-
WASC TC v2 – Improper Input Handling Section Completed
I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level of detail. We've…
-
Yahoo Best Jobs in America ranks infosec professional #8
After checking out my favorite stocks this morning at finance.yahoo.com I saw an article titled 'best jobs in America' so figured I'd check it out. To my surprise Computer/Network Security Consultant was ranked as the 8th best job in the US. Very cool! Link: http://finance.yahoo.com/career-work/article/107932/best-jobs-in-america.html
-
Announcing the Web Application Security Scanner Evaluation Criteria v1
“The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that…
-
WASC Honeypots – Apache Tomcat Admin Interface Probes
The WASC Distributed Open Proxy Honeypots project has published an entry on people performing brute force attacks against Tomcat administrative interfaces through WASC's open relay proxies. Tomcat Brute Forcing: http://tacticalwebappsec.blogspot.com/2009/10/wasc-honeypots-apache-tomcat-admin.html
-
Reddit XSS worm spreads
UPDATE: Reddit has posted a blog entry at http://blog.reddit.com/2009/09/we-had-some-bugs-and-it-hurt-us.html addressing this. "Popular social news website Reddit has stopped the spread of a cross-site scripting (XSS) worm that hit the site on Monday. The XSS worm spread via comments on the site, originally from the account of a user called xssfinder. Reddit failed to filter out…
-
SVN Flaw Reveals Source Code to 3,300 Popular Websites
"A Russian security group has posted a detailed blog post about how they managed to extract the source code to over 3,300 websites. The group found that some of the largest and best known domains on the web, such as apache.org and php.net, amongst others, are vulnerable to an elementary information leak that exposes the…
-
New open source web application layer firewall ‘ESAPI WAF’ released
"The open-source ESAPI WAF is a departure from commercial, network-based firewalls, as well as ModSecurity's free WAF, says Arshan Dabirsiaghi, developer of the ESAPI WAF and director of research for Aspect Security. Dabirsiaghi will roll out the WAF at the OWASP Conference in Washington, D.C., in November. "WAFs today are deployed as appliances meant to…
-
Strict Transport Security (STS) draft specification is public
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a newly proposed protocol that allows a website to instruct returning visitors to never visit the site over http and to only visit it over https; it is entirely opt-in. This can prevent MITM situations where an…
-
Microsoft publishes BinScope and MiniFuzz
From the download pages. BinScope: "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft's Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place,…
-
Chrome adds defence for cross-site scripting attacks, already busted
"The 4.0.207.0 release uses a reflective XSS filter that checks each script before it executes to check if the script appears in the request that generated the page. Should it find a match, the script will be blocked. According to Chromium developer Adam Barth, the developers plan to post an academic paper that will describe…
-
WASC Distributed Open Proxy Honeypot Shows Brute Force Attacks Against Yahoo
Fellow WASC officer Ryan Barnett has published findings pertaining to a distributed brute force attack against Yahoo's login pages as part of his findings for the WASC Distributed Open Proxy Honeypot Project. For those not aware of this project, Ryan leads an initiative where people run open relay proxies and centrally upload the logs…
-
MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution
Microsoft has just published a remote vulnerability in the Windows TCP/IP stack. "This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices…
-
Apache.org Incident Report For 8/28/2009 Hack
From the report: "Our initial running theory was correct: the server that hosted the apachecon.com (dv35.apachecon.com) website had been compromised. The machine was running CentOS, and we suspect they may have used the recent local root exploits patched in RHSA-2009-1222 to escalate their privileges on this machine. The attackers fully compromised this machine, including gaining root…
-
Apache.org Compromised via stolen SSH keys
Netcraft is reporting that apache.org has been compromised. The apache blog posted the following message indicating an SSH key compromise. "This is a short overview of what happened on Friday August 28 2009 to the apache.org services. A more detailed post will come at a later time after we complete the audit of all machines…
-
Article: Bypassing DBMS_ASSERT in certain situations
David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper: "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks [1]. In [2] Alex Kornbrust showed that there are…
-
AppSec DC 2009
"OWASP Announces International Application Security Conference for 2009 Speaker Agenda Released and Registration Open for 2009's Largest Web Application Security Event Washington DC August 20th, 2009 — Following in the footsteps of the Open Web Application Security Project's (OWASP, http://www.owasp.org ) immensely successful and popular conferences earlier this year in Australia, Poland, Ireland, and Brazil,…
-
WASC Threat Classification v2 updates
We're nearing the completion of the WASC Threat Classification v2 (2 sections left!) and have added the following new sections since my last couple of posts. Null Byte Injection Integer Overflows We've also heavily updated the following sections Buffer Overflows (in depth discussion of heap vs stack vs integer overflows) SQL Injection (added SQL Injection…
-
Bypassing OWASP ESAPI XSS Protection inside Javascript
"Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is all about breaking things and features all the scenarios that can result in XSS. To complement his efforts, there is an excellent XSS prevention cheat sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far as I have seen, this wiki page provides the most…
-
WordPress Admin Password Reset Vulnerability
"Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password…
-
Next Phase of WASC’s Distributed Open Proxy Honeypot Project Begins
Fellow WASC Officer Ryan Barnett has started the next phase of the Distributed Open Proxy Honeypot Project, where people deploy open relay proxies and send the results to a central host for analysis. I met up with Ryan at Black Hat, where he showed me the central console displaying metrics for each proxy node (shown below).…
-
Gary McKinnon loses appeal
"Gary McKinnon has lost a judicial review against his extradition to the United States on hacking charges. Lawyers for the Briton hoped his recent diagnosis with Asperger's Syndrome would be enough to persuade judges to overturn previous rulings and allow McKinnon to be tried in the UK." – The Register Long story short Gary hacked…
-
Why you never use ATMs in the hotel defcon is hosted in, or near
Just got back from Vegas and finally started catching up. Looks like a fake ATM was placed at defcon (no surprise). "As the conference was kicking off a few days ago, attendees noticed that an ATM placed in the Riviera Hotel, which plays host to the annual event, didn't quite look right, according to a…
-
One In Two Security Pros Unhappy In Their Jobs?
Darkreading posted the following article on an infosec job survey that I found highly intriguing. "Kushner and Murray say they were surprised by security's high number of unhappy campers: 52 percent of the around 900 security pros who participated in the survey are less than satisfied with their current jobs. Only 27 percent said…
-
Hacking Short CSRF Tokens using CSS History Hack
Securethoughts has posted an entry on combining the CSS history hack with brute forcing of short CSRF tokens, and has created a POC demonstrating it. While not fast, this is certainly achievable on short CSRF token values (assuming the token is still valid and hasn't expired once identified), and it has the advantage that it doesn't perform site…
-
Microsoft Security Bulletin Summary for July 2009
It is Microsoft patch Tuesday and the following issues have been addressed. MS09-029 Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371) This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully…