Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really :) Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php
I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory...
Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind...
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top...
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t...
The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider...
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...
