Feeds
13620 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
Items by Robert A.
CGISecurity.com: Your Web Site and Application Security Resource
-
Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
Posted: January 8th, 2012, 1:11am CST by Robert A.
Tags: Books [edit]
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work.... -
Quick defcon/blackhat preparation list
Posted: July 28th, 2011, 3:25pm CDT by Robert A.
Tags: Events [edit]
A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best "Just because you're paranoid, doesn't mean they're not after you'. Here's a short list (albeit not complete as I don't plan to... -
Summary of Google+ browser security protections
Posted: July 27th, 2011, 12:03pm CDT by Robert A.
Tags: Browsers [edit]
Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/ -
Paper: Web Application finger printing Methods/Techniques and Prevention
Posted: July 21st, 2011, 3:51pm CDT by Robert A.
Tags: IndustryNews [edit]
Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are... -
Oracle website vulnerable to SQL Injection
Posted: July 5th, 2011, 5:21pm CDT by Robert A.
Tags: Funny [edit]
Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all. -
WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants
Posted: June 27th, 2011, 2:26pm CDT by Robert A.
Tags: Announcements [edit]
I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,... -
Results of internet SSL usage published by SSL Labs
Posted: May 25th, 2011, 11:53am CDT by Robert A.
Tags: Browsers [edit]
Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security.... -
Another use of Clickjacking, Cookiejacking!
Posted: May 25th, 2011, 11:37am CDT by Robert A.
Tags: Browsers [edit]
Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx -
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
Posted: March 31st, 2011, 12:17pm CDT by Robert A.
Tags: Announcements [edit]
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals... -
How not to publish SCADA security advisories
Posted: March 22nd, 2011, 2:23pm CDT by Robert A.
Tags: IndustryNews [edit]
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't... -
The OWASP AppSec USA 2011 Call for Papers (CFP)
Posted: March 18th, 2011, 2:47pm CDT by Robert A.
Tags: Announcements [edit]
Lorna Alamri writes in the following announcement "The OWASP AppSec USA 2011 Call for Papers (CFP) is now open. Visit the following URL to submit your abstract for the September 22-23, 2011 talks in Minneapolis, Minnesota: http://www.appsecusa.org/talks.html We're excited to announce that speakers will be in good company with our first keynote,... -
Easy Method For Detecting Caching Proxies
Posted: February 8th, 2011, 2:56pm CST by Robert A.
Tags: Browsers [edit]
While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)... -
Announcing WASC Web Hacking Incident Database (WHID) Mail-list
Posted: January 25th, 2011, 11:56am CST by Robert A.
Tags: Incidents [edit]
Ryan Barnett (Leader of the WASC Web Hacking Incidents Database Project) has announced a new mailing list where users can subscribe to hear about the latest hacking incidents. From his email to The Web Security Mailing List "Greetings everyone, I wanted to let everyone know that we have setup a mail-list for... -
WASC Party at RSA
Posted: January 19th, 2011, 1:09pm CST by Robert A.
Tags: Announcements [edit]
The Web Application Security Consortium (in which I am a co founder) is throwing a party at RSA this year in San Francisco. Here's the formal announcement. "Take a Break @ RSA and Meet-up with Your Peers at the WASC Meet UP Join your Web application security peers for lunch at Jillian's@Metreon.... -
Tracking and understanding security related defects: Useful data points for shaping your SDLC program
Posted: January 11th, 2011, 11:34am CST by Robert A.
Tags: IndustryNews [edit]
In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC related content. I've just published a lightweight article discussing tips and tricks for tracking software level vulnerabilities in larger organizations. Abstract: "If you work in infosec for a large organization it can be difficult to easily track... -
Most common password for Gawker users is 123456
Posted: December 14th, 2010, 12:51pm CST by Robert A.
Tags: Funny [edit]
Gawker was recently compromised and had its source code and user passwords leaked onto the web. The Wall Street Journal has published a list of the top 50 passwords with the #1 password being '123456'. The full list can be found at http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/ -
Improving ASP.NET Security with Visual Studio 2010 Code Analysis
Posted: December 6th, 2010, 2:58pm CST by Robert A.
Tags: CSRF [edit]
Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly... -
New Silicon Valley security conference - BayThreat
Posted: November 18th, 2010, 6:53pm CST by Robert A.
Tags: Announcements [edit]
A handful of people from silicon valley (myself included) have been discussing the lack of good hacker conference in the bay area (RSA does not count) for some time and decided to meet up during defcon to see what we could do about this. It was concluded that the only logical thing... -
Phrack #67 is out for 25th anniversary!
Posted: November 18th, 2010, 12:55pm CST by Robert A.
Tags: Announcements [edit]
To celebrate 25 years the phrack team has published issue #67. Introduction The Phrack Staff Phrack Prophile on Punk The Phrack Staff Phrack World News EL ZILCHO Loopback (is back) The Phrack Staff How to make it in Prison TAp Kernel instrumentation using kprobes ElfMaster ProFTPD with mod_sql pre-authentication, remote root FelineMenace... -
Interesting IE leak via window.onerror
Posted: November 12th, 2010, 11:54am CST by Robert A.
Tags: Browsers [edit]
Chris Evans has posted an interesting bug in IE involving using JavaScript's window.onerror to leak cross domain data. From his blog "The bug is pretty simple: IE supports a window.onerror callback which fires whenever a Javascript parse or runtime error occurs. Trouble is, it fires even if www.evil.com registers its own window.onerror... -
Palin e-mail snoop sentenced to a year in custody
Posted: November 12th, 2010, 11:48am CST by Robert A.
Tags: Incidents [edit]
"Former college student David Kernell, whose criminal prying into Sarah Palin's personal e-mail account caused an uproar two months before the 2008 presidential election, was today sentenced to a year and a day in federal custody by a judge who recommended that the time be served in a Knoxville, Tenn. halfway house.... -
TJX Hacker Gets Pwned, 20 Years In Prison
Posted: March 26th, 2010, 11:20am CDT by Robert A.
Tags: Incidents [edit]
Could the trend of claiming not to know any better while hacking due to asperger's be coming to an end? From Wired "Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card... -
Secure Application Development on Facebook Platform
Posted: March 19th, 2010, 12:14pm CDT by Robert A.
Tags: Development [edit]
Facebook and isecpartners have teamed up to write an article on developing secure applications on the Facebook platform. "This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with... -
Random FireFox URL handling Behavior
Posted: March 11th, 2010, 3:29pm CST by Robert A.
Tags: Browsers [edit]
About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it... -
Cryptography experts bicker with former NSA director at RSA panel
Posted: March 4th, 2010, 11:31am CST by Robert A.
Tags: Cryptography [edit]
I recently attended RSA and had a chance to see the cryptography panel. Towards the end of the panel an amusing amount of bickering began between the former NSA technical director (Brian snow) and folks such as Whit Diffie (inventor of diffie hellman key exchange), and Adi Shamir (co founder of RSA... -
Web Security Dojo v1.0 release
Posted: March 1st, 2010, 11:30am CST by Robert A.
Tags: Announcements [edit]
From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use... -
Watcher 1.3.0 passive Web-vulnerability testing tool released
Posted: March 1st, 2010, 11:28am CST by Robert A.
Tags: Announcements [edit]
"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can... -
XSS, SQL Injection and Fuzzing Barcode Cheat Sheet
Posted: February 24th, 2010, 11:26am CST by Robert A.
Tags: Funny [edit]
Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really :) Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php -
Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection
Posted: February 22nd, 2010, 4:32pm CST by Robert A.
Tags: IndustryNews [edit]
I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory... -
Post on Abusing Windows Communication Foundation to Perform Remote Port Scans
Posted: February 17th, 2010, 12:10pm CST by Robert A.
Tags: IndustryNews [edit]
Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind... -
2010 SANS Top 25 Most Dangerous Programming Errors Released
Posted: February 16th, 2010, 1:05pm CST by Robert A.
Tags: Announcements [edit]
I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top... -
Larry Suto Web Application Security Scanner Comparison Report Inaccurate Vendors Say
Posted: February 8th, 2010, 3:37pm CST by Robert A.
Tags: IndustryNews [edit]
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t... -
R.I.P. Apache 1.x: Apache 1.3.42 marks of end life
Posted: February 3rd, 2010, 12:29pm CST by Robert A.
Tags: Announcements [edit]
The latest version of Apache 1.3.42 is the last 1.3 version of Apache that will be released. I admit I've been running 1.3 for ages now due to it being rock solid and having a decent security track record. The announcement states that security patches 'may be available' at http://www.apache.org/dist/httpd/patches/ but consider... -
Nikto version 2.1.1 released
Posted: February 2nd, 2010, 2:44pm CST by Robert A.
Tags: Announcements [edit]
Sullo has sent the following announcement to the full disclosure mailing list indicating a new release of Nikto. "I'm happy to announce the immediate availability of Nikto 2.1.1! Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs,... -
Weaning the Web off of Session Cookies Making Digest Authentication Viable
Posted: January 29th, 2010, 4:31pm CST by Robert A.
Tags: Articles [edit]
Timothy D. Morgan has published an excellent paper describing How UI limitations hinder adoption of HTTP based authentication How UI behaviors are/can be abused pertaining to HTTP auth Observations on Cookie limitations Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest From the paper... -
WASC RSA Meet-Up 2010!
Posted: January 28th, 2010, 11:58am CST by Robert A.
Tags: Events [edit]
The Web Application Security Consortium (WASC) is having an official meetup in San Francisco during the RSA conference.If you like to get free food/drinks, shoot pool, and chat appsec with many of the leading researchers in the appsec world this is your chance. WASC RSA 2010 Meet-up Wednesday, March 3, 2010 Lunch... -
Facebook security pretty much what you'd expect?
Posted: January 22nd, 2010, 4:46pm CST by Robert A.
Tags: Funny [edit]
An interview claiming to be with a facebook employee discusses a few things that you probably were hoping didn't happen. Here are some choice quotes from the article " Rumpus: Have you ever logged in to anyone’s account? Employee: I have. For engineering reasons. Rumpus: Have you ever done it outside of... -
Hacker Messes With Student's Schedule
Posted: January 12th, 2010, 11:42am CST by Robert A.
Tags: Funny [edit]
I don't usually post much about hacking incidents but this one was particularly funny. "A college student has been dropped from her classes twice, apparently the victim of someone who hacked into her schedule.Michelle McCoy-Lloyd was going to take two culinary classes at San Joaquin Delta College starting next week.Last month, someone... -
WASC Threat Classification to OWASP Top Ten RC1 Mapping
Posted: January 6th, 2010, 11:41am CST by Robert A.
Tags: IndustryNews [edit]
Jeremiah Grossman and Bil Corry have created a nice visual mapping between the OWASP Top Ten and the WASC Threat Classification v2. More Information: http://jeremiahgrossman.blogspot.com/2010/01/wasc-threat-classification-to-owasp-top.html -
Announcement: WASC Threat Classification v2 is Out!
Posted: January 1st, 2010, 6:08pm CST by Robert A.
Tags: Announcements [edit]
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is... -
Stephen Watt sentenced to 2 years in prison for role in TJX
Posted: December 24th, 2009, 12:56pm CST by Robert A.
Tags: Incidents [edit]
Stephen Watt (alias JimJones/Unix Terrorist/PHC/etc) was sentenced to 2 years in prison for his role in writing the blablah sniffer used by the folks involved in the TJX credit card incident. From wired magazine "While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison,... -
Adobe on Fuzzing Adobe Reader For Security Defects
Posted: December 21st, 2009, 5:01pm CST by Robert A.
Tags: Defense [edit]
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however... -
Experimenting With WASC Threat Classification Views: Vulnerability Root Cause Mapping
Posted: December 13th, 2009, 7:08pm CST by Robert A.
Tags: Research [edit]
I currently lead the WASC Threat Classification Project and we're expecting to publish our latest version next month. One of the biggest changes between the TCv2 and TCv1 is that we're doing away with single ways to represent the data. In the TCv1 we had a single tree structure to convey appsec... -
132,000+ sites Compromised Via SQL Injection
Posted: December 10th, 2009, 11:26am CST by Robert A.
Tags: Incidents [edit]
Net-Security has posted an article on the discovery of 132k+ sites that have been SQL Injected. From the article "A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to... -
Potential risks of using Google's free DNS service
Posted: December 4th, 2009, 6:14pm CST by Robert A.
Tags: Commentary [edit]
Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking why google would offer such a free service. Several points to consider Google can profile a given... -
Potential risks of using Google's free DNS service?
Posted: December 4th, 2009, 6:14pm CST by Robert A.
Tags: Commentary [edit]
Google has announced that they are offering a free DNS service to anyone wanting to use it. Unfortunately the motivations/privacy concerns aren't being discussed in as much detail as I'd like, and people aren't asking the important question of why google is offering such a free service. Several points to consider Google... -
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Posted: December 3rd, 2009, 4:46pm CST by Robert A.
Tags: CSRF [edit]
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new... -
Clientless SSL VPN products break web browser domain-based security models
Posted: December 1st, 2009, 11:59am CST by Robert A.
Tags: IndustryNews [edit]
A new CERT advisory has been published outlining a weakness in the way web based SSL clients operate, resulting in a Same Origin Policy breakage. Here's the meaty details. "As the web VPN retrieves web pages, it rewrites hyperlinks so that they are accessible through the web VPN. For example, a link... -
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Posted: November 24th, 2009, 6:07pm CST by Robert A.
Tags: Defense [edit]
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage... -
Symantec SQL Injected, Seeks Counseling
Posted: November 23rd, 2009, 5:16pm CST by Robert A.
Tags: Funny [edit]
"The Romanian hacker who successfully broke into a web site owned by security vendor Kaspersky Lab has struck again, this time exposing shortcomings in a Symantec web server. The hacker, known only as Unu, said in a blog post today that he was able to access a server belonging to the security...