Web Application Security
(Page 2 of 333)
RE: concurrent logins 2014-11-19
Martin O'Neal (martin oneal corsaire com) (1 reply)
For us, this is mostly about context. For all sites, some mechanism to report multiple logins back to the user is important for transparency, as is an audit trail entry.

But actually enforcing a single login is only really relevant to applications containing sensitive data.

Martin...

Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
concurrent logins 2014-11-19
Robin Wood (robin digi ninja) (2 replies)
What are people's opinions on allowing concurrent logins to web apps? I suppose it depends on what the app is used for - forum, admin suite etc - but do the protections from it add more problems than allowing it?

Solutions I can see are:

1. Allow concurrent logins
2. Allow concurrent logins but rep

Re: concurrent logins 2014-11-19
DavidMeans833 (at) air-watch (dot) com [email concealed] (DavidMeans833 air-watch com)
Re: concurrent logins 2014-11-19
Irene Abezgauz (irene abezgauz gmail com)
Re: RES: rating TRACE 2014-11-14
Robin Wood (robin digi ninja)
On 14 November 2014 11:38, Mike Antcliffe <mikeantcliffe (at) logicallysecure (dot) com> wrote:
> I completely agree. And one of the biggest problems is that disparity
> between ratings on tests performed by different companies can cause trust
> issues.
>
> Until the entire industry is singing from the same hy

Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
On 2014-11-14 13:41, Simon Ward wrote:
> The impact should really be none, since there is none if you can't
> manipulate the browser or plugin to create your dodgy request in the
> first place. If we're treating it as a vulnerability and fudging the
> CVSS scores for it then I might give it a partia

Re: RES: rating TRACE 2014-11-13
Robin Wood (robin digi ninja) (2 replies)
The general consensus seems to be low; apparently a QualysGuard scanner (which is ASV approved, I've been told) rates it as informational, and some, like Vivir, rate it as medium.

Such a simple issue and such a wide discrepancy of reporting levels, all with their own justifications. Makes me feel sorry

Re: RES: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: RES: rating TRACE 2014-11-13
Martino Dell'Ambrogio (tillo tillo ch)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:24, Andrew van der Stock <vanderaj (at) greebo (dot) net> wrote:
> Once you plug in the rest of CVSS and get past the base score, it turns out
> it's CVSS rating 1.0, which is where I believe it to be.
>
> CVSS v2 Vector
> (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/A

Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja) (1 reply)
On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com> wrote:
> The Java applet thing is because it can send a cross-domain TRACE request.
> You would need the victim to visit a site you control first, which would
> then send the cross-domain TRACE to the target site, revealing your HTTPO

RE: rating TRACE 2014-11-12
Kenneth Kron (kenneth kron truvantis com)
Re: rating TRACE 2014-11-12
Robin Wood (robin digi ninja)
On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com> wrote:
> I added this link to that OWASP page a while back which explains the Java
> applet method -
> http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
>
> Not sure if it still works though, haven't read that p

rating TRACE 2014-11-12
Robin Wood (robin digi ninja) (3 replies)
I've always given TRACE enabled a rating of low in my reports, and I know other testers who don't even bother reporting it, but a client has asked for a CVSS score for it, and in Googling I found that Rapid 7 rate it as a 6.0, which is the high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http

Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE 2014-11-13
Seth Art (sethsec gmail com) (3 replies)
Re: rating TRACE 2014-11-14
Robin Wood (robin digi ninja)
Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE 2014-11-14
Manolis Mavrofidis (mmavrofides gmail com)
RES: rating TRACE 2014-11-12
Fábio Soto (fabio andradesoto com br)
Re: New tool HTTP Traceroute 2014-11-12
Robin Wood (robin digininja org)
On 12 November 2014 06:32, oxdef <oxdef (at) oxdef (dot) info> wrote:
> Robin, what is the difference between your tool and curl -v/i?

I'd like to think slightly nicer output, checking for invalid SSL/TLS certs, dumping cert info (will get better when I get time), checking for long bodies on redirects. Being

Re: New tool HTTP Traceroute 2014-11-04
Robin Wood (robin digininja org)
On 4 November 2014 23:19, Wayland Morgan <dotwayland (at) gmail (dot) com> wrote:
> How is the tool doing SSL checks? I seem to be getting invalid cert warnings
> while doing queries in the tool on sites that show as valid in a browser.
> Operator error?

Using the Ruby gem's built-in checking; can you give me

[Appcheck-NG] Unpatched Vulnerabilities in Magento E-Commerce Platform 2014-11-04
AppCheck_Advisories (advisories appcheck-ng com)
On April 8th 2014, AppCheck reported several Cross-Site Scripting vulnerabilities in the Magento e-commerce platform via the eBay bug bounty program. eBay responded to inform us that the vulnerabilities had already been reported.

However, since more than 6 months have passed and no fix is yet avail

Copyright 2010, SecurityFocus