Web Application Security Mode:
(Page 1 of 334)  1 2 3 4 5 6 7 8 9 10 11  Next >
Arachni Framework v1.4 & WebUI v0.5.10 have been released (Web Application Security Scanner) 2016-02-09
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.

The highlights of this release are:

* Massive performance improvements (approx. 5 times faster browser operations,
much reduced less RAM and CPU usage).
* Significantly improv

[ more ]  [ reply ]
Faraday v1.0.16: (Group vulns by fields, Filter false-positives, Canvas plugin) 2015-12-21
Francisco Amato (famato infobytesec com)
We are proud to present Faraday v1.0.16!

This version comes with major changes to our Web UI, including the
possibility to mark vulnerabilities as false positives. If you have a
Pro or Corp license you can now create an Executive Report using only
confirmed vulnerabilities, saving you even more tim

[ more ]  [ reply ]
Re: Whitepaper: SMTP Injection via recipient email addresses 2015-12-18
Amit Klein (aksecurity gmail com)
Well done, Takeshi. And very nice research, BTW.

Best,
-Amit

On Fri, Dec 18, 2015 at 5:13 AM, Takeshi Terada <mbsdtest01 (at) gmail (dot) com [email concealed]> wrote:
> Dear Amit Klein and all,
>
> Thanks for letting me know previous researches.
> I was not aware of Insomnia's paper mentioning injection to RCPT.
> I added

[ more ]  [ reply ]
Re: Whitepaper: SMTP Injection via recipient email addresses 2015-12-18
Takeshi Terada (mbsdtest01 gmail com)
Dear Amit Klein and all,

Thanks for letting me know previous researches.
I was not aware of Insomnia's paper mentioning injection to RCPT.
I added the links to the works you mentioned to the paper.
Revised version is available at the same URL:
http://www.mbsd.jp/Whitepaper/smtpi.pdf
I really apprec

[ more ]  [ reply ]
IoT Authentication 2015-12-17
Saghar Estehghari (s estehghari gmail com)
Hi,

Recently, I've started an IoT project with my team. We are trying to
implement cyber-security functions into embedded device in a way to
reduce the load on such devices. Currently, authentication is our
case of study. We are looking for a solution that applies to a small
group of embedded devi

[ more ]  [ reply ]
Re: Whitepaper: SMTP Injection via recipient email addresses 2015-12-16
Amit Klein (aksecurity gmail com)
Dear Takeshi Terada

Thanks for sharing your paper. I'd like to draw your attention to the following:

Injection into RCPT is mentioned in
https://www.insomniasec.com/downloads/publications/Common_Application_Fl
aws.ppt
(see slides 15-16) released November 2008 (see
https://www.insomniasec.com/releas

[ more ]  [ reply ]
Whitepaper: SMTP Injection via recipient email addresses 2015-12-09
Takeshi Terada (mbsdtest01 gmail com)
Dear all,

MBSD released a whitepaper titled "SMTP Injection via recipient email
addresses."
http://www.mbsd.jp/Whitepaper/smtpi.pdf

The paper discusses SMTP Injection attacks via malformed recipient
email addresses in some email libraries in Ruby, Java and PHP.

TOC
1. Introduction
2. How the atta

[ more ]  [ reply ]
SiteWIX - (edit_photo2.php id) SQL Injection Exploit 2015-10-21
ZoRLu Bugrahan (zorlu milw00rm com)
#!/usr/bin/env python
#-*- coding:utf-8 -*-

#Title : SiteWIX - (edit_photo2.php id) SQL Injection Exploit
#Author : ZoRLu / zorlu (at) milw00rm (dot) com [email concealed]
#Website : milw00rm.com / milw00rm.net / milw00rm.org / milw0rm.info
#Twitter : https://twitter.com/milw00rm or @milw00rm
#Test : Windows7 Ultimate
#Disc

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Ricardo Iramar dos Santos (riramar gmail com)
Yes, I saw Scott's website and other interesting stuff.
We changed some twitters
(https://twitter.com/Scott_Helme/status/639756303376773120).

On Tue, Oct 20, 2015 at 11:52 AM, Robin Wood <robin (at) digininja (dot) org [email concealed]> wrote:
> Have you seen this project by Scott?
>
> https://securityheaders.io/
>
> Similar

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Robin Wood (robin digininja org)
Have you seen this project by Scott?

https://securityheaders.io/

Similar to yours except works from a website rather than cli.

Robin

On 20 October 2015 at 14:24, Ricardo Iramar dos Santos
<riramar (at) gmail (dot) com [email concealed]> wrote:
> Make sense. I'll include your suggestion in my TODO list.
> My first goal for t

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Ricardo Iramar dos Santos (riramar gmail com)
Make sense. I'll include your suggestion in my TODO list.
My first goal for the version 0 was construct a simple "platform" and
make it usable.
One of the goals for version 1 is improve the database with users
feedback like yours.
Thanks!

On Tue, Oct 20, 2015 at 10:21 AM, Robin Wood <robin@digininj

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Robin Wood (robin digininja org)
I'd say both of those were references not recommendations, the
recommendation should be something along the lines of:

Ensure cookies protecting important data, such as session tokens, are
correctly protected (httponly and secure flags).
Beware session fixation

I may add ensure good entropy on sess

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Ricardo Iramar dos Santos (riramar gmail com)
Thanks for your advise and opinion.
Have you seen the recommendations field?
Do you have a suggestion for a better security description?

>> Recommendations: Please at least read these references:
>> https://tools.ietf.org/html/rfc6265#section-8 and
>> https://www.owasp.org/index.php/Session_Manag

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-20
Robin Wood (robin digininja org)
On 19 October 2015 at 16:49, Ricardo Iramar dos Santos
<riramar (at) gmail (dot) com [email concealed]> wrote:
> Hi Robin Wood,
>
> This security description came from here
> https://tools.ietf.org/html/rfc6265#section-8 so we could ask your
> question to the author.
> But IMO the RFC author is saying the HTTPS is insufficient

[ more ]  [ reply ]
Re: hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-19
Ricardo Iramar dos Santos (riramar gmail com)
Hi Robin Wood,

This security description came from here
https://tools.ietf.org/html/rfc6265#section-8 so we could ask your
question to the author.
But IMO the RFC author is saying the HTTPS is insufficient because of
attacks like described here
https://www.usenix.org/conference/usenixsecurity15/tec

[ more ]  [ reply ]
hsecscan v0 (https://github.com/riramar/hsecscan) 2015-10-16
Ricardo Iramar dos Santos (riramar gmail com)
Hi All,

I started to develop in python a dumb tool called hsecscan
(https://github.com/riramar/hsecscan). I'll appreciate any feedback.
:)
It's a security scanner for HTTP response headers. Just finished the
usable version 0 with a few features.

$ ./hsecscan.py
usage: hsecscan.py [-h] [-P] [-p] [-

[ more ]  [ reply ]
Invitation to X0RC0NF Security Conference 2015 2015-10-11
xorconf security conference (info xorconf com)
Hello there,

We are inviting you to X0RC0NF Security Conference 2015 Kochi. X0RC0NF is an annual international security conference conducted in God's Own Country, Kerala. It is a platform for security researchers, hackers, enthusiasts, professionals and students. We promote security research and pr

[ more ]  [ reply ]
Faraday 1.0.15 (Continuous Scanning Tool: cscan, new Plugins: Pippingtom, SSHdefaultscan and pasteAnalyzer) 2015-10-08
Francisco Amato (famato infobytesec com)
A brand new version is ready for you to enjoy! Faraday v1.0.15
(Community, Pro & Corp) was published today with new exciting
features.

As a part of our constant commitment to the IT sec community we added
a tool that runs several other tools to all IPs in a given list. This
results in a major scan

[ more ]  [ reply ]
Arachni Framework v1.3 & WebUI v0.5.8 have been released (Web Application Security Scanner) 2015-10-07
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, a modular and high-performance Web Application Security Scanner Framework.

The highlights of this release are:

* Simplified Issue structures in the generated reports.
* Support for populating the browsers' localStorage from a JSON file.
* Support for a

[ more ]  [ reply ]
Persistent xss liferay enterprise cms 2015-10-07
Tim Schughart (tim schughart icloud com)
Hey guys,

during a penatrationtest I have found an unknown persistent xss in liferay portal backend. Liferay is already informed.

##################
#General Information#
##################

Manufacture description:
Liferay Portal is an enterprise-web-platform for the development of business sol

[ more ]  [ reply ]
nullcon se7en CFP is open 2015-08-26
nullcon (nullcon nullcon net)
Dear Friends,

Welcome to nullcon se7en!

$git commit -a <sin>

<sin> := wrath | pride | lust | envy | greed | gluttony | sloth

nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive securi

[ more ]  [ reply ]
SpiderFoot 2.5.0 released 2015-08-02
Steve Micallef (steve binarypool com)
Hi all,

SpiderFoot 2.5.0 is now available, with more modules, added
functionality and bug fixes since 2.3.0 was last announced on this list.
SpiderFoot is an open source intelligence gathering / reconnaissance
tool utilising over 40 data sources and methods, all driven through a
snappy web UI.

[ more ]  [ reply ]
Arachni Framework v1.2 & WebUI v0.5.7.1 have been released (Web Application Security Scanner) 2015-07-16
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, a modular and high-performance Web Application Security Scanner.

The highlights of this release are:

* Many optimizations to reduce RAM and CPU consumption.
* SSL interception for websites with HSTS.
* Support for tracking jQuery delegated events.
* Su

[ more ]  [ reply ]
CFP: Passwords 2015, Dec 7-9, Cambridge, UK 2015-07-10
Per Thorsheim (per thorsheim net)
========================================================================
=
Passwords 2015
The 9th International Conference on Passwords
7, 8, 9 December 2015
University of Cambridge, United Kingdom
http://www.cl.cam.ac.uk/events/passwords2015/
https://passwordscon.org/
===============================

[ more ]  [ reply ]
Ruxcon 2015 Final Call For Presentations 2015-07-06
cfp ruxcon org au
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.

This year the conference will take place over the weekend of the 24th and 25th

[ more ]  [ reply ]
Whitepaper: RPO exploitation techniques 2015-07-01
Takeshi Terada (mbsdtest01 gmail com)
Dear all,

MBSD released a whitepaper on RPO (Relative Path Overwrite) attack techniques.
http://www.mbsd.jp/Whitepaper/rpo.pdf

TOC
1. Introduction
2. Path manipulation techniques
2.1. Loading another file on IIS/ASP.NET
2.2. Loading another file on Safari/Firefox
2.3. Loading anothe

[ more ]  [ reply ]
t2'15: Call for Papers 2015 (Helsinki / Finland) 2015-06-01
Tomi Tuominen (tomi tuominen t2 fi)
#
# t2'15 - Call For Papers (Helsinki, Finland) - October 29 - 30, 2015
#

Why spend your valuable conference time in the longest lines you have seen in your life, getting a sun burn or totally lost in the canals with your rental boat, being deprived of chewing gum or waking up in Nong Palai without

[ more ]  [ reply ]
hardwear.io - Hardware Security Conference Call for Papers 2015-05-29
Hardwear Team (hw hardwear io)
Dear Hackers and Security Gurus,

hardwear is seeking innovative research on hardware security. If you
have done interesting research on attacks or mitigation on any
Hardware and want to showcase it to the security community, just
submit your research paper. Please find all the relevant details for

[ more ]  [ reply ]
SQL Injection within popular Magento blog extension (CVE-2015-3428) 2015-05-28
AppCheck Advisories (advisories appcheck-ng com)
Background
======================

The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database. With

[ more ]  [ reply ]
Re: Call for Papers: RAID 2015 2015-05-27
Skander Iversen (skander iversen gmail com)
Dear colleagues,

deadline to RAID 2015 has been extended to June 5th.
We kindly encourage to consider submitting your research work there.

Best regards,

sk

On Mon, May 11, 2015 at 9:08 AM, Skander Iversen
<skander.iversen (at) gmail (dot) com [email concealed]> wrote:
> Dear colleagues,
>
> I would like to announce the foll

[ more ]  [ reply ]
(Page 1 of 334)  1 2 3 4 5 6 7 8 9 10 11  Next >


 

Privacy Statement
Copyright 2010, SecurityFocus