Web Application Security (Page 2 of 333)
Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
On 2014-11-14 13:41, Simon Ward wrote:
> The impact should really be none, since there is none if you can't
> manipulate the browser or plugin to create your dodgy request in the
> first place. If we're treating it as a vulnerability and fudging the
> CVSS scores for it then I might give it a partia

Re: RES: rating TRACE 2014-11-13
Robin Wood (robin digi ninja) (2 replies)
The general consensus seems to be low, apparently a QualysGuard
scanner (which is ASV approved I've been told) rates it as
informational and some, like Vivir, rate it as medium.

Such a simple issue and such a wide discrepancy of reporting levels
all with their own justifications. Makes me feel sorry

Re: RES: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: RES: rating TRACE 2014-11-13
Martino Dell'Ambrogio (tillo tillo ch)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:24, Andrew van der Stock <vanderaj (at) greebo (dot) net> wrote:
> Once you plug in the rest of CVSS and get past the base score, it turns out
> it's CVSS rating 1.0, which is where I believe it to be.
>
> CVSS v2 Vector
> (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/A

Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja) (1 replies)
On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com> wrote:
> The Java applet thing is because it can send a cross-domain TRACE request.
> You would need the victim to visit a site you control first, which would
> then send the cross-domain TRACE to the target site, revealing your HTTPO

RE: rating TRACE 2014-11-12
Kenneth Kron (kenneth kron truvantis com)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com> wrote:
> I added this link to that OWASP page a while back which explains the Java
> applet method -
> http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
>
> Not sure if it still works though, haven't read that p

rating TRACE 2014-11-12
Robin Wood (robin digi ninja) (3 replies)
I've always given TRACE enabled a rating of low in my reports and I
know other testers who don't even bother reporting it, but a client has
asked for a CVSS score for it and in Googling I found that Rapid 7
rate it as a 6.0, that is the high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http

Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE 2014-11-13
Seth Art (sethsec gmail com) (1 replies)
Re: rating TRACE 2014-11-14
Manolis Mavrofidis (mmavrofides gmail com)
RES: rating TRACE 2014-11-12
Fábio Soto (fabio andradesoto com br)
Re: New tool HTTP Traceroute 2014-11-12
Robin Wood (robin digininja org)
On 12 November 2014 06:32, oxdef <oxdef (at) oxdef (dot) info> wrote:
> Robin, what is the difference between your tool and curl -v/i?

I'd like to think slightly nicer output, checking for invalid SSL/TLS
certs, dumping cert info (will get better when I get time), checking
for long bodies on redirects. Being

Re: New tool HTTP Traceroute 2014-11-04
Robin Wood (robin digininja org)
On 4 November 2014 23:19, Wayland Morgan <dotwayland (at) gmail (dot) com> wrote:
> How is the tool doing SSL checks? I seem to be getting invalid cert warnings
> while doing queries in the tool on sites that show as valid in a browser.
> operator error?

Using the Ruby gem's built in checking, can you give me

[Appcheck-NG] Unpatched Vulnerabilities in Magento E-Commerce Platform 2014-11-04
AppCheck_Advisories (advisories appcheck-ng com)
On April 8th 2014, AppCheck reported several Cross Site Scripting Vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported.

However, since more than 6 months have passed and no fix is yet avail

Secure iFrames 2014-11-03
NightShade (avghacker gmail com) (2 replies)
Was hoping to get some feedback on what everyone feels are best
practices around securing iFrames. I've seen a lot of payment platforms
moving in this direction (ie. Gumroad, Stripe, Memberful) yet with
little documentation around "here is the best way to secure the iFrame
our JavaScript genera

Re: Secure iFrames 2014-11-05
David Ford (david blue-labs org)
Re: Secure iFrames 2014-11-04
Dave Pyper (davepyper davepyper com) (2 replies)
Re: Secure iFrames 2014-11-05
David Ford (david blue-labs org)
Re: Secure iFrames 2014-11-04
Tim Brown (tmb 65535 com)
CFP: Fourth ICEEE2015 - International Conference on E-Learning and E-Technologies in Education 2014-11-03
Conference Updates (jackie sdiwc info)
The Fourth International Conference on E-Learning and E-Technologies in
Education (ICEEE2015)

Surya University, Indonesia (21 KM from Jakarta Airport)
September 10-12, 2015
http://sdiwc.net/conferences/iceee2015/

The proposed conference on the above theme will be held at Surya
University, Indone

New tool HTTP Traceroute 2014-11-03
Robin Wood (robin digininja org) (2 replies)
I've just released a new tool, HTTP Traceroute. This tool takes a URL
and follows any redirects from it till it reaches the end of the line.
At each stage it shows all headers and cookies, and warns about long
bodies and bad SSL certificates.

Hopefully it will be useful when you get large redirect chai

Re: New tool HTTP Traceroute 2014-11-04
Robin Wood (robin digininja org)
Re: New tool HTTP Traceroute 2014-11-03
Jeremiah Cornelius (jeremiah nur net)
Security and Communication Networks - Special Issue on Software Defined Networking Security 2014-10-31
Gregory Blanc (gregory blanc gmail com)
[Apologies if you receive multiple copies of this message]
* Wiley's Security and Communication Networks (SCN) *
** Special Issue on Software Defined Networking Security **

Recent years have witnessed the rapid development of software-defined networking
(SDN), which transfers essential networking f

[Deadline Extension] CFP COMCOM, Elsevier: SI on Security and Privacy in Unified Communications: Challenges and Solutions, Manuscript Due November 21, 2014 2014-10-31
Georgios Karopoulos (georgios karopoulos gmail com)
[Apologies if you receive multiple copies of this message]

Manuscript submission: extended to November 21, 2014

========================================================================

*Call for Papers*

Computer Communications Journal, Elsevier
(Current Impact Factor: 1.352)

Special Issue on:
S

Administrivia: Trouble Ticket Systems subscribing to this list and unsubscribe requests 2014-10-23
Andrew van der Stock (vanderaj greebo net)
Hi there,

I have become aware of a number of you subscribing trouble ticketing
systems to this mail list. Robin (@digininja) has managed to find
someone to start helping us.

I will - with some luck - be getting access to the admin panel, and if
that happens, I will be unsubscribing any trouble tic

Copyright 2010, SecurityFocus