Web Application Security
(Page 1 of 330)
IJDSN - Special Issue on Research Advances in Security and Privacy for Smart Cities 2014-08-07
Georgios Kambourakis (gkamb aegean gr)
International Journal of Distributed Sensor Networks (IF 0.923)
Special Issue on Research Advances in Security and Privacy for Smart Cities

*** SUBMISSION DEADLINE EXTENDED TO Sept. 19, 2014 ***

Security for smart cities is considered to embrace both urban security
subsystems and infrastructure s

nullcon CFP is open 2014-08-06
nullcon (nullcon nullcon net)
Dear Security Gurus,

6th year | CFP opens on 6th Aug 2014 | conference on 6th Feb 2015.

Welcome to nullcon 666! Bring out the beast in you.
http://en.wikipedia.org/wiki/666_(number)

We are happy to open the CFP. Time to tickle your gray cells and
submit your research.
Training: 4th-5th Feb 2015
C

6 new vulnerabilities 2014-07-29
Mark Litchfield123 (mark securatary com)
I have released details of six new Bug Bounty vulnerabilities, 5 of
which resulted in total payouts of $33,217.00. Usual write-ups with
step-by-step screen shots detailed.

I have chosen to move the content from securatary.com to now be hosted
on https://www.uzbey.com/bbp-funding the reasons for

Ruxcon 2014 Final Call For Presentations 2014-07-15
cfp ruxcon org au
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Final Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th of October

IJDSN SI on Research Advances in Security and Privacy for Smart Cities 2014-07-12
Georgios Kambourakis (gkamb aegean gr)
*Deadline is approaching*

International Journal of Distributed Sensor Networks (Impact factor: 0.727)
*Special Issue on Research Advances in Security and Privacy for Smart
Cities*
Online version of CFP: http://www.hindawi.com/journals/ijdsn/si/239803/cfp/

Security for smart cities is considered to

t2'14: Call for Papers 2014 (Helsinki / Finland) 2014-05-19
Tomi Tuominen (tomi tuominen t2 fi)
#
# t2'14 - Call For Papers (Helsinki, Finland) - October 23 - 24, 2014
#

Do you feel like Las Vegas is too hot, Berlin too bohème, Miami too humid, Singapore too clean and Pattaya just totally confusing? No worries! Helsinki will be the perfect match for you - guaranteed low temperature, high

Re: Worst news story I have ever read 2014-05-16
Mark Litchfield (mark securatary com)
Update - SCMagazine (Steve Gold) has kindly removed the story. Thank you.

Also thanks to everyone that responded directly to me.

All the best

Mark

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website

Worst news story I have ever read 2014-05-15
Mark Litchfield (mark securatary com)
Worst article I have ever read, would expect a lot better from SC
Magazine. At least understand what you are writing about!!

http://www.scmagazineuk.com/make-money-from-paypal--but-not-legally/article/347142/

"Mark Litchfield, a researcher with Securatary, meanwhile, says he has
spotted a simil

Re: PayPal Manager Admin Account Hijack 2014-05-15
Daniel Kester (dekester usgs gov)
Now that I think about it, we should make sure the WAFs are filtering this.

On Wed, May 14, 2014 at 06:48:19PM -0700, Mark Litchfield wrote:
> Date: Wed, 14 May 2014 18:48:19 -0700
> From: Mark Litchfield <mark (at) securatary (dot) com [email concealed]>
> Subject: PayPal Manager Admin Account Hijack
> To: webappsec@securityf

PayPal Manager Admin Account Hijack 2014-05-15
Mark Litchfield (mark securatary com)
Hi All,

I have just released a new vulnerability at
http://www.securatary.com/vulnerabilities outlining a hack on
http://manager.paypal.com that in the end allowed full admin access.

PayPal were very quick to fix this issue, so nice job PayPal Security /
Engineering team

--
All the best

Mark

Breakpoint 2014 Call For Presentations 2014-05-07
cfp ruxcon org au
Breakpoint 2014 Call For Papers
Melbourne, Australia, October 8th-9th
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2014.

Breakpoint showcases the work of expert security researchers from a

Ruxcon 2014 Call For Papers 2014-05-05
cfp ruxcon org au
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th
of October at the CQ Function Cent

SpiderFoot 2.1.4 released 2014-04-28
Steve Micallef (steve binarypool com)
Hi all,

SpiderFoot 2.1.4 is now available, and will be the last enhancement
release on the 2.1 branch as I focus on 2.2. SpiderFoot is an open
source footprinting and intelligence gathering tool, written in Python
and runs on Linux, *BSD and Windows.

Since 2.1.0 was announced here in January, t

OWASP ZAP 2.3.0 2014-04-10
psiinon (psiinon gmail com)
Hi folks,

OWASP ZAP 2.3.0 is now available :
http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Quick summary of the main changes:

* A ZAP 'lite' version in addition to the existing 'full' version
* View, intercept, manipulate, resend and fuzz client-side (browser) events
* Enhanced authenticat

Re: Web Application Vulnerability Categorization 2014-04-02
m@d m0nk (th3madm0nk gmail com)
Thank you guys - got the idea.

On Wed, Apr 2, 2014 at 7:10 PM, Eric Schultz <fire0088 (at) gmail (dot) com [email concealed]> wrote:
> It's important to note that you described two different findings.
>
> 1. Password recovery is brute-forceable. If you stick with OWASP, the broken
> auth category is the best fit. Check if your

Re: Web Application Vulnerability Categorization 2014-04-02
Dave Ferguson (gmdavef gmail com)
In terms of OWASP Top Ten, yes - I would categorize it under Broken
Auth & Session Management.

Also, check out the OWASP cheat sheet on this topic for helpful
remediation advice.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet

Dave

On Tue, Apr 1, 2014 at 1:27 PM, Seth Art <sethsec@gma

Re: Web Application Vulnerability Categorization 2014-04-01
Seth Art (sethsec gmail com)
m0nk,

This CWE fits pretty closely: CWE-640: Weak Password Recovery
Mechanism for Forgotten Password -
http://cwe.mitre.org/data/definitions/640.html

-Seth

On Tue, Apr 1, 2014 at 2:24 PM, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> m0nk,
>
> This CWE fits pretty closely: CWE-640: Weak Password Recovery

Web Application Vulnerability Categorization 2014-04-01
m@d m0nk (th3madm0nk gmail com)
Hello Team,

Greetings!!!.

I have a web app with a password recovery option. There is a secret
question and if the user enters the correct answer to the secret
question, the username and password are provided to the user.

If the password recovery page / module allows multiple tries
(brute-force and

Administrivia: Excessive CC's 2014-03-15
Andrew van der Stock (vanderaj greebo net)
Hi there,

There's a really useful question that I've rejected (along with a
great answer) as the question has about one bazillion security lists
in the To list.

I'd love to publish more discussions here and revitalise the list, but
not by accepting a massive DDoS mail loop in the making, or
req

Hacking in Schools 2014-02-25
Pete Herzog (lists isecom org)
How to teach hacking in school and open up education:

https://opensource.com/education/14/2/teach-hacking-schools-open-education

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete (at) isecom (dot) org [email concealed]
ISECOM - Institute for Security and Open Methodologies

Need impartial, expert advice? Request a

Google XXE Vulnerability 2014-02-21
Mark Litchfield (mark securatary com)
Hi All,

There was an XML external entity vulnerability within Google's Public
Data Explorer. This was submitted to Google as part of their Bug Bounty
Program.

For the full write up with screen shots -
http://www.securatary.com/vulnerabilities

--
All the best

Mark Litchfield
http://www.secura

44CON 2014 September 11th - 12th CFP Open 2014-02-21
Steve (steve 44con com)
44CON is the UK's largest combined annual Security Conference and
Training event. Taking place on the 11th and 12th of September at the
ILEC Conference Centre near Earls Court, London, we will have a fully
dedicated conference facility, including catering, private bar and daily
Gin O'Clock break

PHP wrapper question 2014-02-18
Mark Litchfield (mark securatary com)
Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat
the base64 encoded string of win.ini. A nice POC, but not exactly what
I am looking for. (We are using base64 to ensure any

Shopify (Bug Bounty) - XML External Entity Vulnerability 2014-02-17
Mark Litchfield (mark securatary com)
Shopify suffered from an XXE attack within their online stores domain -
*.myshopify.com

They were extremely quick in confirming and fixing the issue (even
though it was a Sunday).

Full details with the usual screen shots can be found at
http://www.securatary.com

--
All the best

Mark Litchfie

OWASP Xenotix XSS Exploit Framework V5 Released 2014-02-13
Ajin Abraham (ajin25 gmail com)
Hello,
Happy Valentines day wishes. I am glad to inform that, OWASP
Xenotix XSS Exploit Framework V5 is Released.

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site
Scripting (XSS) vulnerability detection and exploitation framework. It
provides Zero False Positive scan results wit

Ebay, Inc Bug Bounty - GoStoreGo Administrative Authentication Bypass to all online stores 2014-02-12
Mark Litchfield (mark securatary com)
This attack allowed for a cross store (so essentially unauthenticated,
as we have not authenticated to our target store) privilege escalation
attack creating an administrative user on any *.gostorego.com store.

As indicated by their own website, there are over 200,000 active
stores. This attack a

International Journal of Distributed Sensor Networks (IF 0.727): Special Issue on Research Advances in Security and Privacy for Smart Cities 2014-02-09
Georgios Kambourakis (gkamb aegean gr)
[My apologies if you receive multiple copies of this message.]

Call for articles for International Journal of Distributed Sensor
Networks (IF 0.727)

Special Issue on
Research Advances in Security and Privacy for Smart Cities

http://www.hindawi.com/journals/ijdsn/si/239803/cfp/

Security for smar

Damn Vulnerable IOS App v1.0 launched 2014-02-04
Prateek Gianchandani (prateek searchingeye gmail com)
Hi All,

It gives me great pleasure to announce v1.0 of Damn Vulnerable IOS
Application http://damnvulnerableiosapp.com

Damn Vulnerable IOS App (DVIA) is an IOS application that is damn
vulnerable. Its main goal is to provide a platform to mobile security
enthusiasts/professionals or stu

SmarterMail All Versions - Stealing other Users Emails 2014-02-03
Mark Litchfield (mark securatary com)
This attack allows an authenticated SmarterMail user to read other users'
emails.

I tried to contact SmarterMail with the usual security email aliases,
apparently they do not have any. I posted to their forum for a contact
and all I got was an email stating check you are running the latest
versio

RE: Smarter Mail All Versions - Privilege Escalation 2014-02-04
Martin O'Neal (martin oneal corsaire com)

> Maybe they should consider a more different
> approach to people trying to report security issues

Hi Mark,

These probably don't need to be cross posted to all the lists. How about just keeping it to bugtraq where most people drop their vulns?

Martin...


Copyright 2010, SecurityFocus