-
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Intro: The following describes a long-standing and common implementation flaw in online affiliate programs that allows for fraud. For those unfamiliar with affiliate programs, they give companies a way to let third parties/website owners direct traffic to their site in exchange for a share of the profits from user purchases. Most view affiliate programs…
-
Utilization of the same credentials across various sites
For years people have been getting their online accounts compromised due to phishing as well as via brute force attacks due to poorly chosen passwords. We also know that people tend to share the same credentials across multiple sites; however, I haven't seen any concrete research/metrics on how commonplace this is or the depth of…
-
DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit…
-
GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers
From the 'If you don't know, now you know, !@#$!' department. The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity. "I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN for the past…
-
My current stance on Web Application Firewalls
Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points; however, there is one in particular I'm going to have to disagree with, and that relates to using Web application firewalls. For many years I've been anti-Web application firewall, and as a general rule I…
-
How NOT to handle finding vulnerabilities at your company
UPDATED: Link to Steve's interview with CrYpTiC_MauleR added below. At first I wasn't going to post about this, but since it doesn't seem to be dying, I will. Long story short: 1. A low-level techie finds weaknesses/vulnerabilities at the company he works for (TJX). 2. He reports these issues to who he thinks should…
-
Bots Use SQL Injection Tool in Web Attack and Rant
"The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms — and then hit the sites found in the search return with SQL injection attacks,…
-
Bruce Schneier rants about 1984
"Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced. Data collection in Nineteen Eighty-Four was deliberate; today's is inadvertent. In the information society, we generate…
-
Getting to see an Enigma machine at RSA 2008
My week at RSA has been fairly interesting. One of the highlights was getting to see an Enigma machine at the NSA booth. Here is a short video I made of the NSA Museum employee explaining how it works.
-
Calling all Web Hacks of 2007
Jeremiah Grossman, Rsnakez0r, and I put together a Top Web Hacks of 2006 list last year, and this year we're soliciting public participation: submit what you think made the list for 2007. From Jeremiah's blog: "As RSnake, Robert Auger, and I released in 2006, we'll be putting together a Top 10 Web Hacks for 2007.…
-
Browser Security: I Want A Website Active Content Policy File Standard!
UPDATE: Before reading any further I want to preface this by saying that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it what its behavior should be on that site. The example below is a "sample implementation" and isn't meant to be…
-
5 amusing security vendor moments
This list was created from real security vendor interactions that a friend and I have experienced. 1. Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry Kevin! 🙂) 2. The vendor comes to your office and pitches you a presentation…
-
Cenzic Patent Case Worries Web Researchers, Vendors
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit — which centers around Cenzic's patent on a Web application vulnerability scanning technology — could mean trouble for other scanner vendors, as well as researchers who develop scanning techniques. Cenzic, which…
-
My experience at blackhat/defcon
Vegas was interesting this year, to say the least. For starters, I finally got to attend NOT as a vendor, which I gotta say was pretty nice. Here are the talks I attended:
Intranet Invasion With Anti-DNS Pinning
It's All About The Timing
Tactical Exploitation (Part 1)
Dangling Pointer
IsGameOver(), anyone?
The Art of Unpacking…
-
Rant: Security 2.0 and Ethics 0.2 Beta
UPDATE: There is a thread on the slackers forum talking about this below if you want to join in on the conversation. FX from Phenoelit has posted an interesting rant on the ethics and hype in the security industry. "The Web 2.0 has all the potential for the next big wave of FUD in security.…
-
Cenzic Patents the obvious: Fault Injection!
I monitor Google News for anything application security related and found the following, announced today by Cenzic: "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." – Cenzic. Cenzic is not the first application security…
-
A black market for search terms and user interests?
<thinking-out-loud>Google has recently added search history, and this got me thinking about how this information could be useful. Currently Gmail is linked to all of Google, and if you search for something while logged into Google with search history turned on, it gets recorded. Now you have data on what the user is searching…
-
Top 10 Web Hacks of 2006
I assisted Jeremiah Grossman and Rsnake in compiling a list of application security issues in the year 2006 that can be found on Jeremiah's blog. That is all.
-
Top 5 signs you’ve selected a bad web application package
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code
4. The total number of downloads is less than the application's age
3. It isn't running on the vendor's homepage
2. The readme file states that you need to chmod a certain file or directory to…
-
More fun with CSS history
There's been a big fuss that with CSS you can identify whether someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. Say you run http://www.sitea.com, and http://www.siteb.com and http://www.sitec.com are competitors of yours. Now you know these companies…
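The detection half of the trick above, as an added example that is not code from the original post: the page styles a:link and a:visited differently, renders a link to each competitor URL off-screen, and reads back the colour the browser actually applied. The advertising use of the result is cut off in the excerpt and is not reproduced here. The function and constant names (classifyVisited, makeDomProbe, VISITED_COLOR) are mine; the competitor URLs are the ones named in the post.

```javascript
// Added example; not code from the original post. It implements the
// :visited-colour probe that "CSS history" refers to, generalised to a
// list of URLs. All function and constant names here are mine.
//
// Caveat: browsers closed this channel around 2010 (Firefox 4, Chrome 6
// and later Safari/IE releases): getComputedStyle now reports the
// unvisited style whether or not the URL is in history, so this only
// "works" in browsers of the era the post was written in.

const VISITED_COLOR = 'rgb(255, 0, 0)';   // what a:visited is styled with
const UNVISITED_COLOR = 'rgb(0, 0, 255)'; // what a:link is styled with

// Decision logic kept free of the DOM: probeColor(url) must return the
// rendered colour of a link to url; the result maps url -> visited?
function classifyVisited(urls, probeColor) {
  const result = {};
  for (const url of urls) {
    result[url] = probeColor(url) === VISITED_COLOR;
  }
  return result;
}

// Browser half: inject the two rules and an off-screen container, and
// return a probe that renders one link at a time and reads its colour.
function makeDomProbe(doc) {
  const style = doc.createElement('style');
  style.textContent =
    '#hprobe a:link { color: ' + UNVISITED_COLOR + '; } ' +
    '#hprobe a:visited { color: ' + VISITED_COLOR + '; }';
  doc.head.appendChild(style);

  const box = doc.createElement('div');
  box.id = 'hprobe';
  box.style.position = 'absolute'; // off-screen rather than display:none so
  box.style.left = '-9999px';      // the link is still laid out and styled
  doc.body.appendChild(box);

  return function probeColor(url) {
    const a = doc.createElement('a');
    a.href = url;
    a.textContent = url;
    box.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    box.removeChild(a);
    return color;
  };
}

// The competitor sites from the post's scenario, probed from sitea.com.
const COMPETITORS = ['http://www.siteb.com/', 'http://www.sitec.com/'];

// Only runs the real probe when loaded in a browser page.
if (typeof document !== 'undefined' && document.body) {
  console.log(classifyVisited(COMPETITORS, makeDomProbe(document)));
}
```

The probe is split from the decision logic so the classification can be exercised with a stub outside a browser; in a page of the period, makeDomProbe(document) is the only part that touches the DOM, and a visitor who had been to sitec.com but not siteb.com would come back as {siteb: false, sitec: true}.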
-
ALERT: Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability Discovered
CERT has issued a warning against a new web-based threat entitled a "Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability". According to the founder of DSHIELD, Johannes Ullrich: "If on April 1st you have specific non-default settings in Internet Explorer, visit a series of 4 specific websites in order through a specific…
-
Application Security Predictions For The Year 2006
In 2005, published application security vulnerabilities exploded. If you're subscribed to mailing lists such as bugtraq, you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web brings. Worms and…
-
OWASP vs WASC
CMP Media has written a nice comparison chart between WASC (an organization I co-founded 🙂) and OWASP. While I may not agree with everything in this article, it does clearly outline a few key points between the two organizations. However, I *don't* agree with the following: "Two organizations promise to help. The Open Web…
-
MRTG for Intrusion Detection with IIS 6
I found this interesting article on SecurityFocus which explains how to use MRTG (a popular traffic monitoring tool) to monitor intrusion attempts against an IIS 6.0 machine. "But MRTG is also a very effective intrusion detection tool. The concept is simple: attacks often produce some kind of anomalous pattern and human brains are well-equipped to…
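One way to feed MRTG the kind of anomaly count the article describes, as an added example that is not the SecurityFocus article's own script: a small Node script that parses IIS 6.0 W3C-extended log lines and prints the four-line output an MRTG external target expects (first value, second value, uptime, target name). The two signals counted, 404 responses and requests whose path or query contains strings typical of web attacks, are my choice and an assumption about what "anomalous pattern" means here; the sample log lines are constructed, not a real capture, and all function names are mine.

```javascript
// Added example, not the SecurityFocus article's script. Counts two
// assumed anomaly signals in IIS 6.0 W3C-extended log lines and prints
// them in the four-line format MRTG reads from an external target.

// Assumed attack indicators: traversal, command/stored-procedure names,
// script tags, SQL UNION and NUL-byte tricks. "+" is IIS's space encoding.
const SUSPICIOUS = [/\.\.[\/\\]/, /cmd\.exe/i, /xp_cmdshell/i, /<script/i,
                    /union[\s+]+select/i, /%00/];

// Parse a W3C log. The "#Fields:" directive names the columns, so the
// field order is taken from the file instead of being hard-coded.
function parseW3cLog(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#') || !fields) continue; // other directives, or data before a header
    const cols = line.split(/\s+/);
    const row = {};
    fields.forEach((f, i) => { row[f] = cols[i] === undefined ? '-' : cols[i]; });
    rows.push(row);
  }
  return rows;
}

// Count the two signals over parsed rows; one request can hit both.
function countAnomalies(rows) {
  let notFound = 0;
  let suspicious = 0;
  for (const r of rows) {
    if (r['sc-status'] === '404') notFound++;
    const target = r['cs-uri-stem'] + '?' + r['cs-uri-query'];
    if (SUSPICIOUS.some((re) => re.test(target))) suspicious++;
  }
  return { notFound, suspicious };
}

// MRTG external-target output: value 1, value 2, uptime string, name.
function mrtgOutput(counts, uptime, name) {
  return [String(counts.notFound), String(counts.suspicious), uptime, name].join('\n');
}

// Constructed sample in IIS 6.0's default W3C field order (not a real log).
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-11-02 00:00:00
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-11-02 00:00:01 W3SVC1 10.0.0.5 GET /default.htm - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2005-11-02 00:00:02 W3SVC1 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 192.0.2.77 - 404 0 2
2005-11-02 00:00:03 W3SVC1 10.0.0.5 GET /products.asp id=1+union+select+1,2,3 80 - 192.0.2.77 - 500 0 0
2005-11-02 00:00:04 W3SVC1 10.0.0.5 GET /_vti_bin/owssvr.dll - 80 - 192.0.2.78 - 404 0 2
2005-11-02 00:00:05 W3SVC1 10.0.0.5 GET /images/logo.gif - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
`;

function main() {
  const counts = countAnomalies(parseW3cLog(SAMPLE_LOG));
  // Uptime is only displayed by MRTG; a real script would read it from the host.
  return mrtgOutput(counts, '0', 'iis-anomalies');
}

if (typeof require !== 'undefined' && require.main === module) console.log(main());
```

Against the sample this prints 2, 2, 0 and the target name: two 404s (the cmd.exe probe and the owssvr.dll probe) and two suspicious requests (the cmd.exe probe and the UNION SELECT). In an MRTG config the script would be referenced as an external target in backticks, with Options set to gauge so the per-poll counts are plotted as absolute values rather than converted to a per-second rate, and a deployed version would read only the lines written since the previous poll instead of an embedded log.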