Yesterday a couple of 'researchers' published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you're vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against...
Insecure magazine #18 was just released. Here are a list of some of the articles within it. Network and information security in Europe today Browser security: bolt it on, then build it in Passive network security analysis with NetworkMiner Lynis - an introduction to UNIX system auditing Windows driver vulnerabilities: the METHOD_NEITHER...
An anonymous user writes "ASP.NET has had a mitigation to prevent against CSRF/One-Click attacks since 1.1 with the use of Page.ViewStateUserKey property. You can now make sure that the property is being used using FxCop." Link: https://blogs.msdn.com/sfaust/archive/2008/09/25/checking-for-viewstateuserkey-using-fxcop.aspx
Michal Zalewski of google has posted a proposal on browser security enhancements to the whatwg mailing list. "I am posting here on the advice of Ian Hickson; I'm new to the list, so please forgive me if any of this brings up long-dismissed concepts; hopefully not. For a couple of months now,...
The full disclosure mailing list is usually 95% junk but every once in awhile an amusing/informative post gets through. Today an amusing post came through regarding a 'Worldwide SQL Protocol Advisory'. That's not to say this post isn't junk, but I found it amusing :) Here's a peek "II. Problem description The...
Slashdot linked to a top 13 list of amusing error messages. Check them out at: http://technologizer.com/2008/09/18/errormessage/
Firefox 3.0.2 has been released which addresses the following security flaws. MFSA 2008-44 resource: traversal vulnerabilities MFSA 2008-43 BOM characters stripped from JavaScript before execution MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17) MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution MFSA 2008-40 Forced mouse drag Read more at : http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.2
"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by this...
"Windows IT people everywhere owe thanks to Dr. Mark Russinovich, now a technical fellow at Microsoft and his less-famous partner Bryce Cogswell. Russinovich is famous both as an author, making the technical details of Windows accessible to the rest of us who dare to think we are technical, and as a programmer,...
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the asp.net control html encoding information. He now integrated the content into FXCop to help quickly identify spots in asp.net binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx
Motley fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable...
"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non post-backs (I.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks. Often,...
While this is off topic for this site I do find it amusing :) "Hackers broke into the Yahoo! e-mail account that Republican vice presidential candidate Sarah Palin used for official business as Alaska's governor, revealing as evidence a few inconsequential personal messages she has received since John McCain selected her as...
Romain Gaucher posted the following email to The Web Security Mailing List today announcing a handy tool he authored. "I remember reading here a couple of emails about how to analyze the apache log in order to look for potential attacks. Since I needed to do exactly the same few times ago,...
"In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser...
"Mozilla's security chief said Apple should disclose more information about the steps it takes to protect customers from malware and other computer-born threats. At a security conference on Monday, Window Snyder said open communication about recently reported vulnerabilities and ongoing processes for locking down products is a core responsibility of security departments...
Microsoft has posted an article on what real world XSS vulnerable code looks like in ASP.NET applications. Handy if you develop asp.net or audit it for issues. "From couple of weeks we have been seeing some XSS vulnerabilities in asp.net code. Today I wanted to show you guys some real world examples...
In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I'm sending this email to the list seeking people to contribute towards The...
I'm happy to announce CGISecurity's 8th year providing website, and application security news as of today. What started out as an excuse to learn about web based vulnerabilities has really evolved. Here are a few things to put into perspective - The following terms hadn't been coined yet - CSRF/XSRF/Cross-site Request Forgery...
"Users should wait to use Google Chrome after its vulnerabilities were exposed. Randy Abrams, director of Technical Education at ESET, claimed that as vulnerable code was used users should only use Chrome when they are not viewing sensitive pages. He claimed that the oversight by Google is indicative of either a lack...
"I happened to install Google Chrome (Alpha) the same day I installed Internet Explorer 8 (Beta). I noticed immediately, as I'm sure many of you have, that both browsers isolate tabs in different processes. Unix folks have known about the flexibility of forking a process forever. In Unix, fork() is just about...
" As live CD's have become more popular, specialized distributions have begun to emerge. One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a "web testing framework" in much the same way that Metasploit is termed a framework. Samurai is...
The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are...
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development cycle....
UPDATED: Yet another issue is discovered, this time a DOS. UPDATED: 3 hours later a vulnerability has been published. Google has just released an open sourced browser based on Apple's Webkit. I'm guessing it will be less than 48 hours before the first vulnerability is discovered. Since Safari uses Webkit it will...
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read through...
Sacha Faust has just published a grid mapping which asp.net controls automatically perform html entity output encoding when used. Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx
