Web Application Security
(Page 3 of 332)  < Prev  1 2 3 4 5 6 7 8 9 10 11  Next >
Ruxcon 2014 Final Call For Presentations 2014-07-15
cfp ruxcon org au
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Final Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th of October

IJDSN SI on Research Advances in Security and Privacy for Smart Cities 2014-07-12
Georgios Kambourakis (gkamb aegean gr)
*Deadline is approaching*

International Journal of Distributed Sensor Networks (Impact factor: 0.727)
*Special Issue on Research Advances in Security and Privacy for Smart
Cities*
Online version of CFP: http://www.hindawi.com/journals/ijdsn/si/239803/cfp/

Security for smart cities is considered to

t2'14: Call for Papers 2014 (Helsinki / Finland) 2014-05-19
Tomi Tuominen (tomi tuominen t2 fi)
#
# t2'14 - Call For Papers (Helsinki, Finland) - October 23 - 24, 2014
#

Do you feel like Las Vegas is too hot, Berlin too bohème, Miami too humid, Singapore too clean and Pattaya just totally confusing? No worries! Helsinki will be the perfect match for you - guaranteed low temperature, high

Re: Worst news story I have ever read 2014-05-16
Mark Litchfield (mark securatary com)
Update - SCMagazine (Steve Gold) has kindly removed the story. Thank you.

Also thanks to everyone that responded directly to me.

All the best

Mark

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website

Worst news story I have ever read 2014-05-15
Mark Litchfield (mark securatary com)
Worst article I have ever read, would expect a lot better from SC
Magazine. At least understand what you are writing about !!

http://www.scmagazineuk.com/make-money-from-paypal--but-not-legally/article/347142/

"Mark Litchfield, a researcher with Securatary, meanwhile, says he has
spotted a simil

PayPal Manager Admin Account Hijack 2014-05-15
Mark Litchfield (mark securatary com) (1 replies)
Hi All,

I have just released a new vulnerability at
http://www.securatary.com/vulnerabilities outlining a hack on
http://manager.paypal.com that in the end allowed full admin access.

PayPal were very quick to fix this issue, so nice job PayPal Security /
Engineering team

--
All the best

Mark

Re: PayPal Manager Admin Account Hijack 2014-05-15
Daniel Kester (dekester usgs gov)
Breakpoint 2014 Call For Presentations 2014-05-07
cfp ruxcon org au
Breakpoint 2014 Call For Papers
Melbourne, Australia, October 8th-9th
Intercontinental Rialto
http://www.ruxconbreakpoint.com

.[x]. Introduction .[x].

The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2014.

Breakpoint showcases the work of expert security researchers from a

Ruxcon 2014 Call For Papers 2014-05-05
cfp ruxcon org au
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th
of October at the CQ Function Cent

SpiderFoot 2.1.4 released 2014-04-28
Steve Micallef (steve binarypool com)
Hi all,

SpiderFoot 2.1.4 is now available, and will be the last enhancement
release on the 2.1 branch as I focus on 2.2. SpiderFoot is an open
source footprinting and intelligence gathering tool, written in Python
and runs on Linux, *BSD and Windows.

Since 2.1.0 was announced here in January, t

OWASP ZAP 2.3.0 2014-04-10
psiinon (psiinon gmail com)
Hi folks,

OWASP ZAP 2.3.0 is now available :
http://code.google.com/p/zaproxy/wiki/Downloads?tm=2

Quick summary of the main changes:

* A ZAP 'lite' version in addition to the existing 'full' version
* View, intercept, manipulate, resend and fuzz client-side (browser) events
* Enhanced authenticat

Re: Web Application Vulnerability Categorization 2014-04-02
m@d m0nk (th3madm0nk gmail com)
Thank you guys - got the idea.

On Wed, Apr 2, 2014 at 7:10 PM, Eric Schultz <fire0088 (at) gmail (dot) com [email concealed]> wrote:
> It's important to note that you described two different findings.
>
> 1. Password recovery is brute-forceable. If you stuck with OWASP, the broken
> auth category is the best fit. Check if your

Re: Web Application Vulnerability Categorization 2014-04-01
Seth Art (sethsec gmail com) (1 replies)
m0nk,

This CWE fits pretty closely: CWE-640: Weak Password Recovery
Mechanism for Forgotten Password -
http://cwe.mitre.org/data/definitions/640.html

-Seth

On Tue, Apr 1, 2014 at 2:24 PM, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> m0nk,
>
> This CWE fits pretty closely: CWE-640: Weak Password Recovery

Re: Web Application Vulnerability Categorization 2014-04-02
Dave Ferguson (gmdavef gmail com)
Web Application Vulnerability Categorization 2014-04-01
m@d m0nk (th3madm0nk gmail com)
Hello Team,

Greetings!!!

I have a web app with a password recovery option. There is a secret
question and if the user enters the correct answer to the secret
question, the username and password is provided to the user.

If the password recover page / module allows multiple tries
(brute-force and

Administrivia: Excessive CC's 2014-03-15
Andrew van der Stock (vanderaj greebo net)
Hi there,

There's a really useful question that I've rejected (along with a
great answer) as the question has about one bazillion security lists
in the To list.

I'd love to publish more discussions here and revitalise the list, but
not by accepting a massive DDoS mail loop in the making, or
req

Hacking in Schools 2014-02-25
Pete Herzog (lists isecom org)
How to teach hacking in school and open up education:

https://opensource.com/education/14/2/teach-hacking-schools-open-education

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete (at) isecom (dot) org [email concealed]
ISECOM - Institute for Security and Open Methodologies

Need impartial, expert advice? Request a

Google XXE Vulnerability 2014-02-21
Mark Litchfield (mark securatary com)
Hi All,

There was an XML external entity vulnerability within Google's Public
data explorer. This was submitted to Google as part of their Bug Bounty
Program.

For the full write up with screen shots -
http://www.securatary.com/vulnerabilities

--
All the best

Mark Litchfield
http://www.secura

44CON 2014 September 11th - 12th CFP Open 2014-02-21
Steve (steve 44con com)
44CON is the UK's largest combined annual Security Conference and
Training event. Taking place on the 11th and 12th of September at the
ILEC Conference Centre near Earls Court, London, we will have a fully
dedicated conference facility, including catering, private bar and daily
Gin O'Clock break

PHP wrapper question 2014-02-18
Mark Litchfield (mark securatary com)
Reaching out for some help / ideas.

I have an XXE that works but when processing large files it fails

For example, the below attack will work sending to my instance of Netcat
the base64 encoded string of win.ini. A nice POC, but not exactly what
I am looking. (We are using base64 to ensure any

Shopify (Bug Bounty) - XML External Entity Vulnerability 2014-02-17
Mark Litchfield (mark securatary com)
Shopify suffered from an XXE attack within their online stores domain -
*.myshopify.com

They were extremely quick in confirming and fixing the issue (even
though it was a Sunday).

Full details with the usual screen shots can be found at
http://www.securatary.com

--
All the best

Mark Litchfie

OWASP Xenotix XSS Exploit Framework V5 Released 2014-02-13
Ajin Abraham (ajin25 gmail com)
Hello,
Happy Valentines day wishes. I am glad to inform that, OWASP
Xenotix XSS Exploit Framework V5 is Released.

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site
Scripting (XSS) vulnerability detection and exploitation framework. It
provides Zero False Positive scan results wit

Ebay, Inc Bug Bounty - GoStoreGo Administrative Authentication Bypass to all online stores 2014-02-12
Mark Litchfield (mark securatary com)
This attack allowed for a cross store (so essentially unauthenticated,
as we have not authenticated to our target store) privilege escalation
attack creating an administrative user on any *.gostorego.com store.

As indicated by their own website, there are over 200,000 active
stores. This attack a

International Journal of Distributed Sensor Networks (IF 0.727): Special Issue on Research Advances in Security and Privacy for Smart Cities 2014-02-09
Georgios Kambourakis (gkamb aegean gr)
[My apologies if you receive multiple copies of this message.]

Call for articles for International Journal of Distributed Sensor
Networks (IF 0.727)

Special Issue on
Research Advances in Security and Privacy for Smart Cities

http://www.hindawi.com/journals/ijdsn/si/239803/cfp/

Security for smar

Damn Vulnerable IOS App v1.0 launched 2014-02-04
Prateek Gianchandani (prateek searchingeye gmail com)
Hi All,

It gives me great pleasure to announce v1.0 of Damn Vulnerable IOS
Application http://damnvulnerableiosapp.com

Damn Vulnerable IOS App (DVIA) is an IOS application that is damn
vulnerable. Its main goal is to provide a platform to mobile security
enthusiasts/professionals or stu

SmarterMail All Versions - Stealing other Users Emails 2014-02-03
Mark Litchfield (mark securatary com)
This attack allows an authenticated SmarterMail user to read other users'
emails.

I tried to contact Smartmail with the usual security email aliases,
apparently they do not have any. I posted to their forum for a contact
and all I got was an email stating check you are running the latest
versio

RE: Smarter Mail All Versions - Privilege Escalation 2014-02-04
Martin O'Neal (martin oneal corsaire com)

> Maybe they should consider a more different
> approach to people trying to report security issues

Hi Mark,

These probably don't need to be cross posted to all the lists. How about just keeping it to bugtraq where most people drop their vulns?

Martin...

Smarter Mail All Versions - Privilege Escalation 2014-02-03
Mark Litchfield (mark securatary com)
This attack will allow a regular SmarterMail user to elevate their
privileges to Domain Administrator.

I tried to contact Smartmail with the usual security email aliases,
apparently they do not have any. I posted to their forum for a contact
and all I got was an email stating check you are runn

Ektron CMS TakeOver Part (2) - PayPal-Forward.com demonstration 2014-02-03
Mark Litchfield (mark securatary com)
As previously stated, I would post an update for Ektron CMS bypassing
the security fix.

A full step by step with the usual screen shots can be found at -
http://www.securatary.com/vulnerabilities

In this example, we use www.paypal-forward.com as a demonstration site.
I would like to say that P

Ektron CMS Take Over - Hijacking Accounts 2014-01-30
Mark Litchfield (mark securatary com)
I have detailed a vulnerability within Ektron CMS that allows an
unauthenticated user to hijack any account. The clear targets of choice
for this CMS would be the builtin or admin account.

Whilst I found this issue back in 2012, it appears that around 65% are
still vulnerable and should be patc

Copyright 2010, SecurityFocus