I'll be leaving for blackhat shortly and site updates will slow down a bit as well as moderation of the web security mailing list. If you're in vegas and want to chat appsec, be sure to RSVP to the huge OWASP/WASC party, I'll be there with just about every other application security...
US Denies Halvar Flake from presenting at blackhat
"I've been denied entry to the US essentially for carrying my training material. Wow. It appears I can't attend Blackhat this year. I was denied entry to the US for carrying training materials for the Blackhat trainings, and intending to hold these trainings as a private citizen instead of as a company....
Anti XSS using Ajax
"XSS has become a problem that most web developers still suffer from till now, simply because however hard you try to validate every user input, it only takes a single line of code that prints out the user input without validation to render your whole application vulnerable to XSS attacks and...
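The excerpt's point is that one unescaped output sink undoes all the input validation in front of it. The following is an added example (mine, not code from the article) showing the unescaped sink next to three hardened sinks, one per output context: HTML body, HTML attribute, and a JSON response meant for an Ajax caller. The comment payload and the HTML fragments are constructed for the example.

```python
import html
import json

# Constructed sample input: a comment body carrying a script payload.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_unsafe(comment):
    # The single unescaped sink the excerpt warns about: whatever
    # validation happened upstream, this line re-introduces the XSS.
    return f"<div class='comment'>{comment}</div>"


def render_html_body(comment):
    # HTML body context: html.escape turns & < > and both quote
    # characters into entities, so the payload renders as text.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_attribute(value):
    # Attribute context: quote=True is what stops a value such as
    #   x" onmouseover="alert(1)
    # from closing the attribute and adding an event handler.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_json_for_ajax(comment):
    # Data handed back to an Ajax caller as JSON. ensure_ascii keeps raw
    # U+2028/U+2029 out of the body, and "</" is split so the blob stays
    # inert even if someone later inlines it inside a <script> block.
    # The client side must insert the string with textContent, never innerHTML.
    blob = json.dumps({"comment": comment}, ensure_ascii=True)
    return blob.replace("</", "<\\/")


def ajax_roundtrip(comment):
    # Shows the extra escaping is transparent to a JSON consumer.
    return json.loads(render_json_for_ajax(comment))["comment"]


def contains_script_tag(markup):
    # Crude check used to compare the sinks above.
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_html_body(PAYLOAD))
    print(render_attribute('x" onmouseover="alert(1)'))
    print(render_json_for_ajax(PAYLOAD))
```

The JSON variant is the part that matters for an Ajax-based design: encoding on the server is only half of it, because a client that drops the decoded string into innerHTML has simply moved the unescaped sink into the browser.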
Avoid the dangers of XPath injection
"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well known and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack,...
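XPath injection works exactly like its SQL cousin: a user-supplied string is concatenated into a query, and a stray quote lets the attacker rewrite the predicate. The example below is added here and is not code from the article; it builds a user lookup both the vulnerable way and with a proper XPath string literal. XPath 1.0 has no escape sequence inside quoted strings, so the literal builder picks a quote character the value does not contain and falls back to concat() when the value has both. The user store and the sample inputs are constructed. Python's xml.etree implements only a subset of XPath and rejects the injected predicate with a SyntaxError; a full engine (lxml, javax.xml.xpath, System.Xml.XPath) would evaluate the injected `or` and return every user.

```python
import xml.etree.ElementTree as ET

# Constructed sample user store (not taken from the article).
USERS_XML = """<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>"""
USERS = ET.fromstring(USERS_XML)


def build_query_unsafe(name):
    # String concatenation: the XPath injection sink.
    return f".//user[@name='{name}']"


def xpath_literal(value):
    # Produce an XPath 1.0 string literal for an arbitrary value.
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: glue single-quoted pieces together with concat().
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_query_safe(name):
    return f".//user[@name={xpath_literal(name)}]"


def find_users(query):
    # Returns the matching user names, or None when ElementTree's limited
    # XPath parser refuses the query (which is what happens to the injected one).
    try:
        return [u.get("name") for u in USERS.findall(query)]
    except SyntaxError:
        return None


if __name__ == "__main__":
    injected = "bob' or '1'='1"
    print(build_query_unsafe(injected))
    print(build_query_safe(injected), find_users(build_query_safe(injected)))
```

Note that the concat() form cannot be evaluated by ElementTree either; it is there for engines that implement the full language, which are also the ones where the injection actually succeeds.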
Mozilla Protocol Abuse
Larholm writes "First they came for Safari, but no one complained because it was beta. Then they came for Internet Explorer, but no one cared because that was to be expected. Finally they came for Mozilla, but there was no one left to speak out." Article Link: http://larholm.com/2007/07/25/mozilla-protocol-abuse/
Mozilla confirms own URL handling bug
"The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker. In early July, three researchers found a way to execute code in Firefox -...
Hackers Can Now Deliver Viruses via Web Ads
"Web ads are becoming a delivery system of choice for hackers seeking to distribute viruses over the Internet. In a development that could threaten the explosive growth of online advertising, hackers have started to exploit security holes in the online-advertising chain to slip viruses into ads. Just going to a site that...
Interview with MPack Developer @ Securityfocus
Securityfocus has interviewed one of the developers of the MPack kit. "In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites. "A year later, the MPack kit has become an increasingly popular tool, allowing data...
Fox News Pwned
"While browsing around the Fox News website, I found that directory indexes are turned on. So, I started following the tree up, until I got to /admin. Eventually, I found my way into /admin/xml_parser/zdnet/, in which, there is a shell script. Seeing as it's a shell script, and I use Linux, I...
SOAs 6 burning questions
"Traditional application security is "ineffective and unwieldy in a SOA" because identity and access rights -- including passwords and privileges -- vary widely among applications, West of Saugatuck Technology writes in a research paper released last year. Single sign-on has not proved scalable in large organizations and is complicated by privacy and...
OFFTOPIC: Selling some application firewall domain names
This is off topic but I'm selling some application firewall domain names. If you're interested please ping me via the contact form. Serious offers only. Domains * www.webappfirewall.com * www.webappfirewall.net * www.webappfirewall.org
Google Home-brews Powerful Automatic Scanning Fuzzer
"Google's security team is home-brewing a powerful combination scanner and fuzzing tool that experts say will be unique outside of the commercial domain. In a posting on the Google security team's blog, Srinath Anantharaju said on July 16 that the security team has been working on a black-box fuzzing tool called Lemon,...
Zero-day sales not "fair" -- to researchers
"Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information. “I don't think it fair that researchers don't have the information and contacts they need to...
Rant: Security 2.0 and Ethics 0.2 Beta
UPDATE: There is a thread on the slackers forum talking about this below if you want to join in on the conversation. FX from Phenoelit has posted an interesting rant on the ethics and hype in the security industry. "The Web 2.0 has all the potential for the next big wave of...
Tool: SQL Power Injector 1.2
"SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page. For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the...
HDIV: Struts 2 Security Plugin
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts (Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confidentiality of non editable data and Generic Validations of the Editable Data), maintaining the API...
Dangerous Java flaw threatens virtually everything
"Google's Security team has discovered vulnerabilities in the Sun Java Runtime Environment that threaten the security of all platforms, browsers and even mobile devices. "This is as bad as it gets," said Chris Gatford, a security expert from penetration testing firm Pure Hacking. "It’s a pretty significant weakness, which will have a...
Greek spies plant rootkit in a phone exchange
"A highly sophisticated spying operation that tapped into the mobile phones of Greece's prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code. The spying case, where the calls of around 100 people using Vodafone’s network were secretly tapped, remains unsolved and is...
Article: Java security: Is it getting worse?
"Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security...
Microsoft Patch Tuesday Addresses .NET Vuln
"The critical update covers flaws in Excel, Windows Active Directory, and .NET Framework. All create a possible means for hackers to inject hostile code onto vulnerable systems (remote code execution). Separate security bugs in Internet Information Server (Microsoft's web server software) and Microsoft Office Publisher also carry the same risk but earn...
Paper: DNS Pinning and Web Proxies
"DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However,...
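In a DNS rebinding attack the browser keeps talking to the attacker's origin while the name now resolves to the victim's address, so every request the victim server receives still carries the attacker's hostname in the Host header. Checking that header against the names a service actually answers to is a server-side safeguard that does not depend on the browser (or proxy) doing any pinning. The code below is an added example of that check, not anything from the paper; the allowed host list and the two raw requests are constructed for the example.

```python
# Hostnames this service legitimately answers to (constructed example values).
ALLOWED_HOSTS = {"intranet.example.internal", "localhost", "127.0.0.1", "::1"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    # Normalise the Host header before comparing: case, optional port,
    # bracketed IPv6 literal, trailing dot. Reject anything unparseable.
    if host_header is None:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    return host in allowed


def host_from_request(raw):
    # Pull the Host header out of a raw HTTP/1.1 request head.
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def should_serve(raw):
    # Gate a request on its Host header; a rebinding victim sees the
    # attacker's hostname here even though the TCP connection is local.
    return host_is_allowed(host_from_request(raw))


# Constructed sample requests.
LEGIT_REQUEST = (
    "GET /status HTTP/1.1\r\n"
    "Host: Intranet.Example.Internal:8080\r\n"
    "User-Agent: constructed\r\n\r\n"
)
REBOUND_REQUEST = (
    "GET /status HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    "User-Agent: constructed\r\n\r\n"
)

if __name__ == "__main__":
    print("legit:", should_serve(LEGIT_REQUEST))
    print("rebound:", should_serve(REBOUND_REQUEST))
```

The check is deliberately an allowlist: comparing against "anything but the attacker" is hopeless, since the attacker picks the name.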
XSS cross webmail worm
Rosario Valotta writes in to tell us "I realized a PoC of what I define a XWW - Cross webmail worm, based on exploitation of XSS vulnerabilities. Detailed information and a video can be found at: http://rosario.valotta.googlepages.com/home" Article Link: http://rosario.valotta.googlepages.com/home
Securing Firefox: How to avoid hacker attacks on Mozilla's browser
"Security problems with Microsoft's dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers. However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks. The following configuration changes, recommended by CERT/CC, can disable various features...
Average zero-day bug has 348-day lifespan, exec says
"The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer. Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these...
Hacking Capitalism: electronic financial trading
"You'd think electronic financial trading would be extra secure, but not so much: One of the most popular application-layer protocols in the financial industry leaves these money applications wide open to attack, according to researchers. The application-layer FIX (financial information exchange) protocol is used by financial services firms, stock exchanges, and investment...
MPack Reveals Stingy Web Hosts
"According to reports, thousands of Web sites, predominantly in Italy, were recently compromised using the MPack malware kit, which contained iframe tags that pointed surfers towards hacker-controlled Web sites. A security researcher at the SANS Institute's Internet Storm Centre says that only one of the Web sites hosted on the machine had...
Security on AIR: Local file access through JavaScript
Fukami has published a post to The Web Security Mailing List outlining some risks with Adobe's AIR platform. I can tell you first hand that these sorts of applications are going to start popping up on many large sites in the next year.... "In general every file on local file system can...
CIA legend claims Belfast and Dublin major centres of industrial espionage
"A former top CIA agent has claimed Belfast and Dublin are world centres of industrial espionage where top corporations can buy secret information on their rivals. Bob Baer, whose life inspired the spy movie Syriana starring George Clooney, said Ireland was "just like Berlin during the Cold War". In an interview for...
Nearly 30,000 Malicious Web Sites Appear Each Day
"The number of malicious Web sites has skyrocketed over the past few months, going from 5,000 new ones a day in April to nearly 30,000 a day now. "This certainly is a huge increase," said Carole Theriault, a senior security consultant with Sophos, Inc., in an e-mail to InformationWeek. "In June, we...
Month of Search Engines Bugs Results Published
"33 search engines (30 web engines and 3 local engines) from 19 vendors took part in the project; some vendors have several engines. The list of the project’s participants (in order of appearance): Meta, Yahoo, HotBot, Gigablast, MSN, Clusty, Yandex, Yandex.Server (local engine), Search Europe, Rambler, Ask.com, Ezilon, AltaVista, AltaVista local (local engine),...
UCD School of Medicine hacked
"According to officials, 1,120 applicant records for the 2007-2008 class at the UC Davis School of Veterinary Medicine have been hacked, in what marks the first time an example of unauthorized access to the university's computer systems has been coupled with evidence of attempted fraud. According to the university, the incident was...