-
Twitter response to xss worm attack
Twitter has posted an entry on it's xss worm issues this weekend. "On a weekend normally reserved for bunnies, a worm took center stage. A computer worm is a self-replicating computer program sometimes introduced by folks with malicious intent to do some harm to a network. Please note that no passwords, phone numbers, or other…
-
Two XSS Worms Slam Twitter
UPDATE: F-Secure has posted more detailed information. "Some 24 hours after a worm spread advertising on Twitter, the popular social networking website, a second worm emerged on Sunday. Both worms appear to be created by Mikeyy Mooney, a 17-year-old from Brooklyn, New York. The first worm emerged on Saturday when Twitter profiles began posting messages…
-
XSS (Cross Site Scripting) Prevention Cheat Sheet
"This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by…
-
Blackhat 2006 RSS Security Talk Video Available
In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting. Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4Slides: http://www.cgisecurity.com/papers/RSS-Security.pptPaper: http://www.cgisecurity.com/papers/HackingFeeds.pdf
-
Tool: XSS Rays
"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make…
-
Protect Your Site With URL Rewriting
Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL writing to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that…
-
Practical Example of csSQLi Using (Google) Gears Via XSS
"Yesterday, at the Blackhat DC security conference, I spoke about the dangers of persistent web browser storage. Part of the talk focused on how emerging web browser storage solutions such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification, could be attacked on sites with existing cross-site…
-
F-Secure Hacked Via XSS, SQL injection
"A Romanian hacker site said on Wednesday it was able to breach the website of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week. F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately,…
-
Firefox 3.0.6 Released To Address Multiple Security Issues
Fixed in Firefox 3.0.6 MFSA 2009-06 Directives to not cache pages ignored MFSA 2009-05 XMLHttpRequest allows reading HTTPOnly cookies MFSA 2009-04 Chrome privilege escalation via local .desktop files MFSA 2009-03 Local file stealing with SessionStore MFSA 2009-02 XSS using a chrome XBL method and window.eval MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6) Additional…
-
The security industry needs to re-align its training expectations for QA
I've been involved in the security community for over 10 years and have worked for small, medium, andlarge companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and conferences discussing the need…
-
Microsoft’s SDL and the CWE/SANS Top 25
"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard for analyzing security…
-
Web Application Scanners Comparison
anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners.This evaluation was ordered by apenetration testing company that will remain anonymous. The vendorswere not contacted during or after the evaluation. The applications (web scanners) included in this evaluation are:–…
-
Thunderbird 2.0.0.19 Released With Security Fixes
MFSA 2008-60 – Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19) MFSA 2008-61 Information stealing via loadBindingDocument MFSA 2008-64 XMLHttpRequest 302 response disclosure MFSA 2008-65 Cross-domain data theft via script redirect error message| MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-67 Escaped null characters ignored…
-
It’s unanimous, Web application security has arrived
Jeremiah Grossman has posted an entry discussing the various security reports and how they are labeling web application security as a primary concern. "It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe,…
-
American Express web bug exposes card holders
"A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says. Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to validate American Express…
-
Opera releases update for ‘extremely severe’ vulns
"Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe". The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively. A critical bug…
-
Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live
"CAT.NET – Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and…
-
Executing scripts with non-english characters
There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks. "I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead I used double-byte…
-
Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that safely allows transferring data…
-
Fxcop HtmlSpotter – Spotting ASP.NET XSS using Fxcop and Html encoding document
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the asp.net control html encoding information. He now integrated the content into FXCop to help quickly identify spots in asp.net binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx
-
Real World XSS Vulnerabilities in ASP.NET Code
Microsoft has posted an article on what real world XSS vulnerable code looks like in ASP.NET applications. Handy if you develop asp.net or audit it for issues. "From couple of weeks we have been seeing some XSS vulnerabilities in asp.net code. Today I wanted to show you guys some real world examples ranging from property…
-
WASC Announcement: 2007 Web Application Security Statistics Published
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent…
-
How To: Detect Cross Site Scripting Vulnerabilities using XSSDetect
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development cycle. Arming developers with…
-
Article: SDL Embraces The Web
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through this SDL guidance…
-
Which ASP.NET Controls Automatically HTML Entity Output Encodes?
Sacha Faust has just published a grid mapping which asp.net controls automatically perform html entity output encoding when used. Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack