Web Application Security
Auditing mailing scripts for web app pentesters Jul 15 2008 02:05PM
Adrian Pastor (adrian pastor procheckup com) (1 replies)
RE: Auditing mailing scripts for web app pentesters Jul 16 2008 03:08AM
Brett Moore (brett moore insomniasec com) (1 replies)
Re: Auditing mailing scripts for web app pentesters Jul 16 2008 10:31AM
Adrian Pastor (adrian pastor procheckup com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brett,

I came across this paper a while ago but had forgotten about it! Will
definitely keep it in mind for future assessments.

What percentage of ASP.NET/MS SQL environments would you say you find
vulnerable to this attack against "forgotten password" facilities?

Also, have you found other types of environments vulnerable to this
attack as well?

Brett Moore wrote:
| Hi.
|
| While not directly related to your paper's topic, I think it would
| be beneficial to raise awareness of the issue illustrated in this
| paper by Gary O'Leary-Steele.
|
| http://www.sec-1labs.co.uk/advisories/BTA_Full.pdf
|
| Surprising how many forgotten password mail out features are vulnerable
| to this.
|
| Brett
|
| -----Original Message-----
| From: listbounce (at) securityfocus (dot) com
| [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Adrian Pastor
| Sent: Wednesday, 16 July 2008 2:06 a.m.
| To: webappsec (at) securityfocus (dot) com
| Subject: Auditing mailing scripts for web app pentesters
|
| Hi guys,
|
| We just released a paper aimed at web application pentesters. The paper
| discusses auditing scripts for vulnerabilities that would allow using
| the target organization's mail servers for spamming/phishing purposes.
|
| The content of the paper is derived from real pentest experiences on
| live e-commerce environments. I hope you find it useful and can apply
| its content to your security testing assessments:
|
| http://www.procheckup.com/CRLFi.pdf
| --
| Adrian P. | Senior IT Security Consultant | ProCheckUp Ltd
|

--
Adrian P. | Senior IT Security Consultant | ProCheckUp Ltd
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIfc3zUmN3xwbmU6YRAlFhAJ40Ld2qKwRBTI8JVjArjho+HjJlsACgpth/
glWdhF1abA88OU6QsjVvhY8=
=4eRV
-----END PGP SIGNATURE-----
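The mail-script weakness this thread is about, user-supplied form fields ending up inside SMTP headers so that a CR/LF in the input lets the submitter add headers such as extra recipients, is easiest to audit by looking at how a handler treats each value before it reaches the mail library. The Python below is an added example written for this page; it is not code from either paper, from ProCheckUp or from Sec-1. The recipient and sender addresses, the form field names and the sample submissions are all constructed. It shows the two defensive properties an auditor checks for: the real recipient is a server-side constant rather than a form value, and every value that lands in a header is rejected if it contains a header-terminating character.

```python
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Characters that end a header line in SMTP/MIME. Any of them inside a
# user-supplied value lets the submitter start a new header (for example an
# extra recipient list), which is how a contact form becomes a relay.
HEADER_BREAK_RE = re.compile(r"[\r\n\x00]")
# Deliberately strict: exactly one mailbox, no display name, no whitespace,
# so the field cannot carry a second address or a comment.
MAILBOX_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Where form mail really goes: fixed server-side, never read from the request.
# Both addresses are hypothetical placeholders.
FORM_RECIPIENT = "webmaster@example.com"
FORM_SENDER = "webform@example.com"


class HeaderInjectionError(ValueError):
    """Raised when a field contains a header-terminating character."""


def check_header_value(field, value, max_len=200):
    """Reject values that could break out of the header they are placed in."""
    if HEADER_BREAK_RE.search(value):
        raise HeaderInjectionError(f"{field}: CR/LF/NUL not allowed in a header value")
    if len(value) > max_len:
        raise ValueError(f"{field}: longer than {max_len} characters")
    return value


def build_form_message(form):
    """Turn a decoded form dict into an EmailMessage addressed only to us.

    The submitter controls the Reply-To address and the Subject text; To and
    From are constants, so no field's contents can add a recipient.
    """
    reply_to = check_header_value("email", form.get("email", ""), max_len=254)
    if not MAILBOX_RE.match(reply_to):
        raise ValueError("email: not a single plain mailbox address")
    subject = check_header_value("subject", form.get("subject", ""))
    body = form.get("message", "")  # body text, newlines are harmless here

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = FORM_RECIPIENT
    msg["Reply-To"] = reply_to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def recipient_count(msg):
    """Number of addresses across To/Cc/Bcc; relay abuse would inflate this."""
    total = 0
    for name in ("To", "Cc", "Bcc"):
        for hdr in msg.get_all(name, []):
            total += len(hdr.addresses)
    return total


def audit_submissions(raw_bodies):
    """Decode raw form bodies as a handler would and classify each one."""
    results = []
    for raw in raw_bodies:
        fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
        try:
            msg = build_form_message(fields)
            results.append(("accepted", recipient_count(msg)))
        except HeaderInjectionError as exc:
            results.append(("rejected:injection", str(exc)))
        except ValueError as exc:
            results.append(("rejected:invalid", str(exc)))
    return results


# Constructed sample submissions, URL-encoded as the handler would receive them.
SAMPLE_BODIES = [
    # benign enquiry
    "email=alice%40example.org&subject=Order+question&message=Hello",
    # CRLF in the subject: tries to append a recipient header
    "email=alice%40example.org&subject=hi%0D%0ABcc%3A+list%40example.net&message=x",
    # bare LF in the email field: same defect class, different line ending
    "email=alice%40example.org%0ACc%3Abob%40example.net&subject=hi&message=x",
    # two addresses in one field: no CRLF, but still not a single mailbox
    "email=alice%40example.org%2C+bob%40example.net&subject=hi&message=x",
]

if __name__ == "__main__":
    for raw, outcome in zip(SAMPLE_BODIES, audit_submissions(SAMPLE_BODIES)):
        print(outcome, "<-", raw)
```

When reviewing a real handler, the questions the example encodes are the ones to ask: which header fields are built from request data, whether any of them is a recipient field, and whether CR, LF and NUL are rejected (not merely stripped) before the value is handed to the mail function. Rejecting rather than stripping keeps the attempt visible in the application's error path, which is what gives you a detection signal.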

Copyright 2008, SecurityFocus