How To: Detect Cross Site Scripting Vulnerabilities using XSSDetect
Posted 9/4/08 by Robert from the '.NET XSS Protection' department
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development..."
Google releases Chrome Web browser
Posted 9/2/08 by Robert from the 'First Mozilla Chrome, now Google Chrome' department
"Google has just released an open sourced browser based on Apple's Webkit. I'm guessing it will be less than 48 hours before the first vulnerability is discovered. Since Safari uses Webkit it will be interesting to see if vulnerabilities found in Chrome will also..."
Article: SDL Embraces The Web
Posted 9/2/08 by Robert from the 'Secure Development Lifecycle' department
"Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read..."
Understanding the security changes in Flash Player 10 beta
Posted 8/29/08 by Robert from the 'gone in a flash' department
"The next version of Adobe Flash Player will offer a variety of new features and enhancements as well as some changes to the current behavior of Flash Player. Some of these changes may require existing content to be updated to comply with stricter security rules. Other changes introduce new abilities that..."
Cross-site hacks and the art of self defence
Posted 8/29/08 by Robert from the 'XSS the mighty beast' department
"Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin - protocol, domain, and port don't all match - you aren't allowed to access information from or send requests to the other site. Without this simple rule, there would..."
Whitepaper: Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
Posted 8/21/08 by Robert from the 'food for the mind' department
"Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input..."
Attacking PHP weak PRNGs: mt_srand and not so random numbers
Posted 8/17/08 by Robert from the 'rand() 4 lyfe' department
"Stefan Esser has written a great article on attacking PHP PRNGs. "PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these..."
Tools: Grendel Scanner a new Web Application Security Scanner
Posted 8/12/08 by Robert from the 'new tools' department
While attending Defcon I got to check out a talk on a new web application security scanner called Grendel Scanner.
For those of you who don't know, I used to work at SPI Dynamics on the WebInspect product (now part of HP), and I've got to say it is one of the more impressive-looking open source options out there.
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Posted 8/4/08 by Robert from the 'sitting on shit sucks' department
After a long wait I have published a CSRF attack use case I've been sitting on for a while. This entry can be located on our new beta site. From the post:
"The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most view affiliate programs as a great way to monetize their traffic by strategically placing a few links on their sites.
Affiliate programs generally operate by associating a web visitor with a particular affiliate when the visitor has followed a custom link provided by the affiliate. This custom link will contain some sort of identifier that instructs the site how traffic was directed towards them. After visiting the link an association is made (typically via a cookie) with that user's session on the destination site. This association might last for a few minutes to a month depending on the business requirement of the program."
Site News: New Design and beta site!
Posted 7/30/08 by Robert from the 'romain's elite design skills' department
The time has finally come to switch hosters as well as site designs. I have set up a new beta site at and thanks to we have a new kickass site design. Below is an outline of the changes between the two.
- Added RSS descriptions (previously we only supported the titles)
- Added Atom and RSS2.0 Feed support
- Ability to post comments
- Tagging
- Cleaner UI
- Scrolling recent posts
I expect the site to be fully migrated sometime in August. If the site seems buggy or you have some feedback.
DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
Posted 7/16/08 by Robert from the 'Biting the hand that feeds it' department
"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers how to exploit it before overlords of the domain name system had a chance to fix it.
That hasn't stopped researcher Halvar Flake from posting a hypothesis that several researchers say is highly plausible. It describes a simple method for tampering with DNS name servers that get queried when a user tries to visit a specific website. As a result, attackers would redirect someone trying to visit a site such as bankofamerica.com to an impostor site that steals their credentials." The Register
Halvar's guess is located at
Reading more:
"It would also demonstrate the difficulty researchers like Kaminsky face in trying to keep the specifics of a vulnerability quiet. While Flake is highly respected in security circles, he admits his knowledge of DNS is limited. He had to spend time reading a "DNS-for-dummies" text to get up to speed.
If a few weeks was enough for him to come up with an attack scenario, plenty of less scrupulous hackers almost certainly will be able to do the same thing, calling into question whether it's realistic to limit vulnerability disclosure in the way Kaminsky has proposed.
"It's the universal opinion of the research community that it's not a reasonable request," said Thomas Ptacek, a researcher at Matasano who is critical of the admonition against other researchers publicly discussing the flaw. Ptacek and several other researchers have received a briefing from Kaminsky in exchange for a promise not to discuss it publicly, a condition he says is perfectly OK." TheReg
Shortly after Halvar's posting, Matasano Chargen's Thomas Ptacek (the guy quoted above by The Register) leaked the details to his site, then removed them shortly after, as discussed at . Luckily a friendly Slashdot viewer mirrored this post at . I guess Thomas (having violated the trust of someone he knows) felt bad enough about disclosing Dan's research after Dan asked him not to that he posted a response to leaking the vuln details. If you enjoy security drama/theater I'd suggest reading the replies.
Spring Framework vulnerabilities
Posted 7/16/08 by Robert from the 'sprung' department
Michelle let us know about the following story on TechTarget:
"A recent security assessment of an application by Ounce Labs has resulted in the discovery of two vulnerabilities that can affect Java Web applications that use the Spring Framework.
Spring has been downloaded more than 5 million times to date, which means the security vulnerabilities identified could affect countless companies that use this framework.
on its site to help users determine if they're at risk and what to do to prevent exploitation."
GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers
Posted 7/16/08 by Robert from the 'If you don't know, now you know, !@#$!' department
The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of .
"I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN for the past couple weeks regarding security fixes being intentionally covered up by the Linux kernel developers and -stable maintainers. Here are some references:
The Linux kernel has a formal policy in Documentation/SecurityBugs which states under Section 2 Disclosure:
"We prefer to fully disclose the bug as soon as possible."
However, their policy in reality is quite different, as you can see for yourself in the "discussion" going on now on LKML:
Some choice quotes from Linus that reflect how sad the current state is:
(on commenting about what he would allow to be included in a commit message)
"I literally draw the line at anything that is simply greppable for. If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it."
(when talking about the security backports Linux vendors provide for customers)
"And they mostly do a crap job at it, only focusing on a small percentage (the ones that were considered to be "big issues")"
They seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security. As it should be clear to anyone actually involved in the security community, or anyone who has ever written an exploit (particularly for the myriad silently fixed vulnerabilities in Linux), this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they're helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.
To illustrate the point, in the 2.6.25.10 kernel, the following fix was included with the commit message of:
Roland McGrath (1):
x86_64 ptrace: fix sys32_ptrace task_struct leak
The kernel was released with no mention of security vulnerabilities in the announcement, only "assorted bugfixes".
Put simply, it only took about an hour or so to develop a PoC for this exploitable vulnerability which affects 64bit x86_64 kernels since January. So since the time of the fix itself (or even before that if someone spotted it before the kernel developers did themselves) users have been at risk. Yet in the imaginary world they live in, these kernel developers think they're protecting you from that risk by not telling you what you're vulnerable to.
Please let them know what you think of their policy of non-disclosure and coverups. I hope someone also educates them on their ridiculous notion of "untrusted local users" like Greg uses in his announcement of the 2.6.25.11 kernel:
If you remain complacent about the state of affairs, you're only enabling them to continue their current misguided foolishness.
-Brad"
Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
Posted 7/15/08 by Robert from the 'dollars and cents' department
"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations.
It discusses the technical vulnerabilities typically observed in both the validation and processing of numeric data that could expose an organisation to unmanaged risk. It is intended for a technically literate audience involved in developing or testing financial applications, and to provide technical insight to those responsible for their management.
The vulnerabilities are presented with source code examples, suggestions on how to identify the flaws during the testing phases and recommendations for mitigating the risk."
Fallout From the Fall of CAPTCHAs
Posted 7/15/08 by Robert from the 'trashed captcha's' department
"CAPTCHA went from relatively obscure security measure perfected in 2000 by researchers at Carnegie Mellon University to deployment by most of the major Web e-mail sites and many other Web sites by 2007. Sites such as Yahoo Mail, Google's Gmail and Microsoft's Hotmail all used -- and, for that matter, continue to use -- CAPTCHA to make sure that only human beings, not bots, could get accounts or make postings.
Those days are long gone.
By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open in April. Hotmail's top got popped during the same month.
And then things got bad. "
OWASP/WASC Party at Blackhat in Las Vegas
Posted 7/10/08 by Robert from the 'drinking beers and talking shop' department
WASC and OWASP are throwing a party this year during Black Hat at the Shadow Bar, which is being sponsored by Breach. This will be the 3rd party at the Shadow Bar, and the 2nd joint WASC/OWASP conference. If you want to chat appsec, this is where everyone in appsec will be.
Widescale DNS flaw discovered
Posted 7/8/08 by Robert from the 'UDP 4 lyfe' department
A pretty nasty DNS vulnerability has been discovered in 81 products by Dan Kaminsky. This vulnerability type seems to be the same as that described by Amit Klein and involves abusing the PRNG involved in transactions on DNS queries. Long story short, if you run a vulnerable caching DNS server, you can have your cache poisoned. From CERT:
"The DNS protocol specification includes a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are generated by a number of implementations. Amit Klein researched several affected implementations in 2007."
Dshield has a .
Most Corporations Lack Proper SDLC
Posted 7/8/08 by Robert from the 'SDLC 4 lyfe' department
"The current state of secure software development by corporations both large and small is a mess.
Software vendors need to realize that they must begin exercising due diligence when producing their software products. Microsoft dedicated itself to secure development practices some years ago, yet its developers are still taking months to fix reported vulnerabilities. If an industry giant like Microsoft cannot get a grip, it really does not bode well for the rest of the industry.
While many companies make a passing attempt at improving their software products, all too often other pressures win out. Software companies that will delay a product's launch for the sake of a code audit, third-party threat testing, or an extended quality-assurance (QA) cycle are few and far between. Sadly, the secure development life cycle (SDLC) is not always adhered to by the software vendors, and the first casualty in this process is typically quality assurance." - SecurityFocus
Part of my job involves creating an SDLC for the company I work for. Having spoken with many companies both large and small, I agree with this article that most companies haven't figured out proper integration of security testing in development and QA. I consider this sort of initiative to still be fairly new to the industry, with lots of room for improvement. The real challenge is finding the right balance for your specific development organization, and understanding that one approach does not fit all, even within the same company.
Jason Taylor on Security Testing
Posted 7/7/08 by Robert from the 'security testing' department
Microsoft has a decent article on security testing for worth checking out.
"Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?"
Sony PlayStation's site SQL injected, redirecting to rogue security software
Posted 7/3/08 by Robert from the 'pwned like a noob' department
"The latest high trafficked web site to fall victim into the continuing waves of massive SQL injection attacks courtesy of copycats and the ASProx botnet, is Sony's PlayStation U.S site according to a recent post at SophosLabs's blog" - ZDNet
Firefox 2.0.0.15 Addresses Multiple Security Issues
Posted 7/3/08 by Robert from the 'patch your shit' department
Firefox 2.0.0.15 was released addressing the following security issues.
Ensure you go to your Help menu and 'Check for Updates' to ensure you're protected.
Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security
Posted 7/2/08 by Robert from the 'eating linux zealots alive' department
"In this interview, cloudsecurity.org talks to Guido van Rossum about Python, Google App Engine and security.
Guido is the creator of the Python programming language and more recently, Google App Engine team member. His involvement with the App Engine project was pretty late - the code "was almost ready for release" when he got involved. The security architect of App Engine was primarily project lead, Kevin Gibbs, supported by the rest of the App Engine crew and the Google Security Team."
Microsoft outlines extensive IE8 security improvements
Posted 7/2/08 by Robert from the 'eating linux zealots alive' department
Microsoft has posted a very extensive article outlining the security improvements to IE8. Improvements have been made to the following areas:
- Defenses
- Safer Mashups (HTML and JSON Sanitization)
- MIME-Handling Changes (Restrict Upsniff and Sniffing Opt-Out)
- Add-on Security
- Protected Mode
- Application Protocol Prompt
- File Upload Control
- Social Engineering Defenses
- Address Bar Improvements
From the blog:
"Hi! I'm Eric Lawrence, Security Program Manager for Internet Explorer. Last Tuesday, Dean wrote about our principles for delivering a trustworthy browser; today, I'm excited to share with you details on the significant investments we've made in Security for Internet Explorer 8. As you might guess from the length of this post, we've done a lot of security work for this release. As an end-user, simply upgrade to IE8 to benefit from these security improvements. As a domain administrator, you can use Group Policy and the IEAK to set secure defaults for your network. As a web developer, you can build upon some of these new features to help protect your users and web applications.
As we were planning Internet Explorer 8, our security teams looked closely at the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. While we were building new Security features, we also worked hard to ensure that powerful new features (like Activities and Web Slices) minimize attack surface and don't provide attackers with new targets. Out of our planning work, we classified threats into three major categories: Web Application Vulnerabilities, Browser & Add-on Vulnerabilities, and Social Engineering Threats. For each class of threat, we developed a set of layered mitigations to provide defense-in-depth protection against exploits."
The oldest application security website. Providing Web Security news since 2000.