Domain: webappsec.org
Stories and comments across the archive that link to webappsec.org.
Stories · 11
-
Unicode Encoding Flaw Widespread
LordNikon writes "According to this CERT advisory: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' A proof of concept affecting IIS is already being posted to security mailing lists. Cisco IPS and other IDS products are also affected." The CERT advisory lists 93 systems, with 6 reported as vulnerable (including 3com, Cisco, and Snort), 5 known not vulnerable (including Apple and HP), and the rest unknown. -
Unicode Encoding Flaw Widespread
LordNikon writes "According to this CERT advisory: 'Full-width and half-width encoding is a technique for encoding Unicode characters. Various HTTP content scanning systems fail to properly scan full-width/half-width Unicode encoded HTTP traffic. By sending specially-crafted HTTP traffic to a vulnerable content scanning system, an attacker may be able to bypass that content scanning system.' A proof of concept affecting IIS is already being posted to security mailing lists. Cisco IPS and other IDS products are also affected." The CERT advisory lists 93 systems, with 6 reported as vulnerable (including 3com, Cisco, and Snort), 5 known not vulnerable (including Apple and HP), and the rest unknown. -
Adobe Acrobat JavaScript Execution Bug
QASec.com writes to mention that Stefano Di Paola and Giorgio Fedon discovered an unpatched vulnerability in Adobe Acrobat Reader that can allow an attacker to execute arbitrary JavaScript on any hosted PDF file. People are reporting different results based on browser and Acrobat versions. Most of the major sites discussed have already fixed the problem, but many smaller sites may still need to be patched. -
Number of Web Application Hacks Up
An anonymous reader writes "According to an article at Information Week, 'Web site hacks are on the rise and pose a greater threat than the broad-based network attacks...' Citing statistics from the Web Hacking Incidents Database, 'Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.'" -
Cross Site Scripting Discovered in Google
Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks." -
Cross Site Scripting Discovered in Google
Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks." -
New Web Application Security Mailing List
An anonymous reader writes "For those slashdotters interested in web application security, WASC (Web Application Security Consortium) has created a new mailing list aply named 'The Web Security Mailing List.' The list is open for discussing important topics such as new attacks types and vulnerabilities, software development, solutions, application firewalls, web servers, database security, tools, etc." -
New Web Application Security Mailing List
An anonymous reader writes "For those slashdotters interested in web application security, WASC (Web Application Security Consortium) has created a new mailing list aply named 'The Web Security Mailing List.' The list is open for discussing important topics such as new attacks types and vulnerabilities, software development, solutions, application firewalls, web servers, database security, tools, etc." -
New Web Application Attack - Insecure Indexing
An anonymous reader writes "Take a look at 'The Insecure Indexing Vulnerability - Attacks Against Local Search Engines' by Amit Klein. This is a new article about 'insecure indexing.' It's a good read -- shows you how to find 'invisible files' on a web server and moreover, how to see contents of files you'd usually get a 401/403 response for, using a locally installed search engine that indexes files (not URLs)." -
Blackhat/Defcon Report
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)." -
Blackhat/Defcon Report
Joe Barr writes "NewsForge [ed. note: part of OSTG along with Slashdot] is running its concluding piece on the week-long Blackhat/DEFCON hackerfest in Las Vegas. Want to know how little our police/intelligence agencies seem to have learned from their failures prior to 9/11? Or how a very large goon known only as Priest prevented outright political violence at a DEFCON presentation on Civil Disobedience? Or which of the two conferences is right for you? It's all here in the Blackhat/Defcon: Final report." Reader M. Curphey writes "The Web Application Security Consortium (WASC) announced at Blackhat the release of a 'Threat Classifications' document. This document attempts to clarify web security terminology such as Cross Site Scripting, Session Fixation, Cookie poisoning, and HTTP response splitting (to name a few)."