"Hacme Casino is an online casino, built with Ruby on Rails, with plenty of AJAX functionality. It has security vulnerabilities baked- in, and is meant to help educate developers and testers about web application security in the context of new technologies. If you are interested in the security aspects Ruby on Rails...
"The hacker at the centre of an extradition storm after he broke into the US Military and NASA computer systems has said the charges against him in the US have been manufactured to ease his extradition there. "For it to be extraditable under their computer laws in America you have to have...
Rsnake has an interesting blog entry (yes it's a few days old, I don't read it daily, so whatever) regarding utilizing XSS to steal auto form fill values. "Some (not all) automated input automation tools do so blindly. That is, they don't ask for user input when they input data. In fact...
"Kevin Mitnick, the notorious former hacker turned security consultant and tech celebrity, has been targeted by Pakistani crackers in a series of web face defacements attacks. Four websites associated with Mitnick's various ventures were sprayed with digital graffiti on Monday in an apparently personal attack. The sites defensivethinking.com, mitsec.com, kevinmitnick.com and mitnicksecurity.com...
"Assessing the security of Java applications, and particularly client- server applications, can be a tedious process of modifying the code, compiling, deploying, testing and repeat. This becomes even more difficult when the source code to the application is not available. What security testers require is an easy means of interacting with the...
"We're still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here's Rails 1.1.5! This is a MANDATORY upgrade for anyone...
The microsoft guys started a blog entry regarding my talk at blackhat/whitepaper. "We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft. One of the principles is defense in depth. The idea being, even if script somehow were to sneak by the first...
"The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the 3.2.10 release of mod_python. Mod_python 3.2.10 is considered a stable release, suitable for production use. Mod_python is an Apache HTTP Server module that embeds the Python language interpreter within the server. With mod_python you can write web-based...
This is a copy of the slides I used at my Blackhat 2006 talk and a link to the paper accompying it. Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems (Power Point) Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations (Remote Copy)
I started researching RSS and Atom feed vulns last September but got distracted for 6 months or so with work/life. I've written a basic paper discussing the issues relating to Cross Site Scripting and web based feeds. I cover the risks associated with the following types of readers: * Web Based Readers...
