Be careful of "scheme relative urls" when performing 3xx redirects

Former coworker Sacha Faust has published an entry on how the lack of handling relative urls when implementing URL redirection can lead to open redirector's. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx

TJX Hacker Gets Pwned, 20 Years In Prison

Could the trend of claiming not to know any better while hacking due to asperger's be coming to an end? From Wired "Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card...

Secure Application Development on Facebook Platform

Facebook and isecpartners have teamed up to write an article on developing secure applications on the Facebook platform. "This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with...

Random FireFox URL handling Behavior

About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...

Cryptography experts bicker with former NSA director at RSA panel

I recently attended RSA and had a chance to see the cryptography panel. Towards the end of the panel an amusing amount of bickering began between the former NSA technical director (Brian snow) and folks such as Whit Diffie (inventor of diffie hellman key exchange), and Adi Shamir (co founder of RSA...

Web Security Dojo v1.0 release

From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use...

Watcher 1.3.0 passive Web-vulnerability testing tool released

"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can...
Looking for something else or having a hard time finding a story? We recently moved things around so please use the search bar on the right!