications. With heap spraying, attackers leverage their ability toallocate arbitrary objects…
-
Symantec SQL Injected, Seeks Counseling
"The Romanian hacker who successfully broke into a web site owned by security vendor Kaspersky Lab has struck again, this time exposing shortcomings in a Symantec web server. The hacker, known only as Unu, said in a blog post today that he was able to access a server belonging to the security giant using a…
-
Firefox 3.6 locks out rogue add-ons
From computerworld "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own code is stored. The company has billed the…
-
Article: Securely deploying cross-domain policy files
Peleus from Adobe's security team has published a blog entry on how to securely deploy flash crossdomain.xml files. If you're considering using flash on your site, or already are be sure to check out this article. Article: http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html
-
OWASP Issues 2010 Top 10 (RC1)
At AppsecDC OWASP published the latest version of its top ten list. From the Top Ten "OWASP plans to release the final public release of the OWASP Top 10 -2010during the first quarter of 2010 after a final, one-month public comment period ending December 31, 2009. This release of the OWASPTop 10 marks this project’s…
-
Heading out to AppsecDC
I'll be heading out to AppSecDC to present Transparent Proxy Abuse on Thursday, so if you're attending and want to chat about appsec I'll be available after my talk. Here's a teaser of my presentation I'll be presenting a video demonstrating this abuse case against Squid and Mac OS X Parental Control software prior to…
-
TLS negotiation flaw published
Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related…
-
Amazon EC2 cloud computing for password/crypto cracking
There is a rather lengthy set of posts on using cloud based computing services as ideal venues for crypto and password cracking. Link: http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html Link: http://news.electricalchemy.net/2009/10/password-cracking-in-cloud-part-5.html
-
Microsoft’s Enhanced Mitigation Evaluation Toolkit adds protection to processes
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With…
-
Attacking Magstripe Gift Cards
Corsaire has published a rather lengthy paper on attacking gift card systems. While this is a little off topic it's a good read. "This paper is based on research conducted on a large number of UK gift cards. It has been created to complement the presentation “Stored Value Gift Cards: Magstripes Revisited”, which was delivered…
-
Metasploit sold to Rapid7
It was announced this morning that Rapid7 has purchased metasploit, and hdmoore! That is all. Rapid7 Announcement: http://www.rapid7.com/metasploit-announcement.jsp Metasploit Blog: http://blog.metasploit.com/2009/10/metasploit-rising.html Metasploit Blog: http://blog.metasploit.com/2009/10/joining-team.html More Coverage http://www.andrewhay.ca/archives/1085 http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html http://darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067
-
OWASP Publishes Transport Layer Protection Cheat Sheet
"This article provides a simple model to follow when implementing transport layer protection for an application. Although the concept of SSL is known to many, the actual details and security specific decisions of implementation are often poorly understood and frequently result in insecure deployments. This article establishes clear rules which provide guidance on securely designing…
-
WASC Announcement: 2008 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool togethersanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. The statistics was compiled from web application security assessment projects which…
-
One character mistake knocks .se TLD offline
"What was essentially a typo last night resulted in the temporary disappearance from the Internet of almost a million Web sites in Sweden — every address with a .se top-level down name. According to Web monitoring company Pingdom, which happens to be based in Sweden, the disablement of an entire top-level domain "is exceptionally rare.…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack