  • Trojan Horse Program Targeting Adsense

    Apparently people are uploading malware to users' computers in order to replace the ads displayed on websites they visit with their own ads. "Techshout.com reports that a new, deceptive Trojan Horse program has surfaced. The program is engineered to produce fake Google ads that are formatted to look like legitimate ones. The ads are incorporated in…

  • Application Security Predictions For The Year 2006

    In 2005, published application security vulnerabilities exploded. If you're subscribed to mailing lists such as Bugtraq, you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web brings. Worms and…

  • More than 450 Phishing Attacks Used SSL in 2005

    Netcraft has published some statistics about phishing on their site. "In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives…

  • Security Vendors Form Application Security Industry Consortium (AppSIC)

    Apparently Microsoft, Oracle, Red Hat, and SAP have formed a vendor-based security consortium titled "AppSIC", or the Application Security Industry Consortium. Quoting the article: "Herbert Thompson, the consortium's chair and director of security technology at Security Innovation, says AppSIC members will meet monthly to exchange ideas and vet papers to be issued under the…

  • Rootkits, cybercrime and OneCare By TheRegister

    TheRegister has a short editorial outlining some of the highlights of the year 2005, including Sony's DRM, Microsoft OneCare, viruses, convictions, and phishing. Article Link: Rootkits, cybercrime and OneCare: The year in IT security (TheRegister)

  • Yahoo Cross Site Scripting Vulnerability Discovered

    A posting to the Full Disclosure mailing list claims an unpatched Cross Site Scripting vulnerability in Yahoo!'s mail, with example script code. Quoting the author: "I didn't contact Yahoo, because I contacted them previously regarding a similar vulnerability, and yes they fixed it "silently" without even sending me a thank you email, frankly I didn't…

  • PAPER: Preventing Http Session Fixation Attacks

    Zinho writes: "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer's point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)

  • Top 7 PHP Security Blunders

    Sitepoint has published an article covering the 7 most common vulnerability types as they apply to the PHP language, as well as configuration options to further lock down your environment. While I disagree with the structure and the actual choice of 7, the article is good and worth checking out. If you're lazy and just want the seven, here they are. (I'm…

  • “2005 The Year of Phishing”

    Phishing has exploded in 2005, so I've decided to dedicate a section of this site to it. I have created a Phishing resource page providing a list of tools, news articles, whitepapers, and solutions to phishing. If there is a resource that I've missed, please let me know. Phishing Link: Phishing HomePage

  • RSS Is Worm Bots' Next Target

    Yahoo News has an interesting article on worm propagation via RSS feeds. "David Sancho, senior anti-virus research engineer at Trend Micro, warned that RSS feed hijacking will become commonplace when Microsoft Corp. ships Internet Explorer 7, a browser refresh that will feature built-in RSS support. In a white paper titled "The Future of Bot Worms,"…

  • OWASP vs WASC

    CMP Media has written a nice comparison chart between WASC (an organization I co-founded 🙂) and OWASP. While I may not agree with everything in this article, it does clearly outline a few key points between the two organizations. However, I *don't* agree with the following: "Two organizations promise to help. The Open Web…

  • ModSecurity 1.9 FINAL has been released

    Ivan Ristic writes: "ModSecurity 1.9 FINAL has been released. It is available for immediate download from: http://www.modsecurity.org/download/ After more than a year in development, ModSecurity 1.9 introduces a number of changes that further increase the usefulness of this web application security tool. Changes (since 1.8): Major enhancements include: * A brand new audit logging subsystem…

  • PHP Worm in the Wild

    "Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC for PHP, a popular open source component used in many applications, to attack vulnerable systems." – The Register. Article Link: http://www.theregister.co.uk/2005/11/07/linux_worm/