Abusing Password Managers with XSS (2012-04-25, mastah yeti, mastahyeti gmail com)
    New post on abusing password managers through xss. http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/ -- -mastahyeti [ more ]

[HITB-Announce] HITB Magazine Issue 008 (now with print edition!) (2012-04-23, Hafez Kamal, aphesz hackinthebox org)
    The 8th issue of the HITB Quarterly Magazine is now available for download! http://magazine.hitb.org/ This edition is a little bit 'lighter' than previous issues as the editorial team is busy working on an extra special release for our 10th year anniversary conference in October, HITBSecConf2012 - [ more ]

Ruxcon 2012 Call For Papers (2012-04-19, cfp ruxcon org au)
    Ruxcon 2012 Call For Papers. The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference. This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre, Melbourne, Australia. The deadline for submissions is the [ more ]

Passwords^12 : Call for Presentations (2012-04-15, Per Thorsheim, per thorsheim net)
    For the third time I am happy to announce a Call for Presentations for Passwords^12. Passwords^12 will be held at the University of Oslo (Norway) on December 3-4, 2012. The 2-day conference will be free and open for anyone to attend. Please do note that our primary audience will be academics and se [ more ]

winAUTOPWN v3.0 Released (2012-04-17, QUAKER DOOMER, quakerdoomer inbox lv)
    Dear all, This is to announce the release of winAUTOPWN version 3.0. The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend. C4 - WAST gives users the freedom to select individ [ more ]

SEC Consult whitepaper :: The Source Is A Lie (2012-04-17, SEC Consult Vulnerability Lab, research sec-consult com)
    SEC Consult Vulnerability Lab released a new whitepaper titled: "The Source Is A Lie". Abstract: Backdoors have always been a concern of the security community. In recent years the idea of not trusting the developer has gained momentum and manifested itself in various forms of source code [ more ]

OWASP ZAP 1.4.0 released (2012-04-08, psiinon, psiinon gmail com)
    Hi folks, I'm very pleased to announce that version 1.4.0 of the OWASP Zed Attack Proxy (ZAP) has now been released. This release adds the following main features: * Syntax highlighting * fuzzdb integration * Parameter analysis * Enhanced XSS scanner * A port of some of the Watcher checks * Plugab [ more ]

Re: Time based Blind SQL injection (2012-03-30, martin mngoma gmail com)
    Hi guys, just off the topic, can any of you help me? I need a vulnerability scanner that can scan WCF web services (Silverlight technologies) as Acunetix does not support WCF yet. All help will be appreciated. Thanks, Martin. Sent from my BlackBerry® wireless device -----Original Mess [ more ]

Re: Time based Blind SQL injection (2012-03-29, Yiannis Koukouras, ikoukouras gmail com)
    So, the only difference from other tools out there is the support of TAB (%09)? Am I missing something? Thanks for sharing! :) Cheers, Ioannis (Yiannis) Koukouras, CISSP, CISA, CISM, OSCP, MSc in Computer Systems Security, BEng in Electronic Engineering, http://www.linkedin.com/in/ikoukouras --- On [ more ]

Re: Time based Blind SQL injection (2012-03-29, Yiannis Koukouras, ikoukouras gmail com)
    Cool, I just wanted to be sure I didn't miss anything else... Again thanx for sharing! :) Ioannis (Yiannis) Koukouras, CISSP, CISA, CISM, OSCP, MSc in Computer Systems Security, BEng in Electronic Engineering, http://www.linkedin.com/in/ikoukouras On Thu, Mar 29, 2012 at 4:50 PM, Danux <danuxx@gmail. [ more ]

winAUTOPWN v2.9 - As [ C4 - WAST ] (2012-03-21, QUAKER DOOMER, quakerdoomer inbox lv)
    Dear all, It has been more than 3 YEARS since the first version of winAUTOPWN. This is to announce the release of winAUTOPWN version 2.9. This version introduces an improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ]. C4 - WAST gives the user the freedom to select individ [ more ]

FBController - (Facebook Control Utility) version 4.0 { With 0-DAY Features } (2012-03-15, QUAKER DOOMER, quakerdoomer inbox lv) (1 reply)
    FBConTroller v4.0 - (Facebook Control Utility) version 4.0 - With 0-DAY Features. After an exile of almost 2 years and 3 months, FBController is back! FBController - The Ultimate Utility to Control Facebook accounts without the Password is now version 4.0. Let me clear this again like every time [ more ]

Re: FBController - (Facebook Control Utility) version 4.0 { With 0-DAY Features } (2012-03-15, Alex, chaulis gmail com)

[HITB-Announce] HITB2012AMS SIGINT - Call for Submissions (2012-03-08, Hafez Kamal, aphesz hackinthebox org)
    This is a call for submissions for the HITB SIGINT sessions at HITB2012AMS - The third annual HITB conference in Amsterdam taking place at the Okura from the 21st - 25th of May. The HITB SIGINT (Signal Intelligence/Interrupt) sessions are designed to provide a quick 15 - 30 minute overview for mate [ more ]

Re: Help with referer issues in XSS (2012-03-07, Yuping Li, lyp20062392 gmail com) (2 replies)
    Hi, Thanks for all your responses. The premise of my situation is that there is an XSS bug in the site, and I want to utilize this vuln to do something more, for example, forge some POST requests in my JS code; you may recall the glorious "Samy" story here. But the server is now checking the referer f [ more ]

Help with referer issues in XSS (2012-03-02, Yuping Li, lyp20062392 gmail com) (1 reply)
    Hi all, Suppose there is a reflected XSS vulnerability in a pop SNS, but this site is "concerned" about security, so they check the referer field of certain POST requests to make sure that they are normal and correct. Is it possible for me to bypass this check within JavaScript? It seems that I can't [ more ]

Re: [WEB SECURITY] Help with referer issues in XSS (2012-03-05, Stefano Di Paola, stefano dipaola wisec it)
    Also check for: 5. www.example.com.attacker.com/.. as the referrer just in case the referrer checking regexp is broken. Cheers, Stefano. On Fri, 02/03/2012 at 18.30 -0800, super evr wrote: > Here's a couple things to try that I've learned in my experience. > > First you can find o [ more ]

RE: Directory Scanner (2012-02-14, Calderon, Juan Carlos (GE, Corporate, consultant), juan calderon ge com)
    Oops, one last comment. If you implement option 2, do not show different error messages when the file exists or when the user cannot access it; show a generic "document is not available for you" or similar message. Otherwise, enumeration is still possible although you cannot have immediate access to the do [ more ]

RE: Directory Scanner (2012-02-14, Calderon, Juan Carlos (GE, Corporate, consultant), juan calderon ge com)
    Darn, you are correct Henry, I guess I just read too fast. Refocusing the answer, there are 2 alternatives I would suggest: 1. You can implement HTTP Digest/Challenge authentication (no BASIC authentication please, unless you have SSL) on the files directory. 2. If you have forms authentication, imp [ more ]

Re: Directory Scanner (2012-02-14, Taras, oxdef oxdef info)
    IMHO, the topic starter needs to answer one question: what risk do I want to reduce? Risk of unauthorized access to these *private* PDF documents? OK, you need to implement authorization to access these pages. 09.02.2012 16:36, Vedantam Sekhar writes: > Hi, > > Probably you can implemen [ more ]

RE: Directory Scanner (2012-02-13, Calderon, Juan Carlos (GE, Corporate, consultant), juan calderon ge com)
    I understand authentication to these documents is not an issue; what is an issue is directory listing. IIS prevents this by default so I assume you are using Apache, Tomcat or another server. So the best way to prevent this issue is to modify your .htaccess file to avoid listing files. Here is an ex [ more ]

Re: Directory Scanner (2012-02-08, Alexander Pick, acpi mac com)
    Another idea is to proxy your download URLs through a script and hide the real files outside the web root. If you do it in PHP it's pretty simple (header + read file + a bit of security). Just make sure to make the script secure in terms of directory traversal etc.; many people hide their downloads f [ more ]

SECURITY TOOLS TREE (2012-02-08, mc, mccansecure gmail com)
    Hi All, I want to create a Security Tools Tree since it is very difficult to keep track of all tools. Please see this blog and help to generate the tree. Your suggestions are valuable for the security professionals in the whole world. Best Regards and thanks in advance. Monika http://securityontop.b [ more ]

Re: SECURITY TOOLS TREE (2012-02-08, synja synfulvisions com)
    sectools.org packetstormsecurity.org On 2/8/12 10:30 AM, "mc" <mccansecure (at) gmail (dot) com [email concealed]> wrote: >Hi All >I want to create a Security Tools Tree since it is very difficult to keep >track of all tools. >Please see this blog and help to generate the tree. Your suggestions are >valuable for the securit [ more ]

Re: Directory Scanner (2012-02-09, Vedantam Sekhar, vedantamsekhar gmail com)
    Hi, Probably you can implement authentication to these pages, if you want only specific users to access these pages. Or probably you can block the IP for a specific time period after unsuccessful requests to non-existing files. Thanks, Sekhar. On Tue, Feb 7, 2012 at 11:19 PM, Thugzclub Thugzclub <thu [ more ]

Re: SECURITY TOOLS TREE (2012-02-09, Vedantam Sekhar, vedantamsekhar gmail com)
    I was working on this some time back. Probably you can see the mind map version of my work here: https://docs.google.com/leaf?id=0Byob_Y-G0OZxYTQ2N2Q2YzgtMzRlOC00MzA3LWE zZTQtNmZkYjNhMDA3N2Y3&hl=en_US Thanks, Sekhar. On Thu, Feb 9, 2012 at 1:47 PM, gold flake <ptinstructor (at) gmail (dot) com [email concealed]> wrote: > A b [ more ]
    I am researching the domain consensus regarding the effectiveness of different web application firewalls (WAFs) and would be glad if you could spare a few minutes of your time to answer a survey on the topic. By completing this survey you will: * Help build valuable d [ more ]