Web Application Security (Page 10 of 332)
Passwords^12 : Call for Presentations 2012-04-15
Per Thorsheim (per thorsheim net)
For the third time I am happy to announce a Call for Presentations for
Passwords^12.

Passwords^12 will be held at the University of Oslo (Norway) on December
3-4, 2012. The 2-day conference will be free and open for anyone to
attend. Please do note that our primary audience will be academics and
se

winAUTOPWN v3.0 Released 2012-04-17
QUAKER DOOMER (quakerdoomer inbox lv)
Dear all,

This is to announce release of winAUTOPWN version 3.0

The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a
Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
C4 - WAST gives users the freedom to select individ

SEC Consult whitepaper :: The Source Is A Lie 2012-04-17
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab released a new whitepaper titled:
"The Source Is A Lie"

Abstract:
---------
Backdoors have always been a concern of the security community. In
recent years the idea of not trusting the developer has gained momentum
and manifested itself in various forms of source code

OWASP ZAP 1.4.0 released 2012-04-08
psiinon (psiinon gmail com)
Hi folks,

I'm very pleased to announce that version 1.4.0 of the OWASP Zed
Attack Proxy (ZAP) has now been released.

This release adds the following main features:
* Syntax highlighting
* fuzzdb integration
* Parameter analysis
* Enhanced XSS scanner
* A port of some of the Watcher checks
* Plugab

Re: Time based Blind SQL injection 2012-03-30
martin mngoma gmail com
Hi guys

Just off the topic, can any of you help me?

I need a vulnerability scanner that can scan WCF web services (Silverlight technologies), as Acunetix does not support WCF yet.

All help will be appreciated

Thanks

Martin

Sent from my BlackBerry® wireless device

-----Original Mess

Re: Time based Blind SQL injection 2012-03-29
Yiannis Koukouras (ikoukouras gmail com)
So, the only difference, from other tools out there, is the support of TAB(%09)?

Am I missing something?

Thanks for sharing! :)

Cheers,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
---

On

Re: Time based Blind SQL injection 2012-03-29
Yiannis Koukouras (ikoukouras gmail com)
Cool, I just wanted to be sure I didn't miss anything else...

Again thanx for sharing! :)

Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

On Thu, Mar 29, 2012 at 4:50 PM, Danux <danuxx@gmail.

winAUTOPWN v2.9 - As [ C4 - WAST ] 2012-03-21
QUAKER DOOMER (quakerdoomer inbox lv)
Dear all,

It has been more than 3 YEARS since the first version of winAUTOPWN.
This is to announce release of winAUTOPWN version 2.9

This version introduces an improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS
TRANSGRESSOR GUI [ C4 - WAST ]
C4 - WAST gives the user the freedom to select individ

FBController - (Facebook Control Utility) version 4.0 { With 0-DAY Features } 2012-03-15
QUAKER DOOMER (quakerdoomer inbox lv) (1 replies)
FBConTroller v4.0 - (Facebook Control Utility) version 4.0 - With 0-DAY Features

After an exile of almost 2 years and 3 months, FBController is back !
FBController - The Ultimate Utility to Control Facebook accounts without the Password is
now version 4.0

Let me clear this again like every time

[HITB-Announce] HITB2012AMS SIGINT - Call for Submissions 2012-03-08
Hafez Kamal (aphesz hackinthebox org)
This is a call for submissions for the HITB SIGINT sessions at
HITB2012AMS - The third annual HITB conference in Amsterdam taking place
at the Okura from the 21st - 25th of May.

The HITB SIGINT (Signal Intelligence/Interrupt) sessions are designed to
provide a quick 15 - 30 minute overview for mate

Re: Help with referer issues in XSS 2012-03-07
Yuping Li (lyp20062392 gmail com) (2 replies)
Hi,

Thanks for all your responses. The premise of my situation is that
there is an XSS bug in the site, and I want to utilize this vuln to do
something more, for example, forge some POST requests in my JS code;
you may recall the glorious "Samy" story here. But the server is now
checking the referer f

Re: Help with referer issues in XSS 2012-03-07
Benedetto Nespoli (benedetto nespoli gmail com)
RE: Help with referer issues in XSS 2012-03-07
Alan Tatourian (alan tatourian com)
Help with referer issues in XSS 2012-03-02
Yuping Li (lyp20062392 gmail com) (1 replies)
Hi, all

Suppose there is a reflected XSS vulnerability in a pop SNS, but this
site is "concerned" about security, so they check the referer field of
certain POST requests to make sure that they are normal and correct. Is
it possible for me to bypass this check within JavaScript? It seems
that I can't

Re: Help with referer issues in XSS 2012-03-06
gorka - (ray bradbury9 gmail com)
Re: [WEB SECURITY] Help with referer issues in XSS 2012-03-05
Stefano Di Paola (stefano dipaola wisec it)
Also check for:

5. www.example.com.attacker.com/.. as the referrer

just in case the referrer checking regexp is broken.

Cheers
Stefano

On Fri, 02/03/2012 at 18.30 -0800, super evr wrote:
> Here's a couple things to try that I've learned in my experience.
>
> First you can find o

RE: Directory Scanner 2012-02-14
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
Oops one last comment,

If you implement option 2, do not show different error messages when
the file exists or when the user cannot access it; show a generic "document is
not available for you" or similar message. Otherwise, enumeration is
still possible although you cannot have immediate access to the do

RE: Directory Scanner 2012-02-14
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
Darn, you are correct Henry, I guess I just read too fast.

Refocusing the answer, there are 2 alternatives I would suggest:

1. You can implement HTTP Digest/Challenge authentication (no BASIC
authentication please, unless you have SSL) on the files directory
2. If you have forms authentication, Imp

Re: Directory Scanner 2012-02-14
Taras (oxdef oxdef info)
IMHO, the topic starter needs to answer one question: what risk do
I want to reduce? Risk of unauthorized access to these *private* PDF
documents? OK, you need to implement authorization to access these pages.

09.02.2012 16:36, Vedantam Sekhar wrote:
> Hi,
>
> Probably you can implemen

RE: Directory Scanner 2012-02-13
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
I understand authentication to these documents is not an issue; what is
an issue is directory listing. IIS prevents this by default, so I assume
you are using Apache, Tomcat or another server. So the best way to
prevent this issue is to modify your .htaccess file to avoid listing
files:

Here is an ex

Re: Directory Scanner 2012-02-08
Alexander Pick (acpi mac com)
Another idea is to proxy your download URLs through a script and hide the real files outside the web root.

If you do it in PHP it's pretty simple (header + read file + a bit of security). Just make sure to make the script secure in terms of directory traversal etc.; many people hide their downloads f

SECURITY TOOLS TREE 2012-02-08
mc (mccansecure gmail com)
Hi All
I want to create a Security Tools Tree since it is very difficult to keep
track of all tools.
Please see this blog and help to generate the tree. Your suggestions are
valuable for the security professionals in the whole world.
Best Regards and thanks in advance.
Monika
http://securityontop.b

Re: SECURITY TOOLS TREE 2012-02-08
synja synfulvisions com
sectools.org
packetstormsecurity.org

On 2/8/12 10:30 AM, "mc" <mccansecure (at) gmail (dot) com [email concealed]> wrote:

>Hi All
>I want to create a Security Tools Tree since it is very difficult to keep
>track of all tools.
>Please see this blog and help to generate the tree. Your suggestions are
>valuable for the securit

Re: Directory Scanner 2012-02-09
Vedantam Sekhar (vedantamsekhar gmail com)
Hi,

Probably you can implement authentication to these pages, if you want
only specific users to be able to access these pages.
Or probably you can block the IP for a specific time period after
unsuccessful requests to non-existing files.

Thanks,

Sekhar

On Tue, Feb 7, 2012 at 11:19 PM, Thugzclub Thugzclub
<thu

Re: SECURITY TOOLS TREE 2012-02-09
Vedantam Sekhar (vedantamsekhar gmail com)
I was working on this some time back. Probably you can see the mind
map version of my work here:

https://docs.google.com/leaf?id=0Byob_Y-G0OZxYTQ2N2Q2YzgtMzRlOC00MzA3LWEzZTQtNmZkYjNhMDA3N2Y3&hl=en_US

Thanks,

Sekhar

On Thu, Feb 9, 2012 at 1:47 PM, gold flake <ptinstructor (at) gmail (dot) com [email concealed]> wrote:
>  A b

Re: SECURITY TOOLS TREE 2012-02-09
Christopher Siedlecki (christopher sied gmail com)
I think everybody in the security community has tried at least once in their
lifetime to put all their favorite tools into a nicely organized
fashion. It is a daunting experience, but worthwhile. There is quite
a good book which might be of interest to you: "Digital Forensics with
Open Source Tools" ISBN-10:

Mapping an application - Access control testing - Helper tool 2012-02-11
arvind doraiswamy (arvind doraiswamy gmail com)
Hi All,
Here is a very small tool that I recently wrote. This helps you when
you're mapping an application out and want a list of all the
combinations of access control that you want to check. So for example:
There are 5 menus that are accessible only to an Admin level user and
4 other types of user

Re: Apache Killer - take 2? 2012-01-23
Damiano Bolzoni (damiano bolzoni utwente nl)
On 1/23/12 2:40 PM, Anestis Bechtsoudis wrote:

> Apache byte-range killer uses many small byte-range chunks in a single
> request. So no, your attached request is not related to such an attack.

You are right, I didn't write it down properly...what I meant is
"doesn't it look like a clumsy way to ex

Copyright 2010, SecurityFocus