Web Application Security
(Page 1 of 333)
nullcon HackIM Challenge 9-11 Jan 2015 2014-12-29
nullcon (nullcon nullcon net)
Namaste Ninjas,

Seasons greetings!
We are back for the 6th time in Goa. nullcon 666 welcomes you to the
beastly devilish conference.
As nullcon is getting near, we are excited and ready to announce the
registration for HackIM CTF. Details at http://ctf.nullcon.net This
time HackIM is powered by EMC and

File Upload with changed extension 2014-12-02
Jyotiranjan Acharya (jyotiranjan121 gmail com) (2 replies)
If you are able to upload a file with a changed extension, then will
that be a problem?
For example, you cannot, in any way, upload a .exe or .php/.jsp/.asp
file directly into a web app, but you can by changing their extension
to .JPG. What is the risk in such a case?

Re: File Upload with changed extension 2014-12-04
Michal Zalewski (lcamtuf coredump cx) (1 replies)
Re: File Upload with changed extension 2014-12-04
Robin Wood (robin digi ninja)
Re: File Upload with changed extension 2014-12-03
Guillermo Caminer (flaco webappsec gmail com) (1 replies)
Re: File Upload with changed extension 2014-12-03
Tobias Wassermann (mail tobias-wassermann de) (1 replies)
Re: File Upload with changed extension 2014-12-03
Seth Art (sethsec gmail com) (1 replies)
Re: File Upload with changed extension 2014-12-04
Paul Burbage (paul k burbage gmail com)
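
The question above asks what a renamed script can do once it sits on the server. A renamed .php file is inert as long as nothing ever interprets it by content: the risk appears when the upload directory has script execution enabled and the server maps the file by something other than its last extension, when another part of the application includes or evaluates a file from the upload path, or when a browser content-sniffs the response into HTML. The following is an added example, not code from the thread or from any of the repliers, showing the naive check the question describes next to a hardened one. The sample uploads are constructed for the example, and the signature and script-marker lists are this example's own assumptions.

```python
import secrets

# Constructed sample uploads for this example (not real files). The JPEG and
# PNG bodies are minimal valid signatures padded with zeros; "shell.jpg" is a
# PHP file renamed to .jpg as in the question, and "poly.jpg" is a JPEG
# signature followed by PHP in what a decoder would treat as a comment segment.
SAMPLE_UPLOADS = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "shell.jpg": b"<?php system($_GET['cmd']); ?>",
    "poly.jpg": b"\xff\xd8\xff\xfe\x00\x24<?php system($_GET['cmd']); ?>" + b"\x00" * 8,
    "shell.php": b"<?php system($_GET['cmd']); ?>",
}

# Allowed extensions and the file signature each one must start with
# (assumed allow-list for this example).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte sequences that have no business inside an image and that a server
# would act on if it ever executed or included the file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"#!")


def extension(filename: str) -> str:
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def naive_check(filename: str) -> bool:
    """The check the question describes: trust the client's extension alone."""
    return extension(filename) in MAGIC


def hardened_check(filename: str, data: bytes) -> tuple:
    """Accept only when the extension is on the allow-list, the leading bytes
    carry that format's signature, and no script marker appears anywhere in
    the body. Returns (accepted, reason)."""
    ext = extension(filename)
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    body = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in body:
            return False, "script marker inside image body"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Discard the client's name entirely: random name plus the one validated
    extension, so shell.php.jpg cannot keep a .php component on disk."""
    return f"{secrets.token_hex(16)}.{extension(filename)}"


def evaluate(uploads=SAMPLE_UPLOADS) -> dict:
    """Run both checks over every sample; returns {name: (naive, hardened)}."""
    return {name: (naive_check(name), hardened_check(name, data)[0])
            for name, data in uploads.items()}
```

The signature check alone is not enough, which is why the polyglot sample is included: a file can be a valid JPEG and still carry PHP, so the body scan and a server-side rename are both needed, and the upload directory should still be served with script execution disabled, ideally from a separate origin.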
Tizen 2.2.1 WebKit Address Spoofing Vulnerability 2014-12-02
Ajin Abraham (ajin25 gmail com)
<!--
Title: Tizen 2.2.1 WebKit Address Spoofing Vulnerability
Author: Ajin Abraham | @ajinabraham
Website: http://opensecurity.in
Affected Product: Tizen Default Browser
Affected Version: Tizen 2.2.1
Video Demo: https://www.youtube.com/watch?v=QKbTSxlCX7c

-->
<html>
<head><title>Tizen Browser - Add

Re: concurrent logins 2014-11-24
Stephen de Vries (stephen continuumsecurity net) (1 replies)
> The reason I was thinking about this is the thing I was reading was
> suggesting to prevent session hijacking that concurrent logins should
> not be allowed, 2FA stops actual logins but not hijacks.

Session hijacking is only possible after some other vulnerability in the site is exploited, e.g.

Re: concurrent logins 2014-11-24
Robin Wood (robin digi ninja)
Social Security Number in Hidden field 2014-11-23
Jyotiranjan Acharya (jyotiranjan121 gmail com) (1 replies)
Hello,

There is an application which is present in an intranet. When the
Admin of the application loads the user information page, a field
called SSN appears. It shows ###-##-####. But the actual SSN remains
in a hidden field.

Do you think there should be a security issue with this?

Regards
Jyo

Re: Social Security Number in Hidden field 2014-11-23
Robin Wood (robin digi ninja) (1 replies)
Re: Social Security Number in Hidden field 2014-11-23
snipe (snipe snipe net) (1 replies)
Re: Social Security Number in Hidden field 2014-11-23
Abhay Rana (capt n3m0 gmail com) (2 replies)
RE: Social Security Number in Hidden field 2014-11-24
Jeffory Atkinson (jatkinson zelvin com) (1 replies)
RE: [EXT] RE: Social Security Number in Hidden field 2014-11-24
Hambleton, Robert F (RHamble citgo com)
Re: Social Security Number in Hidden field 2014-11-24
Lorne Kates (lkates gmail com) (1 replies)
Re: Social Security Number in Hidden field 2014-11-24
Antti Virtanen (Antti Virtanen solita fi)
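
The masking in the question above happens in the browser's rendering only; the raw response still carries the real value, which is what a proxy, "view source", or anyone on the intranet path sees. The following is an added example, not code from the thread, with the leaky render beside the fixed one and the check a tester would run over the response body. The record, field names and the SSN-shaped regex are constructed for this example.

```python
import re
from html.parser import HTMLParser

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed record for this example; not a real SSN.
USER_RECORD = {"id": 42, "name": "J. Doe", "ssn": "123-45-6789"}


def mask_ssn(ssn: str) -> str:
    """Masking done on the server; the real value never leaves it."""
    return "###-##-####" if SSN_RE.match(ssn) else ssn


def render_user_page(record: dict, leak_in_hidden_field: bool) -> str:
    """leak_in_hidden_field=True reproduces the pattern described in the
    question; False is the fix: the form carries only the record id, and the
    server looks the SSN up again on submit instead of round-tripping it."""
    parts = [
        "<html><body><form method='post'>",
        f"<p>Name: {record['name']}</p>",
        f"<p>SSN: {mask_ssn(record['ssn'])}</p>",
        f"<input type='hidden' name='id' value='{record['id']}'>",
    ]
    if leak_in_hidden_field:
        parts.append(f"<input type='hidden' name='ssn' value='{record['ssn']}'>")
    parts.append("</form></body></html>")
    return "".join(parts)


class HiddenFieldScanner(HTMLParser):
    """Collects hidden inputs whose value looks like an SSN."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and SSN_RE.match(a.get("value", "")):
            self.findings.append((a.get("name", ""), a["value"]))


def find_hidden_ssns(html: str) -> list:
    """The tester's check: parse the raw response body, not what the browser
    displays, and report hidden fields carrying SSN-shaped values."""
    scanner = HiddenFieldScanner()
    scanner.feed(html)
    return scanner.findings
```

The same scan generalises to any field that is masked for display but needed again on submit: whatever the server needs later should be re-read from its own store using an identifier, never echoed back to the client in a hidden input.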
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 14:27, Aaron Sanders <malmoose37 (at) gmail (dot) com> wrote:
> Just thinking out loud (still haven't had coffee yet) but what about second
> factor? Is that in scope for this question? I would think you can allow all
> the concurrent sessions a user wants as long as all of them were valida

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 15:42, Paul Robinson <paul (at) iconoplex.co (dot) uk> wrote:
> On 19 November 2014 10:30, Robin Wood <robin (at) digi (dot) ninja> wrote:
>>
>> What are peoples opinions on allowing concurrent logins to web apps? I
>> suppose it depends on what the app is used for - forum, admin suite
>> etc - but do

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 16:41, Seth Art <sethsec (at) gmail (dot) com> wrote:
> As a user, I love how gmail does it, and I would love to see that more.
>
> As a tester, I personally treat this one as more of a recommendation than a
> finding in most cases. I find this one is difficult to defend in findings
> revi

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 18:22, Rogan Dawes <rogan (at) dawes.za (dot) net> wrote:
> You have been logged out, because someone has just logged in using your
> username and password. If this was you, please ignore this message.
>
> Otherwise, please change your password immediately, and contact our security
> depart

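
The concurrent-logins thread above turns on two policies: one active session per user, where a new login ends the old one and the old session is told why (the message Rogan Dawes quotes), and the Gmail-style alternative where sessions accumulate and the user can end the others. The following is an added example, not code from any of the posters, implementing both behind one server-side session table. The notice text is adapted from the quoted message; the token format, the IP field and the demo users are this example's own assumptions.

```python
import secrets
import time
from typing import Optional, Tuple

REVOKED_BY_NEW_LOGIN = ("You have been logged out because someone has just logged in "
                        "using your username and password. If this was you, ignore this "
                        "message; otherwise change your password immediately.")
REVOKED_BY_USER = "This session was ended from another device."


class SessionStore:
    """Server-side session table. With single_session=True a fresh login
    revokes every existing session of that user; with False, sessions
    accumulate and the user may end the others from a live session."""

    def __init__(self, single_session: bool = True):
        self.single_session = single_session
        self._sessions = {}   # token -> {"user": str, "created": float, "ip": str}
        self._revoked = {}    # token -> reason, delivered once to whoever presents it

    def sessions_for(self, user: str) -> list:
        return [t for t, s in self._sessions.items() if s["user"] == user]

    def _revoke(self, token: str, reason: str) -> None:
        self._sessions.pop(token, None)
        self._revoked[token] = reason

    def login(self, user: str, password_ok: bool, ip: str = "0.0.0.0") -> Optional[str]:
        if not password_ok:
            return None
        if self.single_session:
            for old in self.sessions_for(user):
                self._revoke(old, REVOKED_BY_NEW_LOGIN)
        token = secrets.token_urlsafe(32)   # fresh token per login, never reused
        self._sessions[token] = {"user": user, "created": time.time(), "ip": ip}
        return token

    def check(self, token: str) -> Tuple[Optional[str], Optional[str]]:
        """Returns (user, notice). user is None for a dead token; notice
        carries the revocation reason the first time the dead token appears,
        which is how the old browser learns it was logged out."""
        sess = self._sessions.get(token)
        if sess is not None:
            return sess["user"], None
        return None, self._revoked.pop(token, None)

    def logout_others(self, token: str) -> int:
        """From a live session, end every other session of the same user.
        Returns how many were ended."""
        sess = self._sessions.get(token)
        if sess is None:
            return 0
        others = [t for t in self.sessions_for(sess["user"]) if t != token]
        for t in others:
            self._revoke(t, REVOKED_BY_USER)
        return len(others)


def demo_single_session() -> tuple:
    """Someone logs in with the victim's password; the victim's session dies
    and the victim sees the notice on the next request."""
    store = SessionStore(single_session=True)
    victim = store.login("alice", True, ip="10.0.0.5")
    attacker = store.login("alice", True, ip="203.0.113.7")
    v_user, v_notice = store.check(victim)
    a_user, _ = store.check(attacker)
    return v_user, v_notice == REVOKED_BY_NEW_LOGIN, a_user


def demo_multi_session() -> tuple:
    """Concurrent sessions allowed; the user ends all others from one device."""
    store = SessionStore(single_session=False)
    laptop = store.login("bob", True, ip="10.0.0.8")
    phone = store.login("bob", True, ip="10.0.0.9")
    stray = store.login("bob", True, ip="198.51.100.2")
    before = len(store.sessions_for("bob"))
    ended = store.logout_others(laptop)
    return before, ended, store.check(phone)[0], store.check(stray)[0], store.check(laptop)[0]
```

Note what the single-session policy does and does not buy: it evicts a hijacker who logs in, but a hijacker who merely replays a stolen cookie holds the live session and it is the legitimate user's next login that evicts them, so the notice, not the eviction, is what turns the event into something the user can act on. Recording the IP per session is what lets a Gmail-style "other sessions" view show the user something meaningful before they choose to end them.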
Copyright 2010, SecurityFocus