Security

Submission + - Announcing the Web Application Security Scanner Ev (webappsec.org)

mrkitty writes: The Web Application Security Consortium is pleased to announce the release of version 1 of the Web Application Security Scanner Evaluation Criteria (WASSEC). The goal of the WASSEC project is to create a vendor-neutral document to help guide information security professionals during web application scanner evaluations. The document provides a comprehensive list of features that should be considered when conducting an evaluation. The WASSEC project does not promote any specific products or tools, but instead provides valuable information to help you make your own decision about which of these tools best meets your needs.

The WASSEC document can be found here in both wiki and PDF formats:
http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria

Security

Submission + - WASC's Distributed Open Proxy Honeypot Project (webappsec.org)

WASC writes: "The idea behind the IT security concept known as the honeypot is all about luring hackers into a server or network so they can be tracked. The Web Application Security Consortium (WASC) has its own particular brand of honey to attract would-be attackers — a blend of open source and open proxies. The WASC is now entering Phase Three of its Distributed Open Proxy Honeypot Project, including more participants, sensors and analytical reporting as the project moves into wide deployment. The aim remains the same, however: providing security researchers and law enforcement with a new resource in the battle against Web attacks. "Ultimately what we're trying to identify is Web-based attacks — how are they are actually happening — because it's very hard to get real details," WASC Honeypot Project Leader Ryan Barnett told InternetNews.com."
Security

Nmap 5.00 Released, With Many Improvements 73

iago-vL writes "The long-awaited Nmap Security Scanner version 5.00 was just released (download)! This marks the most important release since 1997, and is a huge step in Nmap's evolution from a simple port scanner to an all-around security and networking tool suite. Significant performance improvements were made, and dozens of scripts were added. For example, Nmap can now log into Windows and perform local checks (PDF), including Conficker detection. New tools included in 5.00 are Ncat, a modern reimplementation of Netcat (with IPv6, SSL, NAT traversal, port redirection, and more!), and Ndiff, for quickly comparing scan results. Other tools are in the works for future releases, but we're still waiting for them to add email and ftp clients so we can finally get off Emacs!"
Security

Submission + - ImageShack Hacked! (mashable.com) 5

revjtanton writes: "Tonight a group calling themselves "Anti-Sec" hacked ImageShack and replaced many of the site's hosted images with one of their own detailing their manifesto. The group's grievance is against full-disclosure. They simply want the practice in security circles to end, and they've promised to cause mayhem and destruction if it doesn't.

These guys/gals are taking direct aim against a sect of the IT industry who is already armed to fight them...but they also already know that. It should be interesting to see how this plays out, whether you agree with them or not."

Comment VAX VMS (Score 3, Interesting) 562

What, no VAX VMS or OpenVMS? People still use it in healthcare systems even though it came out around 1978. How I miss the good old days in the 1990's using a vax/vms in high school and UUCP'ing to send mail out of the building, and using our student BBS authored in DCL.
Security

Submission + - Transparent proxy architectural flaw discovered (thesecuritypractice.com)

MrFoobar writes: "Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."
Security

Submission + - New transparent proxy abuse discovered (thesecuritypractice.com) 1

mrhanky writes: ""Transparent proxies allow organizations to influence and monitor the traffic from its users without their knowledge or participation. Transparent proxies act as intermediaries between a user and end destination, and aren't generally apparent to users sitting behind them. Enterprises, Hotels, and Internet Service Providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc) with socket capabilities. This write up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations""
