Comment VAX VMS (Score 3, Interesting) 562

What, no VAX/VMS or OpenVMS? People still use it in healthcare systems even though it came out around 1978. How I miss the good old days in the 1990s using a VAX/VMS in high school and UUCP'ing to send mail out of the building, and using our student BBS authored in DCL.
Security

Submission + - Transparent proxy architectural flaw discovered (thesecuritypractice.com)

MrFoobar writes: "Transparent proxies allow organizations to influence and monitor the traffic from their users without their knowledge or participation. Transparent proxies act as intermediaries between a user and the end destination, and aren't generally apparent to users sitting behind them. Enterprises, hotels, and Internet service providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use, an attacker can achieve a partial Same Origin Policy bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc.) with socket capabilities. This write-up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."
Security

Submission + - New transparent proxy abuse discovered (thesecuritypractice.com) 1

mrhanky writes: "Transparent proxies allow organizations to influence and monitor the traffic from their users without their knowledge or participation. Transparent proxies act as intermediaries between a user and the end destination, and aren't generally apparent to users sitting behind them. Enterprises, hotels, and Internet service providers often use transparent proxy products to lower bandwidth consumption, speed up page loads for their users, and for monitoring and filtering of web surfing. When certain transparent proxy architectures are in use, an attacker can achieve a partial Same Origin Policy bypass resulting in access to any host reachable by the proxy via the use of client plug-in technologies (such as Flash, Applets, etc.) with socket capabilities. This write-up will describe this architecture, how it may be abused by Flash, its existence in various network layouts, and mitigations."
Software

Submission + - Appropriate QA Security Testing Expectations (cgisecurity.com)

WASC writes: "Developers by nature are detail oriented and typically (the good ones, anyway) have a deep understanding of flows and processes from start to finish. QA, on the other hand, is a different animal: they understand the business use cases provided to them, and ensure that the business use cases work (positive testing). Good QA people add negative testing to this mix, typically to generate errors and crash things to ensure the platform is fairly stable. The majority of QA people aren't interested in becoming security engineers or having a thorough understanding of vulnerabilities such as SQL injection, OS commanding, or HTTP response splitting. You may be lucky at your company and have a few that do care about these details, but as a general rule they are in short supply and rarely sustainable. The security industry needs to re-align its security expectations for QA."
Google

Gmail Reveals the Names of All Users 438

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google Calendar, the names of all registered Gmail accounts are now readily available. All you need to find out the name behind any Gmail address is a Google Calendar account yourself. Depending on your view, this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."
Security

Submission + - The Web Incidents Hacking Database (webappsec.org)

mrkitty writes: The Web Hacking Incident Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. The database is unique in tracking only media-reported security incidents that can be associated with a web application security vulnerability. We also try to limit the database to targeted attacks only. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.
Security

Submission + - Greek spies plant rootkit in a phone exchange (ieee.org)

http://www.cgisecurity.com writes: "A highly sophisticated spying operation that tapped into the mobile phones of Greece's prime minister and other top government officials has highlighted weaknesses in telecommunications systems that still use decades-old computer code. The spying case, in which the calls of around 100 people using Vodafone's network were secretly tapped, remains unsolved and is still being investigated. Also complicating the case are question marks over the suicide in March 2005 of a top engineer at Vodafone Group in Greece in charge of network planning. A detailed write-up can be found at http://www.spectrum.ieee.org/jul07/5280"
It's funny.  Laugh.

Submission + - Patent Granted for Fault Injection (patentstorm.us)

techlists writes: "A patent on fault injection (#7,185,232) has been granted by our friends at the patent office. This could seriously and negatively impact software/hardware testing across the industry. According to the filing, "A method of testing a target in a network by fault injection, ... The method may further include, receiving a feedback from the target to determine fault occurrence." They've been asked to comment, but will they say anything?"
Patents

Submission + - Cenzic patents the obvious, Fault Injection!

Super Appman Zero writes: In the endless comedy that is the USPTO, we have another doozy of a patent; this time the company Cenzic lays claim to the age-old software/hardware testing process "fault injection"! According to the filing, "A method of testing a target in a network by fault injection, ... The method may further include, receiving a feedback from the target to determine fault occurrence." When will the madness of patenting things that already exist end!? Even the company's own press release calls the invention obvious: "...focused on fault injection technology, which is commonly used by most security assessment scanners." This could seriously and negatively impact software/hardware testing across the industry. They've been asked to comment, but will they say anything?
Security

Submission + - Unicode Encoding Implementation Flaw Widespread

LordNikon writes: According to CERT, "Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system." Proofs of concept affecting IIS are already being posted to security mailing lists, and Cisco IPS and other IDS products are also affected.
Software

Submission + - Ways People Screw Up AJAX

foo writes: "People are aware of the good that technologies such as AJAX have added to sites such as Gmail, Digg, and Slashdot. The negative aspects and implementations of AJAX have mostly been avoided by the media and are rarely spoken of. CGISecurity has published a top 5 list of problems which can be encountered by implementing AJAX improperly."
Security

Submission + - Data Released On How Open Relay Proxies Are Abused

Ralph Wiggum writes: "The folks at the Web Application Security Consortium have published a report outlining how attackers are utilizing open web proxies in the wild. From the announcement: "This first release of information is for data gathered from January — April, 2007. During this timeframe, we had 7 internationally placed honeypot sensors deployed and sending their data back to our central logging host.""
