"The Captcha Trojan disguises itself as a stripper game that offers voyeurs the chance to see images of a model getting undressed. In order to get "Melissa" to lose an item of clothing, the user must identify the letters or numbers found within a scrambled text image that forms the basis of...
The time has come. I'm selling some security domain names I own because I just don't need them. webappfirewall.com webappfirewall.org webappfirewall.net j2eesecurity.com j2eesecurity.org j2eesecurity.net ajaxsecurity.org ajaxsecurity.net securecoding.net If you're interested either ping via sedo, or via the web form on this site.
United States Patent 7266699 was issued to AppSecInc. From the patent "The invention provides a transparent encryption infrastructure which allows the user to point-and-click on columns and tables to encrypt data. The creation of triggers and views are also easily implemented, to encrypt and decrypt data, to manage the encryption keys and...
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE...
"There is a Great Divide in the realm of information technology. I'm not talking about Windows versus Linux or Java versus .NET-no, nothing like that. The gap I'm referring to is between software developers and the people who manage them - what I call hackers and suits. Let's clarify one thing first:...
"SWAT officers expected to find a victim shot to death, drugs and a belligerent armed suspect when they surrounded the home of an unsuspecting couple, but found they were only a part of a false emergency call caused by a teenager who hacked into the county’s emergency response system, authorities said. As...
Larry Suto has written a paper reviewing Webinspect, Appscan, and NTO Spider. From the article "The study centered around testing the effectiveness of the top three web application scanners in the following 4 areas. 1. Links crawled 2. Coverage of the applications tested using Fortify Tracer 3. Number of verified vulnerability findings...
The Russian Business Network is an ISP in St. Petersburg allowing for hosting of 'anything'. "The Russian Business Network sells Web site hosting to people engaged in criminal activity, the security experts say. Groups operating through the company's computers are thought to be responsible for about half of last year's incidents of...
"I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking...
The final review of Web application security scanners has been released by darkreading. "As we wrap up our four-month Rolling Review series, we do want to award some partial credit. While only IBM's WatchFire AppScan automatically handled our Ajax applications, Acunetix Web Vulnerability Scanner, Cenzic Hailstorm and Hewlett-Packard WebInspect (post-update) were capable...
Rain Forest Puppy has written an article on vuln disclosure discussing ethics. "simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR...
Not that this is surprising but it appears rather then defacing sites outright attackers are now starting to target sites with adsense on them and replacing the codes in order to steal earnings. For those of you unfamiliar with adsense you stick a piece of javascript on your site with your code...
UPDATED: It appears the site has expired and no mirror exists. :( daath writes in to tell us about his SQL Injection cheat sheet. "I wrote a MS Access SQL Injection Cheat Sheet. You can find it here : http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html" SQL Injection Cheat Sheet Link: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax...
An interesting presentation was posted on the future of firefox, javascript, and the web worth checking out (click through the slides). "I just finished giving a presentation at the Future of Web Apps conference, here in London. Thanks to everyone who attended - I hope I didn’t sound too sleep deprived! In...
"Instead of jamming radar signals, Suter uses a more sophisticated approach of "hacking" into enemy defences. "The technology allows users to invade communications networks, see what enemy sensors see, and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can't be seen," Aviation Week...
"A hacked county website in California that redirected users to a pornographic site triggered the federal government late Tuesday to initiate a system-wide shutdown of all government sites in the Golden State. The process was never completed, after state officials urged the feds to reverse their decision to take offline all state...
My friend Joren forwarded to me the ror security cheatsheet which is a great central resource for ruby on rails security issues. If you code or are going to perform an audit against an ror application be sure to check this out. Article Link: http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
