"This article describes how certain types of captchas (such as the ones used by a German online-banking site) can be automatically recognized using software. The attack does not recognize one particular captcha itself but exploits a design error that allows averaging multiple captchas containing the same information." Article Link: http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/
Exploiting JSON Framework : 7 Attack Shots
Aditya K Sood writes "This article defines the layout of the exploiting factors of web attacks, i.e. where the JSON framework is compromised. The article is consistent in explaining the pros of the web attack related to JSON." Article Link: http://www.zeroknock.metaeye.org/mlabs/expjson.html
Infection Vectors In JUMP
Aditya K Sood writes "This article clearly explains the infection vectors in the JSON Uniform Messaging Protocol. As we know definitively, JUMP uses mainly HTTP and a lightweight JSON record to edit a number of web pages. This article explains the attack vectors in the protocol implementation where the infection can occur. The infection here...
Microsoft, Hacker Attack XSS
tribe85@gmail.com quotes "Microsoft, Hacker Attack XSS JANUARY 22, 2007 | 5:30 PM -- It's an unlikely alliance, for sure. But a Microsoft engineer and RSnake, the founder of ha.ckers.org and sla.ckers.org -- which have brought attention to the epidemic of cross-site scripting (XSS) vulnerabilities in major Websites -- have...
Crawling Ajax-driven Web 2.0 Applications
Who cares? writes "Crawling web applications is one of the key phases of automated web application scanning. The objective of crawling is to collect all possible resources from the server in order to automate vulnerability detection on each of these resources. A resource that is overlooked during this discovery phase...
*Results* Web Application Security Professionals Survey
An anonymous user writes "The results are in and the people have spoken! Our goal was to capture the thoughts of the crowd and boy did it ever! The 59 respondents shared their battleground views of web application security and in doing so presented interesting perspectives and great insights of...
Vulnerability tallies surged in 2006
"Flaws in Web applications boosted the bug counts for 2006 by more than a third over the previous year, according to data obtained by SecurityFocus from the four major vulnerability databases. On Monday, the Computer Emergency Response Team (CERT) Coordination Center released its final tally of the number of flaws the organization...
CGISecurity Article: The Cross-Site Request Forgery FAQ
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please...
WASC RSA Meet-up
This year's RSA Conference is being held at the San Francisco Moscone Center [2] (February 5 to 9) and every year, for the past couple of years, we've coordinated an informal WASC Meet-Up. Usually about 20 or so people in the web application security community show up to have some fun sharing drinks,...
Rogue XML Specifications
Aditya K Sood writes "This article solely relates to the insecurities that remain in the XML schema defined for any web server that relates to a peculiar web servicing application. This is actually based on the AJAX framework, as the XML specification acts as an interface to server objects. The interface which is being...
Web Application Security Professionals Survey (January)
"This monthly survey has become a really fun project. It's receiving great reviews and right when you think you know something, the answers to a couple questions reveal something unexpected. That's what we're really going for here. Exposing various aspects of web application security we previously didn't know, understand, or fully appreciate....
Writing Software Security Test Cases: Putting security test cases into your test plan
Besides CGISecurity.com, I'm involved with my other project, QASec.com, a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing. I've just written an article explaining how Quality Assurance Engineers can include security testing in their test plans. "Part of software testing involves replicating customer...
Adobe Client-Side Plugin Allows Universal XSS
An XSS issue in Adobe Acrobat allows you to XSS a user against any website hosting a PDF file. UPDATE: Download Acrobat 8; it addresses this issue, so install it to protect yourself. If you host PDF files on a site, it has been suggested that you associate the PDF MIME type on your web server...
NGSEC's Security Game #3 - BrainStorming
NGSEC has announced version 3 of their web application security challenge. "On each level you will be presented a form asking you to authenticate. You do not know the user and the password; the goal is to bypass the authentication mechanism." Challenge Link: http://quiz.ngsec.com/game3/
Vulnerability Scanners Review
Someone has written up a review of 11 security scanners, specifically: ISS Internet Security Systems, SSS Shadow Security Scanner, Retina (eEye), Nessus, GFI Languard Network Security Scanner, Qualys (www.qualys.com), Nstealth Security Scanner (www.nstalker.com), Nikto, Whisker, Infiltrator (infiltration-systems.com), and Nscan. "I was looking at 3 main areas while evaluating the scanners. 1. Comprehensiveness of...