Web Application Security
(Page 1 of 333)
t2'15: Call for Papers 2015 (Helsinki / Finland) 2015-06-01
Tomi Tuominen (tomi tuominen t2 fi)
#
# t2'15 - Call For Papers (Helsinki, Finland) - October 29 - 30, 2015
#

Why spend your valuable conference time in the longest lines you have seen in your life, getting a sunburn or totally lost in the canals with your rental boat, being deprived of chewing gum or waking up in Nong Palai without

[ more ]  [ reply ]
hardwear.io - Hardware Security Conference Call for Papers 2015-05-29
Hardwear Team (hw hardwear io)
Dear Hackers and Security Gurus,

hardwear is seeking innovative research on hardware security. If you
have done interesting research on attacks or mitigation on any
Hardware and want to showcase it to the security community, just
submit your research paper. Please find all the relevant details for

[ more ]  [ reply ]
SQL Injection within popular Magento blog extension (CVE-2015-3428) 2015-05-28
AppCheck Advisories (advisories appcheck-ng com)
Background
======================

The aheadWorks Blog extension for Magento prior to version 1.3.10 is vulnerable to a critical SQL Injection security flaw. A remote unauthenticated attacker could exploit this vulnerability to take complete control of the affected Magento server and database. With

[ more ]  [ reply ]
Re: Call for Papers: RAID 2015 2015-05-27
Skander Iversen (skander iversen gmail com)
Dear colleagues,

The deadline for RAID 2015 has been extended to June 5th.
We kindly encourage you to consider submitting your research work there.

Best regards,

sk

On Mon, May 11, 2015 at 9:08 AM, Skander Iversen
<skander.iversen (at) gmail (dot) com> wrote:
> Dear colleagues,
>
> I would like to announce the foll

[ more ]  [ reply ]
Breakpoint 2015 Call For Presentations 2015-05-17
cfp ruxcon org au
Breakpoint 2015 Call For Papers
Melbourne, Australia, October 22nd-23rd
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

We are pleased to announce Call For Presentations for Breakpoint 2015.

Breakpoint showcases the work of expert security researchers from arou

[ more ]  [ reply ]
44CON CFP Open 2015-05-13
Steve (steve 44con com)
44CON London is the UK's largest combined annual Security Conference and Training event. Taking place on the evening of the 9th and all day on the 10th and 11th of September at the ILEC Conference Centre near Earls Court, London, we will have a fully dedicated conference facility, including secure w

[ more ]  [ reply ]
Call for Papers: RAID 2015 2015-05-11
Skander Iversen (skander iversen gmail com)
Dear colleagues,

I would like to announce the following CFP.
Please kindly consider submitting to this conference.

This year's RAID will take place in marvelous Kyoto, Japan.

-----------------------------------------
RAID 2015
Kyoto, Japan, November 2-4, 2015
http://www.raid2015.org/

Call for Papers
-

[ more ]  [ reply ]
Arachni Framework v1.1 & WebUI v0.5.7 have been released (Web Application Security Scanner) 2015-05-01
Tasos Laskos (tasos laskos gmail com)
Hey folks,

There's a new version of Arachni, an Open Source, modular and high-performance
Web Application Security Scanner Framework.

The highlights of this release are:

* More sensible default options.
* Approximately 7-fold performance increase (YMMV depending on webapp characteristics).
* Supp

[ more ]  [ reply ]
whitepaper: Identifier based XSSI attacks 2015-04-20
Takeshi Terada (mbsdtest01 gmail com)
Hello list members,

We released a new technical whitepaper titled:
"Identifier based XSSI attacks"

URL:
http://www.mbsd.jp/Whitepaper/xssi.pdf

Summary:
Some new attack techniques and browser vulnerabilities regarding XSSI
(Cross-Site Script Inclusion) are explained. In the attacks, a method
of tr

[ more ]  [ reply ]
Ruxcon 2015 Call For Presentations 2015-04-13
cfp ruxcon org au
Ruxcon 2015 Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.

This year the conference will take place over the weekend of the 24th and 25th of Oc

[ more ]  [ reply ]
SpiderFoot 2.3.0 released 2015-02-11
Steve Micallef (steve binarypool com)
Hi all,

SpiderFoot 2.3.0 is now available, and includes a ton of new
functionality since 2.1.4 was last announced here. SpiderFoot is an open
source intelligence gathering / reconnaissance tool utilising over 40
data sources and methods, all driven through a snappy web UI.

Here's what's new sin

[ more ]  [ reply ]
nullcon HackIM Challenge 9-11 Jan 2015 2014-12-29
nullcon (nullcon nullcon net)
Namaste Ninjas,

Seasons greetings!
We are back for the 6th time in Goa. nullcon 666 welcomes you to the
beastly devilish conference.
As nullcon is getting near, we are excited and ready to announce the
registration for HackIM CTF. Details at http://ctf.nullcon.net This
time HackIM is powered by EMC and

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-04
Robin Wood (robin digi ninja)
No one has mentioned the ability to use the server as a warez server,
that could be a problem if the max upload file size is large enough.

On 4 December 2014 at 01:25, Michal Zalewski <lcamtuf (at) coredump (dot) cx> wrote:
> I can't say I'm convinced about other attacks discussed in this
> thread, but if you

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-04
Michal Zalewski (lcamtuf coredump cx)
I can't say I'm convinced about other attacks discussed in this
thread, but if you have a web server that allows arbitrary file
uploads and then serves them back from a sensitive origin without
taking *a lot* of additional precautions (the list of which is long
and ever-changing), then you probably

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-04
Paul Burbage (paul k burbage gmail com)
Also,

Extension blacklisting is not preferred, since you can get PHP
execution on the following extensions, to name a few:

.PHP (upper case)
.php. (Trailing period)

Furthermore, don't trust the mimetype. It's easy to append PHP to a
GIF header file to bypass mimetype checks:

$ head -c 20 some

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-03
Seth Art (sethsec gmail com)
Tobias - One question about the gif/js thing: As far as I can tell
from Ajin's blog, you need to be able to write a script tag into the
page in order for the gif to be interpreted as js. If that is
correct, I would think that just having the ability to upload the gif
with js in it is not enou

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-03
Tobias Wassermann (mail tobias-wassermann de)
Hi,

It could also be a risk on the client for some XSS. There is an existing and very easy scenario to implement: using a valid GIF file to inject JavaScript code into a page. If the page provides some upload functionality and the uploaded files will be visible to other users afterwards, you can use th

[ more ]  [ reply ]
Re: File Upload with changed extension 2014-12-03
Guillermo Caminer (flaco webappsec gmail com)
Hi!

There could be a risk involved if:
1) The image is uploaded inside the Document Root
2) It has some malicious code inside (ex: a php shell) that is not validated
3) The Web Server somehow executes this malicious code (for example, you can put php code inside a
GIF, after the magic number, and th

[ more ]  [ reply ]
File Upload with changed extension 2014-12-02
Jyotiranjan Acharya (jyotiranjan121 gmail com)
If you are able to upload a file with a changed extension, then will
that be a problem?
For example, you cannot, in any way, upload a .exe or .php/.jsp/.asp
file directly into a web app, but you can by changing their extension
to .JPG. What is the risk in such a case?

[ more ]  [ reply ]
Tizen 2.2.1 WebKit Address Spoofing Vulnerability 2014-12-02
Ajin Abraham (ajin25 gmail com)
<!--
Title: Tizen 2.2.1 WebKit Address Spoofing Vulnerability
Author: Ajin Abraham | @ajinabraham
Website: http://opensecurity.in
Affected Product: Tizen Default Browser
Affected Version: Tizen 2.2.1
Video Demo: https://www.youtube.com/watch?v=QKbTSxlCX7c

-->
<html>
<head><title>Tizen Browser - Add

[ more ]  [ reply ]
RE: [EXT] RE: Social Security Number in Hidden field 2014-11-24
Hambleton, Robert F (RHamble citgo com)
I completely agree. Even with just the last 4 digits, the application needs to have a role based security framework, the pages should be non-caching and SSL should be utilized. This would be for intranet and internet based applications, traffic can be sniffed on any network.

-----Original Mes

[ more ]  [ reply ]
RE: Social Security Number in Hidden field 2014-11-24
Jeffory Atkinson (jatkinson zelvin com)
In this day and age the SSN should never be a hidden variable. SSN should be treated nearly like a password. If an application needs the SSN for some sort of operations it should be masked and indexed on the back end. (Ie. if the application is providing the SSN number it should look something like xxx

[ more ]  [ reply ]
Re: concurrent logins 2014-11-24
Robin Wood (robin digi ninja)
On 24 November 2014 at 08:03, Stephen de Vries
<stephen (at) continuumsecurity (dot) net> wrote:
>> The reason I was thinking about this is the thing I was reading was
>> suggesting to prevent session hijacking that concurrent logins should
>> not be allowed, 2FA stops actual logins but not hijacks.
>
>
> Sess

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-24
Antti Virtanen (Antti Virtanen solita fi)
For a similar reason I have also implemented such a feature once. The
customer was fully aware that the information is not really safe, but they
wanted to prevent casual observer from seeing such information. In modern
office environments the observer doesn't need to be in close proximity and

[ more ]  [ reply ]
Re: concurrent logins 2014-11-24
Stephen de Vries (stephen continuumsecurity net)
> The reason I was thinking about this is the thing I was reading was
> suggesting to prevent session hijacking that concurrent logins should
> not be allowed, 2FA stops actual logins but not hijacks.

Session hijacking is only possible after some other vulnerability in the site is exploited, e.g.

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-24
Lorne Kates (lkates gmail com)
I once coded an admin page like this. Admins had to have access to
SSNs (or SIN, since it was a Canadian company) of applicants. But
they didn't want the SSN on the screen all the time. So a button was
added that de-masked the SSN when clicked.

The company was fully aware that visually hiding th

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
Abhay Rana (capt n3m0 gmail com)
No, putting it in a hidden field is the same as showing it to a tech-savvy
admin. Unless admins are supposed to see the SSN (and are authorized
to), there is no reason for it to be in a hidden field.

If you really need it there (for some future requests in the form), it
might be better to instead put t

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
snipe (snipe snipe net)
I can't think of a single legitimate reason why SS# should be in a hidden field.

As to whether it's a security risk, that depends on whether the intranet app is accessible from the outside world, whether it runs over SSL, etc. Does the hidden field only show up for admins? Given what seems like

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
Robin Wood (robin digi ninja)
Is there any reason for the SSN being included in the page? Is it
used, i.e. can it be edited on the page?

If not it shouldn't be there by the sound of it.

Robin

On 23 November 2014 at 20:12, Jyotiranjan Acharya
<jyotiranjan121 (at) gmail (dot) com> wrote:
> Hello,
>
> There is an application which is prese

[ more ]  [ reply ]
Social Security Number in Hidden field 2014-11-23
Jyotiranjan Acharya (jyotiranjan121 gmail com)
Hello,

There is an application which is present in an intranet. When the
admin of the application loads the user information page, a field
called SSN appears. It shows ###-##-####. But the actual SSN remains
in a hidden field.

Do you think there is a security issue with this?

Regards
Jyo

[ more ]  [ reply ]
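The thread's consensus (Jeffory: mask it and index it on the back end; Abhay: if the form needs it later, send something other than the SSN; Lorne: a de-mask action for authorised admins) can be put together as one small server-side design. This is an added example, not code from any of the posts: the page receives only the masked string and an opaque reference bound to the session by an HMAC, and the full value comes back only from an authorised, audited call. The record store, the role name `ssn_reader`, the session ids and the audit list are all constructed for the example.

```python
"""Keeping a sensitive value (here an SSN) out of the HTML: the page gets a
masked display string plus an opaque, per-session reference; the full value
is returned only by an authorised, audited server-side call.  Added example;
the record store, roles and audit sink are constructed, not from the thread."""
import hashlib
import hmac
import secrets

# Constructed back-end record store and a server-side key used to bind
# references to a session (assumption: the real app keeps both server-side).
_RECORDS = {"u123": {"name": "A. Applicant", "ssn": "123-45-6789"}}
_REF_KEY = secrets.token_bytes(32)


def mask_ssn(ssn: str) -> str:
    """Show only the last four digits, as the thread recommends."""
    return "xxx-xx-" + ssn[-4:]


def make_ref(user_id: str, session_id: str) -> str:
    """Opaque reference for the form: an HMAC over (user, session).  It
    carries no SSN bits and verifies only for the session that issued it."""
    mac = hmac.new(_REF_KEY, f"{user_id}|{session_id}".encode(), hashlib.sha256)
    return user_id + "." + mac.hexdigest()[:32]


def check_ref(ref: str, session_id: str) -> str:
    """Return the user_id a reference points at; raise if forged or replayed
    from another session."""
    user_id, _, _tag = ref.partition(".")
    if not hmac.compare_digest(make_ref(user_id, session_id), ref):
        raise PermissionError("reference not valid for this session")
    return user_id


def render_user_page(user_id: str, session_id: str) -> dict:
    """Everything the browser gets: the masked value and a reference,
    never the SSN itself (so no hidden field can leak it)."""
    rec = _RECORDS[user_id]
    return {"name": rec["name"],
            "ssn_display": mask_ssn(rec["ssn"]),
            "ssn_ref": make_ref(user_id, session_id)}


def reveal_ssn(ref: str, session_id: str, actor: str, roles: set, audit: list) -> str:
    """Back end of the 'de-mask' button: validate the reference, enforce the
    role, write an audit entry, and only then return the full value."""
    user_id = check_ref(ref, session_id)
    if "ssn_reader" not in roles:
        audit.append(f"DENY actor={actor} user={user_id}")
        raise PermissionError("role ssn_reader required")
    audit.append(f"REVEAL actor={actor} user={user_id}")
    return _RECORDS[user_id]["ssn"]


if __name__ == "__main__":
    log = []
    page = render_user_page("u123", "sess1")
    print(page)                                   # masked value + opaque reference
    print(reveal_ssn(page["ssn_ref"], "sess1", "admin1", {"ssn_reader"}, log))
    print(log)
```

The reveal response should additionally be sent with `Cache-Control: no-store` and over TLS, which is Robert's point about non-caching pages and sniffable networks; the reference does not protect against those on its own.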
Copyright 2010, SecurityFocus