Michael Sutton’s Blog : How Prevalent Are SQL Injection Vulnerabilities? Really interesting study showing that, of a sample population of web apps live on the Internet, 11.3% had SQL injection vulnerabilities. I also thought it was very interesting to see how a combination of the Google API and some relatively simple coding can be turned into […]
Google Cross-site Request Forgery Cross Site Request Forgery is one of those vulnerability classes that can be a bit tricky to explain, so it’s always nice to find a decent live example. This one’s pretty harmless, just changes your Google language preferences, but I reckon that we’ll see a real growth in this kind of […]
O2 closes call records site after security flap | The Register Whenever I read this kind of story it makes me reckon that the victims probably hadn’t had a recent pen test done, and the kind of URL manipulation described would likely have been picked up by most testers. However, kudos to O2 for admitting […]
TaoSecurity: Why 0wn When You Can XSS I’ve come across a lot of postings where people doubt the impact of XSS; this post is a good example of why it can be pretty serious. Replacing content on trusted news sites is an interesting attack which could be leveraged in a number of ways (pump-dump stock […]
iKu Systemhaus AG – Sicherheit Advisory about a new(?) character encoding issue. The problem for Internet Explorer appears to be that they handle the encoding correctly but that A-V/filtering systems may not, essentially obfuscating attacks on the browser….
SecuBat: A Web Vulnerability Scanner Interesting-looking paper on automated web application testing which is being presented at the WWW2006 conference. It’ll be interesting to see if they release the SecuBat tool they’ve developed as part of the work.