Web Application Security
Re: File Upload with changed extension 2014-12-04
Robin Wood (robin digi ninja)
No one has mentioned the ability to use the server as a warez server,
that could be a problem if the max upload file size is large enough.

On 4 December 2014 at 01:25, Michal Zalewski <lcamtuf (at) coredump (dot) cx [email concealed]> wrote:
> I can't say I'm convinced about other attacks discussed in this
> thread, but if you

Re: File Upload with changed extension 2014-12-04
Michal Zalewski (lcamtuf coredump cx)
I can't say I'm convinced about other attacks discussed in this
thread, but if you have a web server that allows arbitrary file
uploads and then serves them back from a sensitive origin without
taking *a lot* of additional precautions (the list of which is long
and ever-changing), then you probably

Re: File Upload with changed extension 2014-12-04
Paul Burbage (paul k burbage gmail com)
Also,

Extension blacklisting is not preferred, since you can get PHP
execution on the following extensions, to name a few:

.PHP (upper case)
.php. (Trailing period)

Furthermore, don't trust the mimetype. It's easy to append PHP to a
GIF header file to bypass mimetype checks:

$ head -c 20 some

Re: File Upload with changed extension 2014-12-03
Seth Art (sethsec gmail com)
Tobias - One question about the gif/js thing: As far as I can tell
from Ajin's blog, you need to be able to write a script tag into the
page, in order for the gif to be interpreted as js. If that is
correct, I would think that just having the ability to upload the gif
with js in it is not enou

Re: File Upload with changed extension 2014-12-03
Tobias Wassermann (mail tobias-wassermann de)
Hi,

it could also be a risk on the client for some XSS. There is an existing and very easy scenario to implement: Using a valid GIF-file to inject JavaScript-code to a page. If the page provides some upload functionality and the uploaded files will be visible to other users afterwards you can use th

Re: File Upload with changed extension 2014-12-03
Guillermo Caminer (flaco webappsec gmail com)
Hi!

There could be a risk involved, if:
1) The image is uploaded inside the Document Root
2) Have some malicious code inside (ex: a php shell) that is not validated
3) The Web Server somehow executes this malicious code (for example, you can put php code inside a
GIF, after the magic number, and th

File Upload with changed extension 2014-12-02
Jyotiranjan Acharya (jyotiranjan121 gmail com)
If you are able to upload a file with a changed extension, then will
that be a problem?
For example, you cannot, in any way, upload a .exe or .php/.jsp/.asp
file directly into a web App, but you can by changing their extension
to .JPG. What is the risk in such a case?

Tizen 2.2.1 WebKit Address Spoofing Vulnerability 2014-12-02
Ajin Abraham (ajin25 gmail com)
<!--
Title: Tizen 2.2.1 WebKit Address Spoofing Vulnerability
Author: Ajin Abraham | @ajinabraham
Website: http://opensecurity.in
Affected Product: Tizen Default Browser
Affected Version: Tizen 2.2.1
Video Demo: https://www.youtube.com/watch?v=QKbTSxlCX7c

-->
<html>
<head><title>Tizen Browser - Add

RE: [EXT] RE: Social Security Number in Hidden field 2014-11-24
Hambleton, Robert F (RHamble citgo com)
I completely agree. Even with just the last 4 digits, the application needs to have a role based security framework, the pages should be non-caching and SSL should be utilized. This would be for intranet and internet based applications, traffic can be sniffed on any network.

-----Original Mes

RE: Social Security Number in Hidden field 2014-11-24
Jeffory Atkinson (jatkinson zelvin com)
In this day and age the SSN should never be a hidden variable. SSN should be treated nearly like a password. If an application needs the ssn for some sort of operations it should be masked and indexed on the back end. (i.e. if the application is providing the ssn number it should look something like xxx

Re: concurrent logins 2014-11-24
Robin Wood (robin digi ninja)
On 24 November 2014 at 08:03, Stephen de Vries
<stephen (at) continuumsecurity (dot) net [email concealed]> wrote:
>> The reason I was thinking about this is the thing I was reading was
>> suggesting to prevent session hijacking that concurrent logins should
>> not be allowed, 2FA stops actual logins but not hijacks.
>
>
> Sess

Re: Social Security Number in Hidden field 2014-11-24
Antti Virtanen (Antti Virtanen solita fi)
For a similar reason I have also implemented such a feature once. The
customer was fully aware that the information is not really safe, but they
wanted to prevent casual observer from seeing such information. In modern
office environments the observer doesn't need to be in close proximity and

Re: concurrent logins 2014-11-24
Stephen de Vries (stephen continuumsecurity net)
> The reason I was thinking about this is the thing I was reading was
> suggesting to prevent session hijacking that concurrent logins should
> not be allowed, 2FA stops actual logins but not hijacks.

Session hijacking is only possible after some other vulnerability in the site is exploited, e.g.

Re: Social Security Number in Hidden field 2014-11-24
Lorne Kates (lkates gmail com)
I once coded an admin page like this. Admins had to have access to
SSNs (or SIN, since it was a Canadian company) of applicants. But
they didn't want the SSN on the screen all the time. So a button was
added that de-masked the SSN when clicked.

The company was fully aware that visually hiding th

Re: Social Security Number in Hidden field 2014-11-23
Abhay Rana (capt n3m0 gmail com)
No, putting it in a hidden field is the same as showing it to a tech-savvy
admin. Unless admins are supposed to see the SSN (and are authorized
to), there is no reason for it to be in a hidden field.

If you really need it there (for some future requests in the form), it
might be better to instead put t

Re: Social Security Number in Hidden field 2014-11-23
snipe (snipe snipe net)
I can't think of a single legitimate reason why SS# should be in a hidden field.

As to whether it's a security risk, that depends on whether the intranet app is accessible from the outside world, whether it runs over SSL, etc. Does the hidden field only show up for admins? Given what seems like

Re: Social Security Number in Hidden field 2014-11-23
Robin Wood (robin digi ninja)
Is there any reason for the SSN being included in the page? Is it
used, i.e. can it be edited on the page?

If not it shouldn't be there by the sound of it.

Robin

On 23 November 2014 at 20:12, Jyotiranjan Acharya
<jyotiranjan121 (at) gmail (dot) com [email concealed]> wrote:
> Hello,
>
> There is an application which is prese

Social Security Number in Hidden field 2014-11-23
Jyotiranjan Acharya (jyotiranjan121 gmail com)
Hello,

There is an application which is present in an intranet. When the
Admin of the application loads the user information page, a field
called SSN appears. It shows ###-##-####. But the actual SSN remains
in a hidden field.

Do you think there should be a security issue with this?

Regards
Jyo

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 14:27, Aaron Sanders <malmoose37 (at) gmail (dot) com [email concealed]> wrote:
> Just thinking out loud (still haven't had coffee yet) but what about second
> factor? Is that in scope for this question? I would think you can allow all
> the concurrent sessions a user wants as long as all of them were valida

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 15:42, Paul Robinson <paul (at) iconoplex.co (dot) uk [email concealed]> wrote:
> On 19 November 2014 10:30, Robin Wood <robin (at) digi (dot) ninj [email concealed]a> wrote:
>>
>> What are people's opinions on allowing concurrent logins to web apps? I
>> suppose it depends on what the app is used for - forum, admin suite
>> etc - but do

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 16:41, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> As a user, I love how gmail does it, and I would love to see that more.
>
> As a tester, I personally treat this one as more of a recommendation than a
> finding in most cases. I find this one is difficult to defend in findings
> revi

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 18:22, Rogan Dawes <rogan (at) dawes.za (dot) net [email concealed]> wrote:
> You have been logged out, because someone has just logged in using your
> username and password. If this was you, please ignore this message.
>
> Otherwise, please change your password immediately, and contact our security
> depart

AW: concurrent logins 2014-11-21
Wolfgang Abbas (wolfgang abbas de)
Good points so far!

Additionally, I think in some cases it makes sense to divide internal access to applications depending on the criticality of the application.

For example: I did a hardening of a cms-based extranet for a client of mine. You may log into the system with up to three devices (phone

RE: concurrent logins 2014-11-21
Nigel Ball (Nigel K Ball dsl pipex com)
Hi,

Not really another option but something that could be added to the options already listed is automatically logging out inactive sessions. How long you wait (minutes / hours / days) before deciding a session is inactive and logging it out would depend on the type of application and security conc

RE: concurrent logins 2014-11-19
Zaakiy Siddiqui (zaakiy nticon com au)
Hi all,

I'm in favour of Arvind's Option Number 2: i.e., in my way of thinking it: Display to the user the Geolocation of other source IPs that have logged in with the same account.

Need to ensure though that if your users are using 3rd party services to login (common scenario is they use a featur

Re: concurrent logins 2014-11-19
Seth Art (sethsec gmail com)
As a user, I love how gmail does it, and I would love to see that more.

As a tester, I personally treat this one as more of a recommendation
than a finding in most cases. I find this one is difficult to defend
in findings review meetings, especially given the challenges you
mention, and the pervas

Re: concurrent logins 2014-11-19
James Wright (jamfwright gmail com)
Hi Robin,

As you said, it depends a lot on what the application is for. If it
is something like email, a user may wish to access it on a computer
and a smartphone, and stay logged into both.

If the web based system requires more security, or is limited by a
license (100 concurrent user limit) or

Re: concurrent logins 2014-11-19
Matt Konda (mkonda jemurai com)
Robin,

I think you've hit on the obvious options.

What's the business purpose? You might be surprised what the business will and will not tolerate related to this ...

Although it doesn't strictly itself prevent concurrent sessions, I've seen people use a two factor system to discourage i

Re: concurrent logins 2014-11-19
Arvind (arvind doraiswamy gmail com)
I think the best way to do this is to take a quick step back and look
at the risks in each. That's because there's no 1 right answer here as
you already mentioned.

TLDR 1 - There's really only 2 options - you allow it or you don't.
Allowing means anyone can login (more ease of use) and disallowing i

Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
That is my number 3 but giving a warning when logging them out. Could
still result in a DoS and you'd have to either write very good copy on
the warning or train users what to do when that happens as I reckon
most would just click OK and then log back in again.

Robin

On 19 November 2014 14:14, Rog

Copyright 2010, SecurityFocus