An XSS worm has hit twitter this morning and appears to have affected hundreds of thousands of users. Sophos has a good technical writeup at http://www.sophos.com/blogs/gc/g/2010/09/21/twitter-onmouseover-security-flaw-widely-exploited/ ARSTechnica has some coverage about Magnus Holm, the author of the worm. http://arstechnica.com/security/news/2010/09/twitter-worms-spread-quickly-thanks-to-blatant-security-flaw.ars I'll update this post once a more accurate count of affected users is...
To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...
Fellow WASC officer Ryan Barnett has published an update to the Web Hacking Incident Database project. He sent the following to The Web Security List (a list which I operate) this morning. "Greetings everyone, I wanted to let you all know that we have released the new WHID report for 2010 -...
