|
CGISecurity - Website and Application Security News
|
All things related to website, database, SDL, and application security since 2000.
|
-
Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....
-
Quick defcon/blackhat preparation list
A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best "Just because you're paranoid, doesn't mean they're not after you'. Here's a short list (albeit not complete as I don't plan to...
-
Summary of Google+ browser security protections
Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/
-
Paper: Web Application finger printing Methods/Techniques and Prevention
Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are...
-
Oracle website vulnerable to SQL Injection
Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.
-
WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...
-
Results of internet SSL usage published by SSL Labs
Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....
-
Another use of Clickjacking, Cookiejacking!
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx
-
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...
-
How not to publish SCADA security advisories
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't...
|
RT @Hacking_Scandal: #notw #hacking Boris's spin doctor who helped mastermind re-election now Murdoch's £250,000... http://t.co/XVtC0OlJ http://t.co/nUA4wElB
#notw #hacking Boris's spin doctor who helped mastermind re-election now Murdoch's £250,000... http://t.co/XVtC0OlJ http://t.co/nUA4wElB
#notw #hacking Boris's spin doctor who helped mastermind re-election now Murdoch's £250,000... http://t.co/V7PhQ9wS http://t.co/YpMgeYP5
http://t.co/i7msaxjb #php #hacking #cookie
#SITREP Chicago Police Department Website Hacked http://t.co/v6ol9MIT #hacking #security
HOIC - Een nieuw Anonymous DDO...
Wireless Man In The Middle (MI...
Drupal Security Scanner - DPSc...
Cracking WEP using OpenWRT on ...
Johnny - GUI voor John the Rip...
Johnny - GUI voor John the Rip...
HOIC - Een nieuw Anonymous DDO...
More...