Web Application Security Mode:
(Page 11 of 333)  < Prev  6 7 8 9 10 11 12 13 14 15 16  Next >
Re: Help with referer issues in XSS 2012-03-07
Yuping Li (lyp20062392 gmail com) (1 replies)
Hi,

Thanks for all your responses. The premise of my situation is that
there is an XSS bug in the site, and I want to utilize this vul to do
something more, for example, forge some post requests in my js code;
you may recall the glorious "Samy" story here. But the server is now
checking the referer f

[ more ]  [ reply ]
RE: Help with referer issues in XSS 2012-03-07
Alan Tatourian (alan tatourian com)
Help with referer issues in XSS 2012-03-02
Yuping Li (lyp20062392 gmail com) (1 replies)
Hi, all

Suppose there is a reflected XSS vulnerability in a pop SNS, but this
site is "concerned" about security, so they check the referer field of
certain POST requests to make sure that they are normal and correct. Is
it possible for me to bypass this check within javascript? It seems
that I can't

[ more ]  [ reply ]
Re: Help with referer issues in XSS 2012-03-06
gorka - (ray bradbury9 gmail com)
Re: [WEB SECURITY] Help with referer issues in XSS 2012-03-05
Stefano Di Paola (stefano dipaola wisec it)
Also check for:

5. www.example.com.attacker.com/.. as the referrer

just in case the referrer checking regexp is broken.

Cheers
Stefano

On Fri, 02/03/2012 at 18.30 -0800, super evr wrote:
> Here's a couple things to try that I've learned in my experience.
>
> First you can find o

[ more ]  [ reply ]
RE: Directory Scanner 2012-02-14
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
Oops one last comment,

If you implement option 2, do not show different error messages when
a file exists or when the user cannot access it; show a generic "document is
not available for you" or similar message. Otherwise, enumeration is
still possible although you cannot have immediate access to the do

[ more ]  [ reply ]
RE: Directory Scanner 2012-02-14
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
Darn, you are correct Henry, I guess I just read too fast.

Refocusing the answer, there are 2 alternatives I would suggest:

1. You can implement HTTP Digest/Challenge authentication (no BASIC
authentication please, unless you have SSL) on the files directory
2. If you have forms authentication, Imp

[ more ]  [ reply ]
Re: Directory Scanner 2012-02-14
Taras (oxdef oxdef info)
IMHO, the topic starter needs to answer one question: what risk do
I want to reduce? Risk of unauthorized access to these *private* PDF
documents? Ok, you need to implement authorization to access these pages.

09.02.2012 16:36, Vedantam Sekhar writes:
> Hi,
>
> Probably you can implemen

[ more ]  [ reply ]
RE: Directory Scanner 2012-02-13
Calderon, Juan Carlos (GE, Corporate, consultant) (juan calderon ge com)
I understand authentication to these documents is not an issue what is
an issue is directory listing. IIS prevents this by default so I assume
you are using Apache, Tomcat or another server. So the best way to
prevent this issue is to modify your .htaccess file to avoid listing
files:

Here is an ex

[ more ]  [ reply ]
Re: Directory Scanner 2012-02-08
Alexander Pick (acpi mac com)
Another idea is to proxy your download URLs through a script and hide the real files outside the web root.

If you do it in PHP it's pretty simple (header + read file + a bit of security). Just make sure to make the script secure in terms of directory traversal etc.; many people hide their downloads f

[ more ]  [ reply ]
SECURITY TOOLS TREE 2012-02-08
mc (mccansecure gmail com)
Hi All
I want to create a Security Tools Tree since it is very difficult to keep
track of all tools.
Please see this blog and help to generate the tree. Your suggestions are
valuable for the security professionals in the whole world.
Best Regards and thanks in advance.
Monika
http://securityontop.b

[ more ]  [ reply ]
Re: SECURITY TOOLS TREE 2012-02-08
synja synfulvisions com
sectools.org
packetstormsecurity.org

On 2/8/12 10:30 AM, "mc" <mccansecure (at) gmail (dot) com [email concealed]> wrote:

>Hi All
>I want to create a Security Tools Tree since it is very difficult to keep
>track of all tools.
>Please see this blog and help to generate the tree. Your suggestions are
>valuable for the securit

[ more ]  [ reply ]
Re: Directory Scanner 2012-02-09
Vedantam Sekhar (vedantamsekhar gmail com)
Hi,

Probably you can implement authentication to these pages, if you want
specific users to access these pages.
Or probably you can block the IP for a specific time period after
unsuccessful requests to non-existing files.

Thanks,

Sekhar

On Tue, Feb 7, 2012 at 11:19 PM, Thugzclub Thugzclub
<thu

[ more ]  [ reply ]
Re: SECURITY TOOLS TREE 2012-02-09
Vedantam Sekhar (vedantamsekhar gmail com)
I was working on this some time back. Probably you can see the mind
map version of my work here:

https://docs.google.com/leaf?id=0Byob_Y-G0OZxYTQ2N2Q2YzgtMzRlOC00MzA3LWE
zZTQtNmZkYjNhMDA3N2Y3&hl=en_US

Thanks,

Sekhar

On Thu, Feb 9, 2012 at 1:47 PM, gold flake <ptinstructor (at) gmail (dot) com [email concealed]> wrote:
>  A b

[ more ]  [ reply ]
Re: SECURITY TOOLS TREE 2012-02-09
Christopher Siedlecki (christopher sied gmail com)
I think everybody in the security community has tried at least once in their
lifetime to put all their favorite tools into a nice organized
fashion. It is a daunting experience, but worthwhile. There is quite
a good book which might be of interest to you, "Digital Forensics with
Open Source Tools" ISBN-10:

[ more ]  [ reply ]
Mapping an application - Access control testing - Helper tool 2012-02-11
arvind doraiswamy (arvind doraiswamy gmail com)
Hi All,
Here is a very small tool that I recently wrote. This helps you when
you're mapping an application out and want a list of all the
combinations of access control that you want to check. So for example:
There are 5 menus that are accessible only to an Admin level user and
4 other types of user

[ more ]  [ reply ]
Re: Apache Killer - take 2? 2012-01-23
Damiano Bolzoni (damiano bolzoni utwente nl)
On 1/23/12 2:40 PM, Anestis Bechtsoudis wrote:

> Apache byte-range killer use many small byte-range chunks in a single
> request. So no, your attached request is not related to such an attack.

You are right, I didn't write it down properly...what I meant is
"doesn't it look like a clumsy way to ex

[ more ]  [ reply ]
Apache Killer - take 2? 2012-01-19
Damiano Bolzoni (damiano bolzoni utwente nl) (1 replies)
Hi all,
today we saw a weird HTTP header in a request that came to a web server
we are monitoring:

HEAD /contact HTTP/1.1
Content-Range: bytes 1-1024/-1
User-Agent: Opera/9.80 (Windows NT 5.1; U; pl) Presto/2.5.22 Version/10.51
Host: www.xyz.nl
Accept: */*

The offending IP is not in any blacklist

[ more ]  [ reply ]
Re: Apache Killer - take 2? 2012-01-23
Anestis Bechtsoudis (bechtsoudis a gmail com)
CarolinaCon-8/2012 - Final Announcement/Call for Papers/Presenters/Speakers 2012-01-12
Vic Vandal (vvandal well com)
h4x0rs, InfoSec professionals, international spies, script kidz, and posers,

CarolinaCon-8 will occur on May 11th-13th 2012 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions for the event.

If you are somewhat knowledgeable in any interesting field of hacking,

[ more ]  [ reply ]
OWASP AsiaPac 2012 - Sydney Australia CFP and CFT 2012-01-12
Andrew van der Stock (vanderaj greebo net)
Colleagues,

In 2012, OWASP is holding Global AppSec AsiaPac Conference in Sydney Australia! OWASP Asia Pacific is the foremost Application Security conference for the region, and brings together the community in a central meeting for 4 days to discuss and present on recent and current Application S

[ more ]  [ reply ]
RE: Application Security 2012-01-12
Milind Nanal (Milind Nanal eclerx com)
Reference on the subject. Members' view on these points, how they are managing similar
requirements. Information on tools etc.

Regards,
 
Milind Nanal

-----Original Message-----
From: Yiannis Koukouras [mailto:ikoukouras (at) gmail (dot) com [email concealed]]
Sent: Wednesday, January 11, 2012 6:33 PM
To: Milind Nanal
Cc: sec

[ more ]  [ reply ]
Re: Application Security 2012-01-11
Yiannis Koukouras (ikoukouras gmail com)
Hi,

Not sure what you are actually looking for...

Are you looking for references on those subjects or are you looking to
recruit people to perform these tasks?

BR,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedi

[ more ]  [ reply ]
Application Security 2012-01-04
Milind Nanal (Milind Nanal eclerx com)
Hi Mailing list,

Seeking help on the below scenario:

1) The organization's software development life cycle, wherein application security needs to be plugged in as a focused approach.
2) Deployment & planning on roles & responsibilities of a dedicated 4-5 members as apps testers & an apps test manager from in

[ more ]  [ reply ]
Re: stacking proxies 2012-01-04
Robin Wood (robin digininja org)
On Jan 4, 2012 8:46 AM, "David Hardy" <davehardy20 (at) gmail (dot) com [email concealed]> wrote:
>
> Hi Robin,
>
> I was at the talk that Jason did at Brucon, I think there is a little confusion, what he meant was chaining proxy based scanners, ie burp thro Acunetix thro Webinspect etc.
>
> It sounded a strange thing to do and

[ more ]  [ reply ]
AppSec DC 2012 CFP EXTENDED! 2012-01-06
AppSec DC (cfp appsecdc org)
All,

Many of you have written to us asking about the requirement for a
paper in our CFP hosted on EasyChair.  Due to an unforeseen change in
the way EasyChair works, you are no longer able to configure a
submission to require only an abstract, as we thought we had done, and
had done in the past.  To be c

[ more ]  [ reply ]
Re: stacking proxies 2012-01-02
Robert Hajime Lanning (robert lanning gmail com)
I am putting together (in this order):
Nginx (ssl)
Varnish (caching)
Haproxy (load balancing/fail over)
On Dec 31, 2011 10:29 PM, "Robin Wood" <robin (at) digininja (dot) org [email concealed]> wrote:
>
> I watched Jason Haddix talk at BruCon and he talked about stacking
> proxy servers when doing web app tests so that you could g

[ more ]  [ reply ]
Re: stacking proxies 2012-01-01
Robin Wood (robin digininja org)
On 1 January 2012 11:24, BookBag <asaad2 (at) gmail (dot) com [email concealed]> wrote:
> I tunnel everything thru tor. But be careful as DNS requests sometimes are
> done thru your IP. So it's best to get your ip's thru any proxy and do the
> tests thru tor after you've got your ip's

Most of my clients like to know where the a

[ more ]  [ reply ]
Copyright 2010, SecurityFocus