Web Application Security Mode:
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 16:41, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> As a user, I love how gmail does it, and I would love to see that more.
>
> As a tester, I personally treat this one as more of a recommendation than a
> finding in most cases. I find this one is difficult to defend in findings
> revi

Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 18:22, Rogan Dawes <rogan (at) dawes.za (dot) net [email concealed]> wrote:
> You have been logged out, because someone has just logged in using your
> username and password. If this was you, please ignore this message.
>
> Otherwise, please change your password immediately, and contact our security
> depart

Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
That is my number 3 but giving a warning when logging them out. Could
still result in a DoS and you'd have to either write very good copy on
the warning or train users what to do when that happens as I reckon
most would just click OK and then log back in again.

Robin

On 19 November 2014 14:14, Rog

RE: concurrent logins 2014-11-19
Martin O'Neal (martin oneal corsaire com) (1 replies)
For us, this is mostly about context. For all sites, some mechanism to report multiple logins back to the user is important for transparency, as is an audit trail entry.

But actually enforcing a single login is only really relevant to applications containing sensitive data.

Martin...

Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
concurrent logins 2014-11-19
Robin Wood (robin digi ninja) (6 replies)
What are people's opinions on allowing concurrent logins to web apps? I
suppose it depends on what the app is used for - forum, admin suite
etc - but do the protections from it add more problems than allowing
it?

Solutions I can see are:

1. Allow concurrent logins
2. Allow concurrent logins but rep

Re: concurrent logins 2014-11-19
Seth Art (sethsec gmail com)
Re: concurrent logins 2014-11-19
James Wright (jamfwright gmail com) (1 replies)
RE: concurrent logins 2014-11-19
Zaakiy Siddiqui (zaakiy nticon com au)
Re: concurrent logins 2014-11-19
Matt Konda (mkonda jemurai com)
Re: concurrent logins 2014-11-19
Arvind (arvind doraiswamy gmail com)
Re: concurrent logins 2014-11-19
DavidMeans833 (at) air-watch (dot) com [email concealed] (DavidMeans833 air-watch com)
Re: concurrent logins 2014-11-19
Irene Abezgauz (irene abezgauz gmail com) (1 replies)
RE: concurrent logins 2014-11-21
Nigel Ball (Nigel K Ball dsl pipex com) (1 replies)
AW: concurrent logins 2014-11-21
Wolfgang Abbas (wolfgang abbas de)
Re: RES: rating TRACE 2014-11-14
Robin Wood (robin digi ninja)
On 14 November 2014 11:38, Mike Antcliffe
<mikeantcliffe (at) logicallysecure (dot) com [email concealed]> wrote:
> I completely agree. And one of the biggest problems is that disparity
> between ratings on tests performed by different companies can cause trust
> issues.
>
> Until the entire industry is singing from the same hy

Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
On 2014-11-14 13:41, Simon Ward wrote:
> The impact should really be none, since there is none if you can't
> manipulate the browser or plugin to create your dodgy request in the
> first place. If we're treating it as a vulnerability and fudging the
> CVSS scores for it then I might give it a partia

Re: RES: rating TRACE 2014-11-13
Robin Wood (robin digi ninja) (2 replies)
The general consensus seems to be low; apparently a QualysGuard
scanner (which is ASV approved, I've been told) rates it as
informational and some, like Vivir, rate it as medium.

Such a simple issue and such a wide discrepancy of reporting levels
all with their own justifications. Makes me feel sorry

Re: RES: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: RES: rating TRACE 2014-11-13
Martino Dell'Ambrogio (tillo tillo ch)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:24, Andrew van der Stock <vanderaj (at) greebo (dot) net [email concealed]> wrote:
> Once you plug in the rest of CVSS and get past the base score, it turns out
> it's CVSS rating 1.0, which where I believe it to be.
>
> CVSS v2 Vector
> (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/A

Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja) (1 replies)
On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com [email concealed]> wrote:
> The Java applet thing is because it can send a cross-domain TRACE request.
> You would need the victim to visit a site you control first, which would
> then send the cross-domain TRACE to the target site, revealing your HTTPO

RE: rating TRACE 2014-11-12
Kenneth Kron (kenneth kron truvantis com)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com [email concealed]> wrote:
> I added this link to that OWASP page a while back which explains the Java
> applet method -
> http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
>
> Not sure if it still works though, haven't read that p
