The Web Application Security Consortium (WASC) is pleased to announce the Static Analysis Technologies Evaluation Criteria. The goal of the SATEC project is to create a vendor-neutral set of criteria to help guide application security professionals during the process of acquiring a static code analysis technology that is intended to be used...
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...
Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly...
To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace...
For you python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community - http://www.pythonsecurity.org/ - which is now the central hub for security in Python. We're writing articles on security topics and how...
Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate...
Chris Sullo sent us the following news entry "DAVTest attempts to aid a penetration tester when facing WebDAV enabled services by quickly testing file type upload capability and features, as well as checking for code execution. It supports MOVE and MKCOL, authentication, and uploading of included shell files." Download: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Sullo writes in "CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running. It can also search OSVDB.org for vulnerabilities in found components, as well as "bootstrap" a security proxy by downloading potential file names from the component's code repository...
From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use...
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can...
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t...
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,...
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however...
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage...
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...
It was announced this morning that Rapid7 has purchased metasploit, and hdmoore! That is all. Rapid7 Announcement: http://www.rapid7.com/metasploit-announcement.jsp Metasploit Blog: http://blog.metasploit.com/2009/10/metasploit-rising.html Metasploit Blog: http://blog.metasploit.com/2009/10/joining-team.html More Coverage http://www.andrewhay.ca/archives/1085 http://blog.ianetsec.net/perspective/2009/10/nick-selby-metasploit-acquisition-shakes-up-the-pentest-landscape.html http://darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=220800067
"The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list...
"The open-source ESAPI WAF is a departure from commercial, network-based firewalls, as well as ModSecurity's free WAF, says Arshan Dabirsiaghi, developer of the ESAPI WAF and director of research for Aspect Security. Dabirsiaghi will roll out the WAF at the OWASP Conference in Washington, D.C., in November. "WAFs today are deployed as...
From the download pages. BinScope "BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations. BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build...
"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this. Considering all the changes, we...
"Hi, Bryan here. Michael wrote last week on static analysis for native C/C++ code, and this week I’ll be following up by covering the tools we use for managed static analysis. The SDL requires teams writing managed code to use two static analysis tools: FxCop and CAT.NET. Both of these tools are...
"This is part one of a two part series of posts by myself and Bryan Sullivan; I will cover the static analysis tools we use at Microsoft (and make available publicly) for analyzing unmanaged (ie; Native) C and C++ code, and Bryan will cover managed code static analysis in a later post....
"Fuzzware is tool for pen-testers and software security testers that is designed to simplify the fuzzing process, while maximising the fuzzing quality and effectiveness. Fuzzware is adaptable to various testing scenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you fine grain control over the fuzzing techniques used and ensures any interesting...
"It's official: The famous password-cracking tool L0phtCrack is back, and its creators plan to keep it that way. L0phtCrack 6 tool, released Wednesday, was developed in 1997 by Christien Rioux, Chris Wysopal, and Peiter "Mudge" Zatko from the former L0pht Heavy Industries -- the hacker think tank best known for testifying before...
"The SamuraiWTF project team is proud to announce the immediate release of SamuraiWTF 0.6. This release contains a number of fixes and updates as well as the first release of a VM image. This VM requires Vmware 5.0 or better. It will also work in any version of VMWare Fusion.ThanksKevin Johnson" For...
"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C...
Not website security related but still useful tools. Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution. PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility,...
"Security researchers have released a proof-of-concept rootkit for Windows 7, in the hopes that its availability will assist in the prompt development of an antidote. Indian security researchers Vipin Kumar and Nitin Kumar demonstrated the toolkit, dubbed Vbootkit 2.0, at the Hack In The Box security conference in Dubai last month. Initially...
"This tool helps in assessing next generation application running on Web/enterprise 2.0 platform. It profiles HTTP requests and responses at runtime by configuring it as proxy. It identifies structures like JSON, XML, XML-RPC etc. along with key HTTP parameters like cookie, login forms, hidden values etc. Based on profile one can take...
"This tool demonstrates a system for identifying the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. No vulnerabilities are exploited by this tool. A properly configured Tor setup should not result in any identifying information being exposed." Essentially this uses...
"Tenable is pleased to announce the release of Nessus version 4! This blog post highlights some of the enhancements and new features available in Nessus 4.0. One of the most notable features is the ability to create custom XSLT reports based on your scan results. Nessus now also supports a fully multi-threaded...
"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development...
"Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for now:...
"HP SWFScan is a free security tool to developers find and fix security vulnerabilities in applications developed with the Adobe Flash Platform. The tool is the first of its kind to decompile applications developed with the Flash platform and perform static analysis to understand their behaviors. This helps developers without security backgrounds...
"Aiming to better identify bugs that could lead to security issues, Microsoft announced on Wednesday that it planned to release a tool to help developers classify and assess program crashes. The tool, known as !exploitable and pronounced "bang exploitable," is a plugin for the Windows debugger that categorizes crash information using two...
HD Moore sent the following to bugtraq this morning. "WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide...
"More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack has reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference. A teaser post on the...
"Ensuring that the browser is up to date can help minimize security risks, but perhaps the most interesting feature of Firefox from a security perspective is the possibility of enhancing the browser's security with the addition of browser extensions or add-ons. Of course any add-ons risks adding new vulnerabilities, but if they...
"Many different resources define fuzzing many different ways. I believe this definition is more suiting than most: "Fuzzing is targeting input and delivering data that is handled by a target with the intent of identifying bugs." Fuzzing can occur theoretically where ever input is possible. There are two kinds of fuzzing: "dumb"...
I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...
"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard...
anantasec posted a scanner comparison to the web security mailing list today. "In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners.This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. The applications (web scanners)...
"The first beta release. "Beta" means that there will be no significant changes till the final v2.00. Now it supports memory and hardware breakpoints. They are fully conditional, and the number of memory breakpoints is unlimited. Fast command emulation takes memory breakpoints into account. In fact, run trace may be much faster...
"The Metasploit Decloak Engine is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 and was eventually...
"CAT.NET - Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this...
From tssci "This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple advantages, like having network access to the service,...
"The team I work in uses both automated scanners, along with a few humans testing (minimum of 2)… A good tester should know the weaknesses of the automated testers.. The problem with automated testers, is, simply put, they are not human. That is they will not have intuition that a given function...
"Contact: H D Moore FOR IMMEDIATE RELEASE Email: hdm[at]metasploit.com Austin, Texas, November 19th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a...
The creators of BURP Proxy are making major updates to this free web proxy. "The next release of Burp Suite is near to completion, and will be made available during December if all goes well. This is a significant upgrade, with major enhancements to several existing components, and some exciting brand new...
A new version of Wireshark (Ethereal) has been released to address multiple security issues. "Impact It may be possible to make Wireshark crash by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file. Resolution Upgrade to Wireshark 1.0.4 or later. Due...
Dave Aitel has posted to dailydave with his thoughts on Static Analysis Industry. From his email "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and tried...
" As important as security is, remaining current with every development is hard, and evaluating possible vulnerabilities across a network can be quite a chore. You need a way to both automate tests and make sure you're running the most appropriate and up-to-date tests. Open Vulnerability Assessment System (OpenVAS) is a network...
Romain Gaucher posted the following email to The Web Security Mailing List today announcing a handy tool he authored. "I remember reading here a couple of emails about how to analyze the apache log in order to look for potential attacks. Since I needed to do exactly the same few times ago,...
" As live CD's have become more popular, specialized distributions have begun to emerge. One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a "web testing framework" in much the same way that Metasploit is termed a framework. Samurai is...
While attending defcon I got to check out a talk on a new web application security scanner called Grendel scanner. For those of you who don't know I used to work at spi dynamics on the webinspect product (now part of HP) and I got to say it is one of the...
"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits....
From the 'Millions of peaches, peaches for me. Millions of peaches, peaches for free ' department The following was posted to the full disclosure mailing list. "Peach 2.1 BETA3 has been released! This new beta includes a lot of changes and makes Peach feature complete for the 2.1 release coming in the...
The following was sent to the daily dave list today by Michael Eddington "The latest in the Peach 2 series has been posted. This release includes many bug fixes, features, improvements, and supersedes 2.0 as the recommended version to use. * Fuzzers written in XML by defining data definitions * Unittests to...
Michal Zalewski has released tmin. From his announcement to bugtraq "I'd like to announce tmin - a free, quick, and handy tool to quickly and effortlessly minimize the size and syntax of complex test cases in automated security testing. I found the tool to be remarkably useful, as it saved me from...
My week at RSA has been fairly interesting. One of the highlights was getting to see an enigma at the NSA booth. Here is a short video I made of the NSA Museum employee explaining how it works.
There is a short interview at techtarget with the creator of nmap 'fyodor'. Interview Link: http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=1288741
An interesting post on intercepting flash XMPP traffic. "This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport). The only way we could think of getting...
This article reviews various tools that can be used to brute force web forms and web based auth. "This mish-mash of security is the basis of Web login vulnerabilities and why passwords are often easily cracked. Be it form-based, HTTP Basic, or NT LAN Manager (NTLM) (the three main types of authentication...
Stefano writes "The first release of SWFIntruder has been released today by Stefano Di Paola, CTO of Minded Security. SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime. It helps to find flaws in Flash applications using the methodology originally described...
tssci has a VERY long post about crawling in relation to vuln assessments. "This post isn’t intended to be a retort to Jeremiah Grossman’s post last month on Why crawling matters, but more of a follow-up post to my latest blog entry on Why pen-testing doesn’t matter. Hint: both pen-testing and crawling...
Sullo writes " Nikto is an open source (GPL) web server scanner which performs tests against web servers for multiple items, including over 3500 po tentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Version 2 adds a ton of enhancements, including: - Fingerprinting web...
United States Patent 7266699 was issued to AppSecInc. From the patent "The invention provides a transparent encryption infrastructure which allows the user to point-and-click on columns and tables to encrypt data. The creation of triggers and views are also easily implemented, to encrypt and decrypt data, to manage the encryption keys and...
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE...
Larry Suto has written a paper reviewing Webinspect, Appscan, and NTO Spider. From the article "The study centered around testing the effectiveness of the top three web application scanners in the following 4 areas. 1. Links crawled 2. Coverage of the applications tested using Fortify Tracer 3. Number of verified vulnerability findings...
"I wrote about three of my favorite Firefox extensions that help me stay safe when I'm browsing the darker areas of the Web and incoming email. Today, let's look at three other extensions: Those that can turn Firefox into a feature-filled, Web-hacking weapon. These extensions aren't required to use Firefox for hacking...
The final review of Web application security scanners has been released by darkreading. "As we wrap up our four-month Rolling Review series, we do want to award some partial credit. While only IBM's WatchFire AppScan automatically handled our Ajax applications, Acunetix Web Vulnerability Scanner, Cenzic Hailstorm and Hewlett-Packard WebInspect (post-update) were capable...
"Armorlogic, the Danish web application firewall provider, announces Profense™ Base, the only automated web application firewall available for free. And there is no catch. Free means free for commercial as well as non-commercial use, without time limitation." "ISO images and software licenses are available from www.armorlogic.com." I've never heard of this company...
"The range of products calling themselves "security scanners" is so broad that the designation is flirting with irrelevance. You have your vulnerability assessment software, which uses large databases of known vulnerabilities. Then there are penetration-testing applications that focus on fewer vulnerabilities but include the ability to exploit flaws instead of just identify...
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...
The Web Application Security Consortium is pleased to announce a new project " Web Application Security Scanner Evaluation Criteria (WASSEC)". Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project. A brief description of the...
"Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in...
"SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page. For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the...
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts ( Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confident iality of non editable data and Generic Validations of the Editable Data), maintaining the API...
"The Secure Systems Lab at the Technical University of Vienna has released the newest version of Pixy, an open-source vulnerability scanner. Here are some of the highlights: - detection of SQL injection and XSS vulnerabilities in PHP source code - automatic resolution of file inclusions - computation of dependence graphs that help...
icesurfer writes "Hello fellow security enthusiasts, a new version of sqlninja is out at sourceforge ! Introduction ============ sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB...
Piotr Musial writes "Ccrp was designed to be a highly secure private key encryptor for small files and messages, and uses bit-move logic as the primary means of "scrambling" the plaintext. Ccrp also uses a lookup table instead of a pseudorandom bit generator, and so to obtain good se curity with that...
I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...
"untidy is general purpose XML Fuzzer. It takes a string representation of a XML as input and generates a set of modified, potentially invalid, XMLs based on the input." Tool Link: http://untidy.sourceforge.net/
"SQL Injection is perhaps the most common web-application hacking technique which attempts to pass SQL commands through a web application for execution by the back-end database. The vulnerability is presented when user input is incorrectly sanitized and thereby executed. Checking for SQL Injection vulnerabilities involves auditing your web applications and the best...
I found this linked off of jeremiah's blog "As applications evolve, new vulnerabilities emerge. For this Rolling Review series we'll examine how Web application scanners help address the security weaknesses found in RIAs in general, and Ajax in particular." "Web application scanners can help, but implementation is tricky. For this Rolling Review,...
<rant> We've heard of source code analysis tools, and blackbox scanning tools and they have value to help secure your application. Unfortunately they have a major downside, they require the discipline of using them. If your developers don't run them they can still check in vulnerable code to your source code repository....
"Metasploit is pleased to announce the immediate free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/. The Metasploit Framework ("Metasploit") is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits 104 payloads 17 encoders and 3 nop modules. Additionally 30 auxiliary modules are included that perform...
"The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said. But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind,"...
Jeremiah Grossman (Whitehat Security) has typed up an entry on automated vulnerability scanning verses humans. If you're in the position to perform an assessment it's worth the read. Article Link: http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html
I've written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle using a language that they are familiar with in short to the point articles. "Fuzzers are...
Someone has written up a review of 11 security scanners specifically. ISS Internet Security Systems SSS Shadow Security Scanner Retina eEye Nessus GFI Languard Network Security Scanner Qualys www.qualys.com Nstealth Security Scanner www.nstalker.com Nikto Whisker Infiltrator infiltration-systems.com Nscan "I was looking at 3 main areas while evaluating the scanners. 1. Comprehensiveness of...
"For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of...
Shreeraj Shah has written an article outling some of the 'Web 2.0' risks. He covers RSS Security, JSON, Ajax Security, Cross Site Request Forgery and other related issues. Article Link: http://www.securityfocus.com/infocus/1881
One of our readers 'J. Oquendo' "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'. "Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit scan...
An anonymous poster contributes "Web application source code, independent of languages and platforms, is a major source for vulnerabilities. One of the CSI surveys on vulnerability distribution suggests that 64% of the time, a vulnerability crops up due to programming errors and 36% of the time, due to configuration issues. According to...
"Ivan Ristic explains what's hot about the new release Interview ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX...
"With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers. "We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang...
"Hacme Casino is an online casino, built with Ruby on Rails, with plenty of AJAX functionality. It has security vulnerabilities baked- in, and is meant to help educate developers and testers about web application security in the context of new technologies. If you are interested in the security aspects Ruby on Rails...
"The offerings consist of IBM Secure Shell Library for Java, which automatically allows customers to encrypt Java application data transferred from one server to another, and the Security Workbench Development Environment for Java, which lets developers test and validate applications." Download Link: http://www.alphaworks.ibm.com/tech/sshlite Article Link: http://www.scmagazine.com/uk/news/article/565999/ibm+offers+free+tools+application+security/
