"The FBI and Transportation Security Administration are investigating an IU doctoral student who created a Web site that generated fake Northwest Airlines boarding passes. Informatics graduate student Chris Soghoian reported Friday on his blog that the FBI showed up at his home in Bloomington and demanded he take down the Web site....
Hacking Web 2.0 Applications with Firefox
"AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins. The key learning...
Identifying Risks in the Development Cycle
Identifying security defects before a product ships reduces the risk of embarrassing public exposure, the cost of repairing the defect, and the risk to your customers. Your customers will not forget being compromised via a flaw in your product, and they may try to hold you accountable. Properly performing this security validation...
MySpace Accounts Compromised By Phishers
"MySpace appears to have been compromised by phishers who have presented a spoof login form on the main site" ... "Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting (XSS) or open redirects, it is convincing and...
ModSecurity 2.0 is out
"Ivan Ristic explains what's hot about the new release. Interview: ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX...
IE7 Is out, and vulnerable
IE7 has finally been released, but according to Secunia a vulnerability has already been published. They also provide a test that can be performed to see if you're vulnerable.
Article Link: http://www.theregister.co.uk/2006/10/19/ie7_release/
Advisory Link: http://secunia.com/Internet_Explorer_Arbitrary_Content_Disclosure_Vulnerability_Test/
Download IE7: http://www.microsoft.com/windows/ie/default.mspx
Web Application Security Professionals Survey
The riffraff of the web application security space, Jeremiah Grossman, has polled a bunch of application security professionals and published the results on his site. "Two weeks ago I sent out an informal email survey to several dozen people I know in the web application security professional services business. People from large...
Hacker Pumpkins
RSnake is having a hacker pumpkin carving contest. Check out the XSS'd tricked out carving :)
Article Link: http://ha.ckers.org/blog/20061016/hacker-pumpkin-carving-contest/
Zero day risks are Bullshit
"Patrick Clawson, newly appointed chief executive at PatchLink, poured scorn on the panic associated with “zero day vulnerabilities” calling it “bullshit”. “I’m calling bullshit on the whole zero day thing. These vulnerabilities are announced on that day, not released, it’s in the year running up to that date where they cause problems....
Exploit code hiding in cache servers
"According to Finjan Software, which has just released its latest Web trends report, caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for...
Top 5 signs you've selected a bad web application package
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code
4. The amount of total downloads is less than the application's age
3. It isn't running on the vendor's homepage
2. The readme file states that you need to chmod a certain file...
Hailstorm of Microsoft Patches Released
"Microsoft today issued a record-breaking number of security updates, fixing at least 26 separate security holes in its Windows operating system and other products, including 16 vulnerabilities in Microsoft Office and Office components. By my count, this is the largest number of flaws Microsoft has fixed in one go outside of a...
Flash + JS + crossdomain.xml = phun
I was browsing Jeremiah Grossman's blog and found an interesting post about a file named crossdomain.xml and extended uses of it with regard to cross site scripting. In a nutshell, there's this file called crossdomain.xml used by Flash to say 'I am www.domainb.com and I will allow users of www.domaina.com to...
Hacker cracks Google Blogger security
"Google was left red-faced on Saturday when a bug in its Blogger software allowed an unauthorised user to post a comment on the official Google blog. The post, which stayed up for around an hour before being pulled, claimed that Google had abandoned its click-to-call and Adwords partnership with eBay because of...
Top 10 Web 2.0 Attack Vectors
"On the “server-side”, XML based Web services are replacing some of the key functionalities and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings to applications. On the other side, RIA frameworks running on XML,...
Palisade Articles on Web Application Security
"Palisade is a monthly online magazine that focuses on application security. In each issue, we discuss topics of current interest in developing and using secure software." I stumbled upon this website by accident and it has quality articles worth checking out.
Site Link: http://palisade.plynt.com/
Firefox Zero-Day Code Execution Hoax?
"A public claim by hackers that Mozilla's Firefox browser is vulnerable to multiple code execution vulnerabilities may be an overblown hoax. On the heels of a ToorCon presentation where two security researchers—Mischa Spiegelmock and Andrew Wbeelsoi—warned that Firefox's implementation of JavaScript was badly flawed and could allow PC takeover attacks, Mozilla's engineers...
More fun with CSS history
There's been a big fuss about the fact that with CSS you can identify whether someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run www.sitea.com, and www.siteb.com and www.sitec.com are competitors of yours. Now you...
Application Security: Countering The Professionals
"Security threats and attackers are turning professional. Network managers still need to stop the script-kiddies from defacing their websites, but it is becoming increasingly important to stop the professionals who want to steal valuable information. The new attackers search for vulnerabilities in the application and exploit these weaknesses. Attackers are bypassing die...