Not logged in | Login

My Security Planet » WebSecurity

Feeds

10000 items (0 unread) in 75 feeds

WebSecurity

Security

SEO

Tools

Opensourcetesting.org News

WebSecurity

Tactical Web Application Security

WAF Virtual Patching Workshop at Blackhat USA 2010

Posted: March 9th, 2010, 10:10am CST

Tags: [edit]

Submitted by Ryan Barnett 03/09/2010

Just wanted to let everyone know that if you are headed to Blackhat USA 2010 this summer in Las Vegas, we have just added a 1-day workshop on the day before the Briefings start -

[www.blackhat.com]

In the workshop, we will be mainly discussing the "Virtual Patching" concept of using a WAF (ModSecurity in this case) and we will use the OWASP WebGoat app as the target. In the workshop, we will talk virtual patching theory and then have hands-on labs where we will show how to use Mod to virtually patch the various WebGoat lessons. As a side note - we will also have a section on the new CRS v2.0 when discussing negative security models. So, if you want to come and dive into the deep-end of the pool and have fun using some of ModSecurity's advanced features (such as Lua and Content Injection) then sign-up now!

Brian Rectanus and I hope to see you all in Vegas!!! :)

funkatron.com

Links for 2010-03-08 [del.icio.us]

Posted: March 9th, 2010, 2:00am CST

Tags: [edit]
- OpenClipart Beta - OpenClipArt

ha.ckers.org web application security lab

RSA Conference Wrapup

Posted: March 8th, 2010, 10:45am CST by RSnake

Tags: General News [edit]

Well another RSA Conference has come and gone. Lots of vendor noise about their product being the only secure one on the market, and other nonsense, as is to be expected. Although I did notice a bit of realism this year. It did seem like everyone had eaten a big helping of humble pie, which was refreshing. Even the sales guys weren’t making as hard as a pitch as I’m accustomed to. So all in all, it was a good time. Lots of drinking, lots of good conversation, and I even managed to sneak in and see Jeremiah’s presentation on the top 10 new webappsec vulns from 2009 (how he managed to fit that all into 50 minutes still boggles the mind). I didn’t make it to as many parties as I would have liked to this year - maybe I’m getting old, or maybe I started drinking too early. Either way…

One notable quote was from Howard Schmidt who said, “There is no cyberwar,” but I don’t think he ever defined what a cyberwar would look like - so I don’t know how we’ve decided we aren’t in the midst of one. Maybe he’s absolutely right and we aren’t in the middle of anything like a war (just the low rumble of espionage), but I’d like to hear his definition one way or another so that I can know when I should start being outraged.

Click to enlarge

But I wanted to do a quick writeup on the RSA Conference registration computers themselves, while I was thinking about it. For some reason, my entire life, I have just assumed programmers think the same way I do. Then I am always annoyed to find out they don’t. Physical security is tough, don’t get me wrong, but kiosks are one of those things you really need to be careful to protect from physical tampering and logical attacks. Anyway, I was sitting there waiting for one of the pages to load, and it was taking forever. Because there was no onscreen indicator that it was waiting, I started wondering if the form was even working at all, or if there was some dumb JS error or something else that would cause the page to never load. So I clicked on one of the links at the top in the navigation and it gave me a “Diagnose Connection Problems” error and worse yet, it popped out of the Kiosk mode. Never a good sign. It looks like they’re protecting the application from most classes of attacks simply by disallowing outbound network access. Let’s assume there were no way around that for a second (and I’m not convinced of that, incidentally).

Most people would probably say that security is good enough. Any attack I could mount would be useless because I couldn’t exfiltrate the data off of that machine. Oh, but it’s not that simple. For that application to work it must be able to contact the site in question (the registration portal). That portal has access to a database. As such, the database itself is essentially dual-homed (on the Internet and on this Kiosk intranet). So all I should need is some JavaScript malware to steal people’s information as it pretends to register them, and instead log the data into my database fields. I can be somewhere else and check the records in the database for my account, and poof - I have access to whatever data I wanted to log. I can get JavaScript execution by simply typing it into the URL bar and just like magic, I have a way to steal conference registrant’s information. And there’s the cookies and any other tampering I might be able to do in the config options in IE. It’s definitely NOT a huge deal, but rather just another example of how it’s incredibly complex to build a truly secure browser based kiosk system that can defend against determined attackers. No identities were stolen in the making of this post. Now, back to work!

Jeremiah Grossman

Best of Application Security (Friday, Mar. 5)

Posted: March 7th, 2010, 9:20am CST by Jeremiah Grossman

Tags: [edit]
Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
WhiteHat Security is a leading provider of website security services.

Sunnet Beskerming Security Advisories

Microsoft Security Patch Release March 2010 Advance Notification

Posted: March 6th, 2010, 8:43am CST

Tags: [edit]

In February, Microsoft released a massive thirteen security bulletins, after January's single bulletin. This month, there are only two security bulletins expected, at least according to the Advance Notification that they have released for next week's bulletins.

Both bulletins are rated as Important and are expected to address remote code execution vulnerabilities in Windows XP, Vista, 7, and Microsoft Office Excel and related components. The Office bulletin is also being made available for the OS X versions of Office, so it is important that OS X users also apply the updates when they are released next week.

The publicly disclosed vulnerability with Windows Help files and VBScript remote code execution is not expected to be patched this month, but it is possible that an out-of-cycle patch could be released to address the issue.

CGISecurity.com: Your Web Site and Application Security Resource

Cryptography experts bicker with former NSA director at RSA panel

Posted: March 4th, 2010, 11:31am CST by Robert A.

Tags: Cryptography [edit]

I recently attended RSA and had a chance to see the cryptography panel. Towards the end of the panel an amusing amount of bickering began between the former NSA technical director (Brian snow) and folks such as Whit Diffie (inventor of diffie hellman key exchange), and Adi Shamir (co founder of RSA...

BlueHat Security Briefings

Parser Central: Microsoft .NET as a Security Component

Posted: March 4th, 2010, 9:44am CST by BlueHat

Tags: [edit]

During the past decade or so, a significant portion of the computer industry has set out in a quest for secure software. That this sizable force of smart people with all their resources and market power has not yet brought us a secure and safe computing experience, should be an indication that this task is not something you can just turn around and do.

Securing the huge number of software stacks we are working with on a daily basis is a massive undertaking. It is somewhat similar to attempting to change the way we use natural resources and energy in order to prevent further global warming. Since you could be reading this in Utah, USA[1], let's assume that global warming is an actual problem and is caused by humankind burning pretty much any fossil energy source we can find in order to produce energy.

Slowing down global warming is a tall order, let alone stopping or reversing it. We would need to gradually and globally reduce energy production methods that have carbon dioxide as a byproduct. This is not something you can change overnight. Since people depend on the energy your coal-fed power plant is delivering, you cannot simply turn it off and leave them in the cold. But every time you consider building a new power plant, you should be thinking about its carbon dioxide emissions and you certainly should consider other methods of energy production. The alternative, power generation using renewable sources, will at first appear too expensive and complicated. Primarily, it will seem to provide significantly lower performance, so that you cannot really consider it as an alternative to your coal power plant.

As with the energy problem, the performance argument is constantly pulled out of the bag and waved around when one recommends .NET as the runtime environment for a new software project. Before even the first sketches of a software design and architecture are made (hoping that there actually will be some design and architecture before coding), and a long time before the first line of code is written, someone will argue that whatever it is that's to be developed must be written in C (or some other unmanaged language).

An insidious fact is that the most seasoned programmer in any team will likely be the one to present this performance argument against whoever proposed using .NET for the task at hand. This might be explained by the seasoned programmer being the one who's least likely to implement unmanaged code in a way that it can become a security vulnerability. Maybe it is just the programmer’s old belief that anything not compiled into native platform code doesn't perform well. However, the meritocracy among programmers and their managers causes the senior programmer's statements to have significant more weight that everyone else's, so everyone in the team will "learn" that, for performance reasons, they cannot use .NET.

The sad truth is that such repeated statements will cause software stacks to stay vulnerable to memory corruption and integer overflows for decades to come. Especially experienced people should know that, as Donald Knuth already stated: "premature optimization is the root of all evil." William Allan Wulf took it even further by saying: "More computing sins are committed in the name of efficiency (without necessarily achieving it) than for any other single reason - including blind stupidity." Unfortunately, this is very close to the truth.

If you are an attacker or vulnerability researcher and you are trying to identify an easy attack on a software stack, the first thing you look for is parsers. Any code that handles or interacts with externally provided data that you can influence will be your primary target of interest. If this code is written in an unmanaged language, for example, C/C++, you are very likely to find what you are looking for in the parser before anything else. This is where most software breaks, either through parsing of file formats or protocol messages. In most cases, complex parsing happens before any authentication and authorization could even be performed, so the resulting attack will not only yield arbitrary code execution, but it will also be completely anonymous.

.NET provides almost all the security you need to implement parsers that do not result in security vulnerabilities in your code. Boundary errors do not lead to memory corruptions, so the whole class of buffer overflow vulnerabilities goes away. Even better, boundary errors will throw very distinct exceptions, so your program can react to them specifically. The option to check for arithmetic overflows and underflows in your assemblies is the second mighty weapon that prevents exploitation of signedness issues and data-type conversion problems, although checking for arithmetic overflows and underflows is still not the default for new projects in Visual Studio 2010. By using safe code, written in any of the many .NET front-end languages, you can easily build very solid and robust parsers that ensure your input data is correct and that do not allow attackers to slip overly-large integers past your checks. Let the attacker fuzz your input files until kingdom come.

And what about the performance issues now?

First of all, how about writing secure code in the first place and conducting the performance measurements and optimizations afterwards? It is very likely that this one method, which iterates over your large data set in nested loops a couple of times, is eating most of the CPU time anyway, no matter what language it was written in. Algorithmic mistakes account for a much larger performance impact in almost any sufficiently large application regardless of the programming language used.

Secondly, the security critical parsers are often invoked infrequently during the operation of the application. Review carefully how often your parsers are actually invoked. When you only read files upon user request, it is very unlikely that the user will actually notice any performance difference whether your parser is written in.NET or in unmanaged code, except for the case where a corrupt file is opened, may it be intentionally corrupted or not.

In today's multi-component multi-tier application designs, it is easy to ensure a correct input data set using a strictly written .NET parser and then handing the "normalized" and verified data to other code that performs computationally-expensive processing.

Last but not least, please keep in mind that .NET code is not executed on a virtual CPU but actually compiled into platform-specific code before being executed. This Just-In-Time compilation is where the real performance is gained in any managed languages. And some seriously smart people work on the JIT. When they find an optimization and roll out an updated JIT, all code runs suddenly faster, not just yours. But more importantly, you don't have to do anything, it will happen behind the scenes.

I have made only the best of experiences using .NET code for parsers in security-critical situations. It doesn't relieve you from thinking about acceptable and non-acceptable formatting of your input data, but it massively simplifies the process of validating and checking the input data. If anything goes wrong, the exception will propagate up, and you can safely discard the input from the top-level code. In any other case, the cleaned and sanitized input data set can be used immediately, even in less fortified code.

Returning to the analogy between global warming and securing software stacks, it should be clear that we may not build things the way we did before if we care about changing anything in the future. Even if all parsers from today on will be safe and sound implementations in managed languages without any unsafe code invocations, it will take a long time before the old software is phased out. But if we continue to follow our old habits for dubious reasons, we will never actually get anywhere near our goal of secure and reliable computing.

Consider the capabilities of .NET a vital security component for future software projects.

I appreciate any feedback you may have, and if you happen to attend BlueHat Buenos Aires, I will see you there.

-FX

[1] "Climate Change Joint Resolution", 2010 General Session, State Of Utah, http://le.utah.gov/~2010/bills/hbillamd/hjr012.htm

The Spanner

My RegExp is still leaking

Posted: March 4th, 2010, 5:10am CST by Gareth Heyes

Tags: Security [edit]
The great thing about standards is that sometimes they are blindly followed and it’s not until maybe years down the line that you realise they got it wrong. Personally I think standards should be organically developed in code then defined in a standard once the various flaws have been ironed out. Every standard should use code samples for every single thing they define, this way it is quite easy to spot the intention and how to abuse it.

You could argue this is already done but I disagree, we should have standard prototypes with testing code for each then we can use the code samples and the specification. The W3 decided to release a security list which is a fantastic idea but why did we take so long?

Anyway things are changing and that is cool but onto my RegExp I think. Why the standards rant? Well the RegExp object was defined in the specification as a global object that can access the last result among other things of a regular expression literal. I have no idea why, the same result could be achieved using a reference to the regular expression like so:-
```
a=/a/;
a.test('a');
a.lastMatch;// This doesn't work
//RegExp.lastMatch this does work but shouldn't
```
So as you can see we can access the result of a expression even without reference to the variable. This is bad when we start mixing untrusted javascript in the future as we don’t want to expose other matches to different untrusted code. What new I hear you say? I posted about this before…well don’t you know that some browsers had the crazy idea of supporting regular expressions as a function, yeah true for some crazy reason rather than a regular expression being a regexp object it is a function! I would like for example the following code to return my user agent string please:-
```
javascript:alert(/.+/());
```
I’m not a crazy man honest Lets visit mmm apples and lets use Safari and type the string above in the url bar. What do we get? The user agent! If you look at the source code of the page, you’ll find that they use a external javascript file which runs a regexp match on the user agent because this is the lastMatch and we didn’t provide a string to the regexp in the function arguments it decides to return the lastMatch instead of the input we provide. Nice.

This works on Google Chrome too, you might get different results with Firefox if you have noscript installed because it runs RegExp matches on parts of the page.

SecuriTeam Blogs

Security Seal company sued by FTC

Posted: March 3rd, 2010, 1:00pm CST by Aviram

Tags: Web [edit]

Lets start with the proper disclosure; we provide a Web Site Security Seal service which competes with ControlScan’s. That said, I’m not about to bash ControlScan but rather the poor practices of security seal companies giving out seals to whoever pays them without the proper security checks.

Some background: The FTC sued ControlScan for $750,000 for giving out security seals while not really checking the security of the web sites. This lawsuit and its verdict are good news: It means that services that give out seals need to be responsible for their actions; no more “scanless PCI” badges: if you give out a seal (and I’m looking at all you large domain resellers) that needs to stand for something - when customers see a seal that says “secure site” they need to know the site is secure.

Before you take out the pitchforks, sure - there is no way to verify with 100% certainty that the web site is “secure”. But vulnerability scanning is at a stage today where you can run automated scans and make sure the web site is “secure enough” - meaning it does not have any known vulnerabilities, doesn’t suffer from SQL injections or cross site scripting. If there is a zero day vulnerability in apache, I doubt it will be used against an e-commerce site - it is more likely to be used against a bank or the government. Fact is, over 90% of successful attacks use known vulnerabilities that would have been detected by any competent scanner. If the site is properly scanned and no vulnerabilities are found, this is probably as good as it’s ever going to get; and is definitely better than the chances of your credit card being stolen at a brick-and-mortar store.

What will happen with ControlScan is not really important. What’s important is that security seal providers will now have to stand behind their claims - the fact that the FCC went after a case like this, which is normally way below their threshold, probably means that someone is applying pressure on them; hopefully that will help clean up the act of some online scanning vendors.

Note: Complaint, Exhibits and final judgment here.

-

Make your website safe from SQL Injection attacks. Signup for a daily penetration testing to protect your network!

Tactical Web Application Security

Top 10 Hacks of 2009 and WAF Mitigations

Posted: March 3rd, 2010, 11:58am CST

Tags: [edit]

Submitted by Ryan Barnett 03/03/2010

Jeremiah Grossman gave his “2010: A Web Hacking Odyssey – The Top Ten Hacks of the Year” talk here at RSA this morning where he presented on the Top 10 Hacks list gathered from readers of his blog. In preparation for his talk, he contacted me and ask if/when/how a web application firewall could be used to help mitigate these issues. What a great question! :) So, in case you were not able to attend his RSA talk today, I am going to outline which items can been addressed by WAFs.

HTTP Parameter Pollution (HPP) Luca Carettoni, Stefano diPaola

I actually had a previous HPP post on my blog and in it I present one approach that a WAF can take to identify potential HPP attacks and that is to learn whether or not having multiple parameters with the same name is normal for the specific URL resource and flagging when duplicates are present. This type of behavioral profiling of requests, that identify request construction deviations, is critical for identifying non-injection types of attacks. Most input validation is done on parameter payloads and not the request as a whole. This helps to identify some HPP attack variants but it does not cover all examples attack vectors from the presentation. For the business logic attacks where a new parameter is added which may alter a mid-tier HTTP request, a learning WAF should flag this as an anomalous parameter. Finally, for HPP attacks that aim to split attack payloads across multiple parameters of the same name in order to bypass negative security filters, the only real way to attempt to identify these attacks is to mimic what the back-end web application will do with the request. In the case of ASP/ASP.NET, the app will take all of the payloads of parameters with the same name and then join them together into one payload (separated by commas). A WAF would need to do this as well and then take the new consolidated payload and run it through the standard security checks looking for attack payloads. As a matter of fact, we have added some experimental rules to the OWASP ModSecurity Core Rule Set Project v2.0.6 to do just this.

Slowloris HTTP DoS Robert Hansen, (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic - “Programming Model Attacks” section of Apache Security for describing the attack, but did not produce a tool)

The DoS concept behind Slowloris is important as many organizations don't truly understand the threat, how effective it can be and how difficult it may be to identify if you are being hit by it. This is not the typical "flooding" type of attack where the network or web app is being saturated by HTTP requests. In these scenarios, there are other network security/infrastructure devices that may be able to identify and respond. In the case of Slowloris, however, the web app is basically in a holding pattern waiting for the layer 7 HTTP request... So, how can a WAF help? In an earlier post I had entitled "Identifying DoS Conditions Through Performance Monitoring" I outlined how a WAF can help to identify a Slowloris type of attack by monitoring and learning the transactional metrics associated with the website content. Specifically, Breach's WebDefend appliance learns the key metric of how long it takes for a client to complete sending the HTTP request data to each resource. This is graphically displayed in the Performance dashboard and it is easy to visually identify when there are request receiving issues.

On a more tactical note for Apache - it is possible to identify a Slowloris type of attack by doing two things -

1) Decrease the default Apache Timeout directive setting. By default it is set to 300 seconds which makes it quite easy for Slowloris to DoS the site. It should be lowered to something much smaller like 10-30 seconds.

2) Use the httpd-guardian perl script from Ivan Ristic's Apache Security tools package with the ModSecurity SecGuardianLog directive. Having this external application monitoring the Apache logs allows it to identify these automated attacks and issue alerts and/or blacklist rules for IPTables.

Microsoft IIS 0-Day Vulnerability Parsing Files (semi‐colon bug) Soroush Dalili

The concept of Impedance Mismatch is a re-occurring theme with these issues. Correctly parsing uploaded file information can be tricky as you must correctly interpret the file meta-data (such as the filename, etc....) in the same way as the web app. In this particular case, the attacker is tricking the application file uploading resource by appending a bogus file extension after a semi-colon however the IIS server will interpret it as an ASP page and execute it. In this case, a WAF must get the filename parsing correct and enforce allowable character-sets. The second part is to do some actual file upload inspection to identify what the uploaded file actually is. ModSecurity has the @inspectFile operator which will temporarily dump the file attachment to disc and allow for AV scanning or some other custom logic. This can help to verify that the file type is actually what you are expecting.

Exploiting unexploitable XSS Stephen Sclafani

For XSS, it is important to try and identify the root cause of the problem which is web apps that fail to properly track user supplied data and apply appropriate output escaping. From a WAF perspective, it is possible to identify reflective XSS attacks by mimicking the Dynamic Taint Propagation concept of tracking user supplied data and seeing where it is misused. In this case, we want to inspect any request data to see if it might have meta-characters that are used in XSS attacks and then capture the full parameter payloads. We then inspect the response body content to see if the same data is present. If it is, then the application is not properly output escaping user supplied data. I outlined this concept and showed some examples using ModSecurity in a previous Blackhat DC presentation.

Our Favorite XSS Filters and how to Attack them Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)

Ahh, the fine art of filter evasions... Let me be clear, it is not possible to have 100% protection from XSS payloads if you are using only a negative security model approach. There are just too many ways that an attacker can have functionally equivalent code and bypass signatures. The only hope that you really have is when your web application should not accept *any* html data. If your app has to allow html data but you want to filter out malicious payloads, then looking at something like Anti-Samy is a good choice. One important note about filter evasions and XSS - most people believe that if an attacker is able to bypass the filter that he/she wins. In practice, that is not always the case. What I have seen is that the XSS payloads have to be munged up so much in order to bypass the filter that it no longer will execute in a target's browser. In an attempt to improve XSS negative signatures, we launched the ModSecurity CRS Demo page which allows the community to send attacks and see if they can evade the rules. This has been a great research tool to help us to improve our signatures in both ModSecurity and WebDefend.

Google Online Security Blog

Federal Support for Federated Login

Posted: March 2nd, 2010, 11:36pm CST by Jay

Tags: [edit]

Posted by Eric Sachs, Senior Product Manager, Google Security

Last November, we discussed the progress that account login systems operating via standards-based identity technologies like OpenID have achieved across the web. As more websites seek to interact with one another to provide a richer experience for users, we're seeing even more interest in finding a secure way to enable that kind of information sharing while avoiding the hassle for users of creating new accounts and passwords.

Excitement for technology like OpenID is not limited to the private sector. President Obama's open government memorandum last year spurred the creation of a pilot initiative in September to enable U.S. citizens to more easily sign in to government-run websites. Google joined a number of other companies to explore ways to answer that call.

Now, several months later, some interesting things are taking shape. The Open Identity Exchange (OIX), a new organization and certification body focused on online identity management, today named Google among the first identity providers to be approved by the U.S. Government as meeting federal standards for identity assurance. This means that Google's identity, security, and privacy specifications have been certified so that a user can register and log in at U.S. government websites using their Google account login credentials. The National Institute of Health (NIH) is the first government website ready to accept such credentials, and we look forward to seeing other websites open up to certified identity providers so that users will have an easier and more secure time interacting with these resources.

Our hope is that the work of the OIX and other groups will continue to grow and help facilitate more open government participation, as well as improve security on the Internet by reducing password use across websites.

Tactical Web Application Security

IP Reputation and WAFs

Posted: March 2nd, 2010, 3:10pm CST

Tags: [edit]

Submitted by Ryan Barnett 03/02/2010

In an earlier post I warned against web application security puffery - and it seems as though I am being hit by a tidal wave of it as I sit here at RSA this week... The puffery usually starts off with the phrase "The Industry's first..." and this is rarely the case. In most instances, the concepts/theories of the new features have actually be around and in use by competitors for some time but have not been highlighted by marketing teams with huge conference fanfare and press releases.

The latest example of this is another WAF vendor announcing their reputation-based capabilities. Again - the issue is not that this feature is not useful but rather that it isn't the first in the industry. Breach products have had the capability to do real-time blacklist lookups for years now and it is actually in use as part of the WASC Distributed Open Proxy Honeypot Project. In the honeypot deployments, we are querying the RBLs at SpamHaus to identify SPAMMER source IPs and factoring this into our anomaly scores.

The other "new" WAF industry feature is IP Forensics capabilities which factors in GeoIP data. Once again, Breach products have had automatic GeoIP resolution for quite some time to help provide geographic context to the source of events. Additionally, WebDefend has the capability to customize a 3rd party interface that allows the user to right-click on an event and query an external IP reputation website such as Dshield which provides a much wider view of attack data. The helps to automate an analyst's initial incident response steps to identify if the source of attacks they are seeing is due to random scanning or if perhaps they are being targeted. If Dshield reports a large number of records against the IP then that means that many other networks are reporting attacks from this source. This would indicate that the local event data the WAF is reporting is most likely part of a larger scanning effort. If, on the other hand, Dshield is not reporting any records for the IP, then this might indicate that the local WAF events are part of a targeted attack against your website.

Sunnet Beskerming Security Advisories

Internet Explorer, Help files, and VBScript - Remote Code Execution Allowed

Posted: March 2nd, 2010, 8:40am CST

Tags: [edit]

Microsoft have recently identified an odd vulnerability that utilises VBScript via Internet Explorer to run arbitrary code, all through seemingly-innocuous help files.

From Microsoft's Advisory, any successful exploit requires user interaction, getting the user to press the F1 key after being prompted by a dialog box, nominally bringing up the help function. A weakness in the interaction of VBScript and Windows Help files when using Internet Explorer is the root cause of the vulnerability.

Vulnerable systems include Windows 2000, XP, and 2003 and with the vulnerability having been disclosed publicly before Microsoft were made aware of it, there is a higher risk of successful exploitation than with Microsoft's normal vulnerability disclosure and patching methods. At this stage, there are not any reported attacks making use of this vulnerability.

Mitigating the risk of compromise is the requirement for user interaction, with successful attack only gaining the rights of the current user.

Microsoft's suggested workarounds include not pressing the F1 key when prompted by a website, restricting access to the Windows Help System (effectively disabling it system-wide), and changing the security and scripting settings within Internet Explorer. Relying on user behaviour not to press a key when prompted, and effectively neutering much of the Internet don't really seem like viable long term workarounds for the vulnerability.

With the Security Bulletins for March only a week away, it is unlikely that a patch will be available in this month's release.

funkatron.com

Links for 2010-03-01 [del.icio.us]

Posted: March 2nd, 2010, 2:00am CST

Tags: [edit]
- bytespider's jsOAuth at master - GitHub
  "jsOAuth is a javascript library implimenting the OAuth protocol. jsOAuth aims to form the basis of custom service objects such as Twitter. Both Yahoo and Twitter OAuth services will be catered for in the first release."
- Phishing Attacks Using Social Networks

Tactical Web Application Security

Weekly Round-Up of Web Hacks, Attacks and Vulns (Monday, Mar 1)

Posted: March 1st, 2010, 2:06pm CST

Tags: [edit]

Submitted by Ryan Barnett 03/01/2010

Hacks
NSW Government alleges transport website hacked - sensitive information leakage.
Argentina Coach Diego Maradona's Website Hacked - defacement
Kosovo’s Presidency Website Hacked - defacement/downtime
National Theatre hack forces password reset - unauthorized access/sensitive data leakage

Attacks
Baidu: Registrar 'incredibly' changed our e-mail for hacker - domain hijacking

CGISecurity.com: Your Web Site and Application Security Resource

Web Security Dojo v1.0 release

Posted: March 1st, 2010, 11:30am CST by Robert A.

Tags: Announcements [edit]

From the announcement "Web Security Dojo is a turnkey web application security lab with tools, targets, and training materials built into a Virtual Machine(VM). It is ideal for both self-instruction and training classes since everything is pre-configured and no external network connection is needed. All tools and targets are configured to use...
Watcher 1.3.0 passive Web-vulnerability testing tool released

Posted: March 1st, 2010, 11:28am CST by Robert A.

Tags: Announcements [edit]

"A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and penetration testers in finding Web-application security issues as well as hot-spots for deeper review." - Casabasecurity The full announcement can...

ha.ckers.org web application security lab

Facebook Patents Social Feeds and I Patent XSS

Posted: February 26th, 2010, 3:10pm CST by RSnake

Tags: xss [edit]

In honor of the USPO’s decision to allow Facebook’s patent for social feeds I decided to patent XSS. Please pay up. You know who you are. Thank you.

Jeremiah Grossman

Best of Application Security (Friday, Feb. 26)

Posted: February 26th, 2010, 1:46am CST by Jeremiah Grossman

Tags: [edit]
Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
WhiteHat Security is a leading provider of website security services.

ha.ckers.org web application security lab

Banks, Businesses, Viruses and the UCC

Posted: February 24th, 2010, 12:19pm CST by RSnake

Tags: General News [edit]

There’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?

There is a little known code call the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers - but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of it’s account, the bank isn’t to be held liable - or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.

The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they lose the case, it essentially creates precedence and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.

So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you - I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.

CGISecurity.com: Your Web Site and Application Security Resource

XSS, SQL Injection and Fuzzing Barcode Cheat Sheet

Posted: February 24th, 2010, 11:26am CST by Robert A.

Tags: Funny [edit]

Someone has published an amusing cheat sheet that will allow you to fuzz barcode scanning systems for common input validation issues such as XSS and SQL Injection. They even provide an online barcode generator which allows you to create your own payloads. Not much else to say really :) Link: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

GNUCITIZEN

Hacking Linksys IP Cameras (pt 6)

Posted: February 24th, 2010, 1:18am CST by pagvac

Tags: Blog [edit]
This article is a continuation of the following GNUCITIZEN articles: here, here, here, here and here.

As we know, there are several ways one could go about hunting for IP cameras on the net. The slowest way would be to portscan random IP addresses for certain ports and programmatically detect if the web interface of a given camera was available on the open ports found. This method definitely works, but it can be very time consuming as it consists of scanning random IP addresses hoping that we’ll eventually come across the type of device we’re interested in.

The second method, which would be much faster in finding our target devices, would be to use a search engine and query content that is unique to our target devices (e.g.: URLs, HTML title). This method, popularized by GHDB is simple and effective. The only issue I find with this strategy is that many of these IP cameras found happen to respond very slowly. This is probably due to other curious individuals running the same searches and accessing the same cameras.

The third method which would allow you to find more “hidden” Linksys IP cameras (i.e.: not cached by search engines a.k.a. the hidden web), would consist of bruteforcing subdomains within dynamic domain names (DDNS) used by our target devices (Linksys IP cameras in this case). For instance, the following are some of the dynamic domain names supported by the WVC54GCA and WVC80N Linksys IP camera models:
- linksys-cam.com
- mylinksyscamera.com
- mylinksyshome.com
- mylinksyscam.com
- mylinksysview.com
- linksysremotecam.com
- linksysremoteview.com
- linksyshomemonitor.com
Camera discovery process through subdomain bruteforcing
We first save the aforementioned domains in a file, doms in this case. Then we use dnsmap to bruteforce subdomains for each of the domains included in doms.

Using dnsmap’s built-in wordlist:
```
$ for i in `cat doms`;do dnsmap $i -r ~/ -i 64.14.13.199,216.39.81.84&done;
```
Using a user-supplied wordlist, wordlist_TLAs.txt in this case, which is a three-letter acronym wordlist included with dnsmap v0.30:
```
$ for i in `cat doms`;do dnsmap $i -w wordlist_TLAs.txt -r ~/ -i 64.14.13.199,216.39.81.84&done;
```
Note: dnsmap’s ‘-i’ option allows ignoring user-supplied IP addresses from the results. In this case, 64.14.13.199 and 216.39.81.84 belong to the DDNS service provider, and would therefore be regarded as false positives in this case (we’re only interested in IP cameras setup by their respective owners after all). For more info on how to use dnsmap, checkout the README file.

We then parse the IP addresses of the subdomains discovered by dnsmap:
```
$ grep # dnsmap*.txt | awk '{print $4}' | sort | uniq > ips.txt
```
Next, we scan for ports that could potentially be used by a Linksys IP camera web server. In this case, we choose TCP ports 80, 1024 and 1025 as candidates:
```
$ sudo nmap -v -T4 -n -P0 -sS -p80,1024,1025 -iL ips.txt -oA nmap_http_ports.`date +%Y-%m-%d-%H%M%S`
```
This leaves us with a lot of discovered services, but we don't quite yet know which of them correspond to actual Linksys IP cameras web interfaces. There are many ways to fingreprint the web server of a Linksys IP camera. In this case we chose to create our own amap response signature, and then scan the open ports with amap.

Before amap is capable of identifying our target Linksys IP cams, the following response signature needs to be added to appdefs.resp, and amap then needs to be recompiled. Otherwise amap won't take the new signature into account:
```
http-linksys-cam::tcp::^HTTP/.*nServer: thttpd/.*Accept-Ranges: bytes.*WVC
```
Please note that the previous amap response signature was only tested against the WVC54GCA and WVC80N Linksys IP camera models. So I'm not sure if it will work against other models. You've been warned!

Once recompiled, amap can be used to identify Linksys IP cameras from nmap's open ports results.
```
$ amap -i nmap_http_ports.2010-02-22-102001.gnmap -R -S -o amap_results.`date +%Y-%m-%d-%H%M%S`
```
We finally parse the IP addresses and open ports for all discovered Linksys IP cameras:
```
$ grep http-linksys-cam amap_results.2010-02-22-102253 | awk '{print $3}' | cut -d / -f1
x.x.167.245:1024
x.x.228.231:1025
x.x.228.231:80
x.x.64.22:80
x.x.206.70:1024
x.x.31.4:1024
x.x.164.28:1024
[snip]
```
At this point we have accomplished the task of creating a list of Linksys IP cameras without resorting to search engines or scanning random IP addresses. In order to discover more Linksys cameras, a more comprehensive wordlist would need to be used with dnsmap.

Of course, even further automation would be possible. For instance, an attacker may wish to programmatically identify which Linksys cameras from the previous list allowing video viewing to unauthenticated users:
```
$ amapfile=amap_results.2010-02-22-102253;for i in `grep http-linksys-cam $amapfile | awk '{print $3}' | cut -d / -f1`;do url="http://$i/img/main.cgi?next_file=main.htm";if curl --connect-timeout 2 -s -I --url $url | grep ^"HTTP/1.1 501">/dev/null;then echo $url;fi;done;
x.x.206.70:1024/img/main.cgi?next_file=main.htm
x.x.105.221:1024/img/main.cgi?next_file=main.htm
x.x.105.221:80/img/main.cgi?next_file=main.htm
x.x.181.195:1024/img/main.cgi?next_file=main.htm
x.x.243.154:1024/img/main.cgi?next_file=main.htm
x.x.243.154:1025/img/main.cgi?next_file=main.htm
x.x.30.196:1025/img/main.cgi?next_file=main.htm
[snip]
```
In addition to automatically checking for anonymous video viewing on all cameras found, other tasks such as checking for default credentials (admin/admin) could also be scripted, although this will NOT be included in this post (or any other at GNUCITIZEN).

---
gnucitizen information security gigs part of the cutting-edge network:
- No active items found!
- GNUCITIZEN NETWORK
---
recent posts from the gnucitizen cutting-edge network:

0.5 is up for grabs
Websecurify 0.5RC1 Is Available for Download
What's New in Websecurify 0.5
Hacking Linksys IP Cameras (pt 6)
dnsmap v0.30 is now out!

Sunnet Beskerming Security Advisories

MS10-015 Issues Confirmed to be Caused by Alureon Rootkit

Posted: February 22nd, 2010, 5:03pm CST

Tags: [edit]

When Microsoft released their February Security Bulletins, there were reports that one of the bulletins, MS10-015 was leading to blue screens on rebooting for some Windows XP systems. Advice was quickly pushed out by a number of sources that allowed users to rollback the bulletin and get some functionality back with their system, and Microsoft began taking a closer look at the issue.

It has now been confirmed that the issue encountered was a result of malware infection, as many had suspected. The particular malware family identified is the Alureon rootkit. The blue screen that results after applying MS10-015 is due to the changes the rootkit has made to the Windows kernel, leaving it unstable and eventually broken following the changes MS10-015 makes within the Windows kernel. The referenced MSRC blog post specifically identifies that the Alureon rootkit looks for a specific memory address to access Windows code. When MS10-015 changed the location of that code, it left Alureon without the function it was trying to call and it resulted in system instability and the blue screen crashes.

Further remediation advice has been provided by Microsoft's Malware Protection Center, which points out that recovering from the rolling reboot / blue screen issue caused by Alureon can be as simple as overwriting the corrupted / infected system driver with a known clean copy. The most common system driver affected by this particular rootkit is atapi.sys.

The malware authors have also responded to the issue and have updated their rootkit to no longer point to hardcoded memory locations, meaning new installations of the rootkit will no longer blue screen Windows XP systems.

CGISecurity.com: Your Web Site and Application Security Resource

Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection

Posted: February 22nd, 2010, 4:32pm CST by Robert A.

Tags: IndustryNews [edit]

I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory...

BlogSecurity

WordPress Thrashing Authorisation Bypass

Posted: February 22nd, 2010, 3:41pm CST by Philipp

Tags: Advisories [edit]

Thomas Mackenzie has reported a vulnerability affecting Wordpress >= 2.9. Versions before 2.9 are not vulnerable. tmacuk quote: Since version 2.9 a new feature was implemented so that users were able to retrieve posts that they may have deleted by accident. This new feature was labelled ‘trash’. Any posts that are placed within the trash are only viewable [...]

Tactical Web Application Security

Weekly Round-Up of Web Hacks, Attacks and Vulns (Monday, Feb 22)

Posted: February 22nd, 2010, 8:50am CST

Tags: [edit]
Submitted by Ryan Barnett 02/22/2010
HacksHackers Manipulate Grader.com of Twitter - compromised Twitter tools in order to send out SPAM tweets.
Falkland Islands website hacked to display pro-Argentinian flag and messages - defacement/hacktivism.
AttacksSecurity Companies Warn Google on Spammers Targeting Google Buzz
VulnsGoogle Buzz Security Flaw - XSS flaw.
SANS @RISK ListWeb Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

GNUCITIZEN

3rd release of dnsmap is now out!

Posted: February 20th, 2010, 3:08pm CST by pagvac

Tags: Blog [edit]
After working on dnsmap for a few months whenever time allowed, I decided there were enough additional goodies to make version 0.30 a new public release.

Let me just say that a lot of the bugs that have been fixed, and features that have been added to this version would not be possible without the feedback from great folks such as Borys Lacki (www.bothunters.pl), Philipp Winter (7c0.org) and meathive (kinqpinz.info).

Thanks guys, your feedback was highly valuable to me.
new features
Anyways, the following are some of the new features included:
- IPv6 support
- Makefile included
- delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth
- ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives
- changes made to make dnsmap compatible with OpenDNS
- disclosure of internal IP addresses (RFC 1918) are reported
- updated built-in wordlist
- included a standalone three-letter acronym (TLA) subdomains wordlist
- domains susceptible to “same site” scripting are reported
- completion time is now displayed to the user
- mechanism to attempt to bruteforce wildcard-enabled domains
- unique filename containing timestamp is now created when no specific output filename is supplied by user
- various minor bugs fixed
For those who have never used dnsmap, dnsmap is a command line tool originally released in 2006 which helps discover target subdomains and IP ranges during the initial stages of an infrastructure pentest. dnsmap is a passive(ish) discovery tool meant to be used before an actual active attack. It’s an alternative to other discovery techniques such as whois lookups, scanning large IP ranges, etc … Run dnsmap and you should be able spot netblocks of a target organization in a relatively short period of time.

dnsmap is open source and is known to work on Linux, FreeBSD and Windows using Cygwin, although it has mostly been tested on Linux.

The major drawback is lack of multi-threading support, which I’m hoping will be included in the next public release. Life is busy these days, but I’ll try to spend some time on this project when time allows and inspiration is available!

---
gnucitizen information security gigs part of the cutting-edge network:
- No active items found!
- GNUCITIZEN NETWORK
---
recent posts from the gnucitizen cutting-edge network:

0.5 is up for grabs
Websecurify 0.5RC1 Is Available for Download
What's New in Websecurify 0.5
Hacking Linksys IP Cameras (pt 6)
dnsmap v0.30 is now out!

Jeremiah Grossman

Compliance and Habit holding back Application Security

Posted: February 19th, 2010, 6:08am CST by Jeremiah Grossman

Tags: [edit]

My "Infrastructure vs. Application Security Spending" post must have struck a nerve. I've received a number of comments and emails where it's clear many are grappling with the same organizational budgeting challenges. Sharing these individual experiences help us raise awareness and gain new perspective on things that might work to our advantage. I sought permission to share the content of such insightful email from a Director of Product Security for a large publicly-traded company.

"Good post. It's something I've been preaching at *redacted* since day one. Our business relies on protecting our customers data. Why spend significantly more money on protecting our internal networks then on our product. I've won that battle, but given our security team started from network IT Security guys, that's where the money was spent.

A couple things I thought I'd pass along which you didn't mention, but I'm sure you've though about:

1. Service providers are going to spend money where their customers want them to. If their customer's security teams are all network guys, then the service provider is catering it's "security budget" to those guys. It still befuddles me in this day and age that we get predominantly more nCircle/Qualys/Nessus scans than we do application assessments from our customers. It shows though too in the compliance arena…if the people auditing your company have been baptized by compliance, then the service provider will cater to that. Unfortunately there's way more auditors who look at compliance and network security then application level security.

2. I think the comparison of network/host security vs application security shouldn't equate (right now). Because of the maturity of the market, there are less tools that are practical to rely on. As such, the curve should focus more on people (training, processes, and security staff) then on tools. I'm not saying the tools can't /don't do a good job, I'm just saying that right now they're not sufficient and in general more staffing resources need to be involved. To use an internal example, the fact that all R&D staff at *redacted* go through security training, perform security work every sprint, use secure frameworks, tools, etc, isn't captured by the numbers…and frankly is more valuable than us spending another 100K on a few more licenses of AppScan or WebInspect.

I think it would be really interesting to compare the costs of some of these products vs the benefit they provide. I just find it terribly funny that a Burp license costs ~$200, while running a product like DB Monitoring would costs hundreds of thousands or even millions of dollars in a large data center. That said, customers ask for things like DB Monitoring - because, you know, the five DBAs are more likely to steal their data then the thousands of malicious hackers out there ;-)

I'm not old enough to know…but, I bet the network security guys cracked on how the physical security guys got all the budget way back when. Evolution…"

If you got a story to share, please do!

WhiteHat Security is a leading provider of website security services.

funkatron.com

Links for 2010-02-18 [del.icio.us]

Posted: February 19th, 2010, 2:00am CST

Tags: [edit]
- Sammy
  "Sammy is a tiny javascript framework built on top of jQuery. It’s RESTful Evented JavaScript."

Jeremiah Grossman

Best of Application Security (Friday, Feb. 19)

Posted: February 19th, 2010, 1:13am CST by Jeremiah Grossman

Tags: [edit]
Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
WhiteHat Security is a leading provider of website security services.
Hey Massachusetts, where is your application security requirement?

Posted: February 18th, 2010, 10:31am CST by Jeremiah Grossman

Tags: [edit]

This relates to my last post where Boaz Gelbord (Security Scoreboard), cited something very interesting about the Massachusetts data security regulation going into effect March 1. Their listed “Computer System Security Requirements” of their "risk-based approach" is pasted below. While I can’t say any one of these security controls is a bad idea, but can someone please tell me how any of this stuff is going to thwart Web-based attacks!? You know the kind of attack organizations and end-users are really dealing with!

No mention at all of (Web) application security, the thing we desperately need, but sure enough more firewalls, SSL, and anti-malware is legally mandated.

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:
(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;
(5) Encryption of all personal information stored on laptops or other portable devices;
(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

WhiteHat Security is a leading provider of website security services.
Infrastructure vs. Application Security Spending

Posted: February 18th, 2010, 7:32am CST by Jeremiah Grossman

Tags: [edit]
A recent study published by 7Safe, UK Security Breach Investigations Report, analyzed 62 cybercrime breach investigation and states that in “86% of all attacks, a weakness in a web interface was exploited” (vs 14% infrastructure) and the attackers were predominately external (80%). These results are largely consistent with the US-based Verizon Data Breach Incident Report (2008) which tracks over 500 cases. Combine this knowledge with the targeted Web-related attacks against Google, Adobe, Yahoo, the US House of Representatives, TechCrunch, Twitter, Heartland Payment Systems, bank after bank, university after university, country after country -- the story is the same. It’s a Web security world.

It has been said before and it’s worth repeating, adding more firewalls, SSL, and the same ol’ anti-malware products is not going to help solve this problem!

The reason that Web security problems persist is not a lack of knowledgeable people (though we could use more), perfected security tools (they could be much better), or effective software development processes (still maturing). A fundamental reason is something myself and others have been harping on for a long while now. Organizations spend their IT security dollars protecting themselves from yesterday’s attacks, at the network/infrastructure layer, while overlooking today’s real threats. Furthermore, these dollars are typically spent counter to how businesses invest their resources in technology. To illustrate this point I’m going to borrow inspiration from Gunnar Peterson (Software Security Architect & CTO at Arctec Group).

Let’s look at the approximate 2009 revenue from the largest corporations supplying a significant (most?) portion of IT infrastructure. Cisco $36B, Juniper $3.3B, Microsoft $58.5B, and F5 $653M. Total: $98.5B (USD). To protect this infrastructure from attacks security products are purchased. The approximate 2009 revenue of largest security vendors is Symantec $6B, Kaspersky $100M, McAfee $1.6B, Checkpoint $800M, SourceFire $75M, and IBM/ISS $500M (we think).

We’re spending $9.1B (USD) to protect $98.5B (USD) in infrastructure. Perhaps a ~%10 security tax on infrastructure is acceptable.

Now, let’s take a look at five of the top Web-based companies, which make all their money online, and by extension whose core technology value is rooted in Web code. In 2009 their revenues were: Google $23.6B, Yahoo $6.5B, eBay $8.7B, Amazon $24.5B, Salesforce.com $1.1B. $64.4B in total. Keep in mind that the 2009 eCommerce market is said to be about $130B. To protect these Web-enabled systems let’s use Gary McGraw’s (CTO of Cigital) 2007 software security revenue numbers of $500 million. He takes into account the bulk of white and black box testing tools, professional services consultancies, and web application firewall vendors. Since Gary hasn’t updated his numbers yet, lets adjust up to $750M to reflect market growth between then and 2009.

So in effect ~$750M is being spent to protect $64.4B in eCommerce revenue.

This is further supported by analyst findings. According to Gartner, 90 percent of IT security spending is on perimeter security such as firewalls. Plus to my mind that 1.20% figure is way aggressive. It is likely the percentage is much lower because the $750M is actually being spread out among financial, healthcare, insurance, education, energy, transportation, and government verticals. Perhaps this is also the reason why so many application security professionals wage holy wars over what solution is the best, worst, most important, or should be purchased first.

For the last ten years, I’ve directly experienced application security professionals fighting amongst themselves for scraps off the Big-Security-Vendor’s table. Vulnerability scanners vs WAFs, black vs white box, pen-test vs source code review, certifications vs real world experience, developer training vs secure frameworks, and so on. FAIL! All these solutions are necessary and more! The only way I see to truly improve application security is for organizations to do one (or both) of the following:
1. Reallocate a portion of current infrastructure security spend to application security.
2. Grow overall IT security spending and increase application security to more than a rounding error.
But, lets say you are unconvinced by the numbers above. They might be too shaky, that’s fair. Lets try another Gunnar-inspired exercise:

Break the IT budget into the following categories:

- Network: all the resources invested in Cisco, network admins, etc.
- Host: all the resources invested in Unix, Windows, sys admins, etc.
- Applications: all the resources invested in developers, CRM, ERP, etc.
- Data: all the resources invested in databases, DBAs, etc.

Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.

Then do the same exercise for the Information Security budget:

- Network: all the resources invested in network firewalls, firewall admins, etc.
- Host: all the resources invested in Vulnerability management, patching, etc.
- Applications: all the resources invested in static analysis, black box scanning etc.
- Data: all the resources invested in database encryption, database monitoring, etc.

Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!

If security spending can be justified on areas where attacks no longer occur, then perhaps we can justify more time, money, and effort on application security in the areas where the attacks are being waged.

WhiteHat Security is a leading provider of website security services.

CGISecurity.com: Your Web Site and Application Security Resource

Post on Abusing Windows Communication Foundation to Perform Remote Port Scans

Posted: February 17th, 2010, 12:10pm CST by Robert A.

Tags: IndustryNews [edit]

Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article "Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind...

ha.ckers.org web application security lab

Google Buzz Security Flaw

Posted: February 16th, 2010, 1:17pm CST by RSnake

Tags: xss [edit]

… Speaking of Google, I got an email from TrainReq (the same fellow who allegedly hacked Miley Cyrus for those who don’t keep up to date on your tween idols). The email was regarding an exploit against Google Buzz. It’s yet another example of bad input validation/output encoding by your favorite advertising overlords at Google. As you can see, nothing up my sleeves:

Click here to enlarge.

There’s four things of note here. Firstly it’s on Google’s domain, not some other domain like Google Gadgets or something. So yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz - as if anyone is using that product (or at least you shouldn’t be). And lastly isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised? Why on earth does Google think its systems are secure enough to trust them with that kind of sensitive information? Yes, bad guys can figure out where you’re located if you allow that function. Chinese dissidents beware! But if you have something to hide, you must be a bad guy, right, Eric?

CGISecurity.com: Your Web Site and Application Security Resource

2010 SANS Top 25 Most Dangerous Programming Errors Released

Posted: February 16th, 2010, 1:05pm CST by Robert A.

Tags: Announcements [edit]

I was luck enough to assist in this project and I must say that a lot of great discussions took place. Unlike many other top x security lists, SANS/MITRE's methodology is fairly extensive and well documented giving you insight into how decisions were made. I do want to point out that top...

Tactical Web Application Security

CWE/SANS Top 25 Most Dangerous Programming Errors 2010 - WebApp Focus Profile

Posted: February 16th, 2010, 12:40pm CST

Tags: [edit]
Submitted by Ryan Barnett 2/16/2010

Mitre and the SANS Institute have once again teamed up to create the new 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list. As opposed to the OWASP Top 10 Web App Security Risks list, the CWE/SANS list includes all software so many of the issues raised are not applicable to web apps. One of the cool features of the new list, however, is the inclusion of "focus profiles" which provides a more focused, contextual view of the issues. I was able to work on a web application-specific focus profile of the list and I will present it below. Keep in mind that this is not an official list yet however I will continue to work with Steve Christey in order to complete the development.

Web Application Emphasis
This profile ranks weaknesses that are important from a web application perspective. The list maps its base CWE components from the Insecure Interaction Between Components Category-base view as these items are all directly related to web application isues. This data was then correlated with the OWASP Top Ten Project, the Web Application Security Consortium (WASC) Threat Classification and takes a priority ranking focus based on real-world web application compromise data as gathered by the WASC Web Hacking Incident Database (WHID). The inclusion of WHID data allows for this focus profile to factor not only Prevalence and Importance but also Attack Frequency data. This accounts for the adjustments to the ranking order and the discrepancies between the individual lists. Each entry includes relevant mappings/references to the OWASP Top 10, WASC Threat Classification and WASC WHID Entries.
Combined Top 10 List (CWE/SANS, OWASP Top 10, WASC Threat Classification, WASC WHID)
1. CWE-89: Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
  OWASP A1: Injection
  WASC-19: SQL Injection
  WHID: SQL Injection
2. CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
  OWASP A2: Cross-site Scripting (XSS)
  WASC-8: Cross-site Scripting (XSS)
  WHID: XSS
3. CWE-307: Missing Authentication for Critical Function
  OWASP A3: Broken Authentication and Session Management
  WASC-01: Insufficient Authentication
  WHID: Insufficient Authentication
4. CWE-307: Improper Restriction of Excessive Authentication Attempts
  OWASP A7: Failure to Restrict URL Access
  WASC-11: Brute Force
  WHID: Brute Force
5. CWE-352: Cross-Site Request Forgery (CSRF)
  OWASP A5: Cross-site Request Forgery (CSRF)
  WASC-9: Cross-site Request Forgery (CSRF)
  WHID: CSRF
6. CWE-209: Information Exposure Through an Error Message
  OWASP A6: Security Misconfiguration
  WASC-13: Information Leakage
  WHID: SQL Injection -> Information Leakage
7. CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  OWASP A3: Broken Authentication or Session Management
  WASC-18: Credential/Session Prediction
  WHID: Credential/Session Prediction
8. CWE-285: Improper Access Control (Authorization)
  OWASP A7 – Failure to Restrict URL Access
  WASC-02: Insufficient Authorization
  WHID: Insufficient Authorization
9. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  OWASP A4: Insecure Direct Object Reference
  WASC-33: Path Traversal
  WHID: Path Traversal
10. CWE-78: Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
  OWASP A1: Injection
  WASC-31: OS Commanding
  WHID: OS Commanding

BlueHat Security Briefings

Do you believe in ghosts?

Posted: February 16th, 2010, 12:04pm CST by BlueHat

Tags: [edit]

When I was a kid, I had nightmares every week. I still remember some of them vividly, particularly the ones where ghosts were involved. Not the typical ghosts from the movies, but ones that could not be seen, only heard and felt. Why would I be so frightened and still remember them “vividly” today? Because during those nightmares, I had the illusion of having control but still was not able to run away from those “entities”. I felt hopelessness even hours after waking up.

I started working with Web browsers for an online floating ad company a long time ago and my job was to make the floating ads cross-browser compatible (making sure that they worked on Netscape and IE/Win/Mac with and without Flash). During that time, Opera was just music and Firefox was not even in the wildest nightmares of anybody. To be fair, Opera existed but was only used to click on the red door at Fravia+. And by the way, Opera was not freeware during that time.

It was a very hot day in summer and I was trying to fix the position of the Artificial Intelligence Flash movie over the sites where the ad was shown. I don’t know if the music of that floating ad was the same as the movie's music, but it was scary for me. You know, the terror-music type, suspense, whatever. It was simply “not nice” for me. It was the type of music I would not like to hear alone at home, in the dark.

The designers did not finish the final animation until 10:00 PM that day, so I left the office with homework: I had to finish the positioning, make it cross-browser compatible, package the files, and deliver it.

Back at home, while testing, the music of the animation really bothered me. Besides being very scary (it was 2:00 AM and I was home alone), I had to listen to the same music over and over again! Every reload meant hearing that music again. So I simply muted my speakers and continued working for two more hours until everything was correctly positioned, the click-though was correct, and the animation worked flawlessly on all browsers. So I relaxed, moved away from my PC, and lit up my classic relaxing cigarette. No more work for today.

Half an hour later I went back to my PC to start Winamp, but when I watched the screen I saw the floating ad that was loaded on my browser from my last test, so I simply clicked on my home button, going effectively to about:blank and leaving the page clean. I loaded Winamp to hear a few tunes before going to sleep, and when I unmuted the speakers by dragging the volume-up, the scary music from Artificial Intelligence banged out of my speakers! I was expecting to hear “Twisting the Night Away” (Innerspace version) but the floating-ad-music had continued playing!

What was happening? The floating ad was not in the browser anymore! How was this possible? Yeah, the browser was open, but there were no tabs (tabs were only available on Opera) so the only loaded page was about:blank. I started killing every task until I was left with nothing more than the browser. The music was coming from my browser which had nothing more than a blank page loaded! How was that possible?

And the music was scary for me. It reminded me of my childhood nightmares: nothing to see, but you could hear it and feel it. My nightmare had become true. The browser (which was part of my life) had a real ghost inside!

Should I kill the task? Will that stop the music? Feeling a bit anxious, I simply clicked the End Task button and sure enough, Task Manager destroyed my nightmare. Mark Russinovich preaches about Process Explorer, but if I have to pray, I will always do it to Task Manager. I felt so good when the music stopped.

Anyway, it was that scary music that started my interest in “tricky code”. If the music could continue playing even after leaving the Web page, was it possible to run a script the same way?

Probably because of that story, my presentation at the 7^th BlueHat started with the phrase “Do you believe in ghosts?” It was a presentation that showed how to run scripts in the browser after navigating away from a page. In other words, keep controlling part of the browser behavior from behind the scenes no matter where the user went. It was like “having a ghost in the browser”.

Not only did I believe in ghosts, I had evidence that they existed -- at least inside browsers -- and I wanted to show it to the folks at Microsoft. The nice thing is that the ghost-busters at Microsoft patched the code, destroying my nightmares, hopefully forever.

Last night I woke up in the middle of the night. I was thirsty. I grabbed the glass of water that I always have on my nightstand, and the second I placed it on my lips I remembered what I was dreaming about. I was part of a discussion panel, talking about what it means to be a hacker. We were exploring the value of hackers to the ecosystem, hacker skills, motivations, and incentives. Trying to understand the difference between a hacker and a criminal. Andrew Cushman and Damian Hasse from Microsoft were there! And so were colleagues of the ecosystem like Ivan Arce, Luiz Eduardo, Nico Waisman, Rodrigo Rubira Branco and Felix 'FX' Lindner!

But when did I fly to Redmond? It was strange to me to be at the BlueHat conference without remembering the flight (I hate to fly). Buenos Aires is far away from Redmond, how could I forget? When did I plan this? The instant I thought that, I read the small letters at the bottom of the BlueHat flag which said, “BlueHat Buenos Aires”. But it wasn’t a dream after all. The BlueHat organizers were in fact organizing a BlueHat in Buenos Aires for the local researcher, enterprise and government communities across Latin America and the reality was that I was going to be able to be a part of it—and all in my (near) backyard in March!

With my glass of water and having slept enough, I grabbed my notebook to see that I had received a new e-mail from Celene and Dana. The body of the message said, “Will you participate in the BlueHat Buenos Aires?” I could not believe my eyes. Still today I feel flabbergasted when I think about it. A nightmare vanished and a dream came true.

This BlueHat security conference in Argentina–for me–is the most important one. It has something for everyone. We will hear from the creator of OWASP, the minds behind PHNeutral, ysts and Hacker2Hacker, iDefense, CORE, and the ghost busters of the MSRC. I never believed that saying, "you learn something new every day;" however, this day you will certainly learn something and leave the BlueHat conference with new ideas, homework to do, and the motivation to get started.

Hope to see you there.

Manuel Caballero.

Sunnet Beskerming Security Advisories

Anonymous to take Protesting Into Physical World

Posted: February 15th, 2010, 7:21pm CST

Tags: [edit]

When Anonymous first targeted the Australian Government over proposed Internet censorship, there wasn't much of a result, but the second round of attacks had more effect recently, successfully using dDoS attacks to target and temporarily disable several federal government websites. This weekend, the protests will enter the physical world, with various protests being planned for February 20 around Australia, and with calls for similar protests at Australian embassies across the globe.

With the generally apathetic viewpoint that many Australians take to the issues being protested, the protests may not attract many people, and are bound to attract only minor press attention, if only for the name of the protest (Operation Titstorm). With a federal election due this year it is unlikely that any real progress will be seen on loosening the noose that is being slowly applied to Australian internet access. Both major parties were supporters of the idea of Internet filtering before the last election, and both continue to support the idea in the lead up to this election.

There is some hope for people opposed to the current forms of media classification and censorship in Australia, with South Australia also set to hold an election this year. The South Australian Attorney General is seen as the reason why games do not have an R or equivalent rating, instead being capped at MA15+. This has meant some games are either refused classification (RC) or not even offered for sale in Australia, limiting the opportunity for a maturing population of Australian gamers to access these titles legally.

Game retailers have begun an awareness campaign, alongside a number of community based drives, to make the public aware of this situation and there are a growing number of people who find this situation unwanted.

On and offline protests by Anonymous and a growing number of publicly dissatisfied Australian gamers may not be enough to see any real changes enacted with the coming state and federal elections in Australia, but they are a starting point for greater future awareness. If recent history in Europe is any indicator, there may be a couple of surprises from political groups focussed on keeping as much freedom in the Internet as possible. It probably won't directly affect the major parties strength in parliament, but their presence on the ballots will at least force the major parties to consider the arguments being made by the new groups.

funkatron.com

We’re the Stupid Ones: Facebook, Google, and Our Failure as Developers

Posted: February 15th, 2010, 6:43pm CST by funkatron

Tags: Development [edit]
Photo by michiel
Normally I try to chew on an idea for a post for a few days; it lets me sort out my thoughts and form some kind of thesis. I’m totally not doing this here, though, so I should preface this with a note that I could be completely off-base. But I don’t think so.

Discussion about how we interact with computers heated up recently with the introduction of the iPad. Lots of nerdy types (myself included) were frustrated that Apple had introduced not a tablet “computer,” but a big iPod Touch. They’re both computers, of course, but the way we interact with them is different: the modern computer interface uses a multitasking windowing motif, and the iPod/iPad interface is fullscreen and single-task focused.

As a Nerdy Power User, I am well-versed in how to navigate a multitasking interface, and for the most part I understand how and why it works the way it does. I, in fact, enjoy learning about the intricacies of these kinds of systems. So when I use a single-task interface like that of the iPod Touch, I frequently bash my noggin against the barriers it imposes. Copying a URL from the web browser to my Twitter client takes orders of magnitude longer than it would on OS X or Windows, for example.

What I’ve learned from interacting with most computer users, though, is that they do not give a rat’s ass about how computers work. They want to accomplish certain tasks, and will do this in the way that is most sensible and direct for them. And the way they end up accomplishing these tasks within the multitasking window motif is typically not the way I would do it.

The recent fiasco on ReadWriteWeb, where a RWW article became the first Google result for “facebook login,” is a classic example of this. And, unfortunately, so is the reaction of most Learned Computer Fellows: one of mockery and derision, admonishing the confused users for being stupid, incompetent, or lazy.

I’ll admit that I took some glee when I first saw the numerous comments on the article; I love a humorous clusterfuck as much as the next guy. But seeing some of the reactions by the Very Smart Computer People, I began to realize that We Are Not Getting It. Consider:
- Isn’t this really a failure of Google? How did it become so easy to game search engine results that an article about Facebook and AOL became the first result for ‘facebook login,’ instead of the obvious thing people are actually looking for?
- How is it the fault of the users when we present them with multiple, barely-differentiated text fields within the same window. Is it really surprising that they don’t understand the differences between each? And is it surprising that they choose to use the one which works with more natural language, rather than entering syntactically-unnatural domain names?
- There is LOADS of anecdotal evidence that most users simply use search engines as a sort of natural language CLI. Shouldn’t we be designing interfaces that work in the way most natural for the majority of users?
These people have better things to do with their days than tweaking out the spacing in their browser toolbars. A computer for them is a utility. One that is increasingly complex, and one that is used because it’s the only option for accomplishing certain things – not because it’s a good option.

It’s kind of like the Photoshop Problem: when people want to crop a picture, we give them Photoshop. Photoshop is a behemoth application with nearly every image editing and touchup function imaginable, and it is terribly complex. Now Photoshop is an impressive tool, but only a very tiny percentage people need the power it offers. The vast majority just want to crop their ex-husband from the photo and let their friends look at it. But even iPhoto, the poster child for Apps So Easy Your Grandparents Can Use Them, continues to pile on features and complexity.

When folks need an elevator, we should give them an elevator, not an airplane. We’ve been giving them airplanes for 30 years, and then laughing at them for being too stupid to fly them right.

I think we’re the stupid ones.
Update
As I said at the start, I wrote this piece a bit off the cuff, so upon further review I think I could have made it a bit clearer. First, a couple great rebuttals I read:
- Reply to Funkatron’s Analysis of the RWW/Facebook Debacle of 2010
- No, We’re Not The Stupid Ones
I posted a comment on Phil Crissman’s blog, which I think explains a bit further what I’m thinking, and addresses the notion that some learning may still be required. To copy and paste myself:

I certainly don’t think that the computer can become (anytime soon) a magic box that determines our whims, nor do I think that people shouldn’t have to learn some things.

What I do think is that the current interface modern OSes on computers provide is simply overwhelming for most users, to the point that it’s very challenging to learn how to accomplish tasks without a very significant investment of time. Driving would be a good example of a task that does require investment of time, but is not so overwhelming that the vast majority of people fundamentally get it wrong: you don’t see people steering with their feet, or accelerating and braking with the radio. I’d argue that modern computer interfaces, in a rush to offer flexibility and capability, make it possible to steer with your hands, feet, teeth, and knees — and don’t make it particularly clear which one is best.
Update 2
Some more responses:
- Really? Are we the idiots?
- Some People Can’t Read URLs
Feel free to forward me others; I think I’ve given up trying to track them down for now.

ha.ckers.org web application security lab

Nevermind, I Was Wrong, Google Is Evil

Posted: February 15th, 2010, 4:07pm CST by RSnake

Tags: Webappsec [edit]

I’ve been waiting a while to do this post - several weeks actually since my original post. In that post, I applauded Google’s apparent interest in reigning censorship as “the first really truly non-evil thing I have seen Google do in years”. Since then, I thought it appropriate to give them some time to sift through the nuances of their blog post - you know, to give them the benefit of the doubt - of which I had many. I’m sure you remember just one month ago when Google was waxing on about how they were going to stop censoring:

We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.

Well, according to The Register:

Google Chief Legal Officer David Drummond never said his company would stop censoring hot-button issues such as the Tiananmen Square massacre of 1989.

If that theory is true Google is essentially saying, “You were too stupid to read our post properly because clearly, our post means that we aren’t able to do so legally, so we’re still going to censor.” If that’s true why would Google wait to clarify such an extremely well publicized fauxpas in their own wording? Maybe they missed all those flowers at the Chinese office. No, I don’t believe that The Register’s theory is true - I think Google sincerely intended to pull out or get more support from the Chinese. However, I believe that Google is being stonewalled by the Chinese government - and for good reason. Google’s demands are impossible to comply with. But we all know that Google and China have been talking for weeks and we haven’t seen any movement other than China’s response to Hillary Clinton saying that they don’t censor (and if anyone still needs proof, email me and I’ll give you instructions on how to see it in action).

Google hasn’t stopped censoring anything, and they haven’t pulled out of China. They asked for a “few weeks” to have those talks, and it has been a few. So now we have to ask the question - does Google actually care about the Chinese people, or is it all about making money for the shareholders. We know that Google censors elsewhere in the world, it’s not just China, yet they’ve not even made mention of those citizens of the other nations. So we have to make the logical connection that Google is just acting in their own self interest and this whole China thing is a distraction from several other major issues, and has nothing to do with the best interest of people who are being censored. So now the real question is did Google do what it sent out to do?

And, so yes bravo, Google. Well done. You snowballed everyone as you stall for time trying to figure out what you want to do with your failing Chinese division. You spanked the Chinese government for hacking into your systems while you drew fire away from your crappy security around your warrant-less wiretapping system that you built into Gmail. So yes, I would have to assess Google’s incredibly calculated decision as a success, but not for the people of China or other censored peoples around the world. It’s back to business as usual at the Googleplex. And so yes, Google, you can keep slinging your ads well into the future. But I have to ask - at what cost?

Tactical Web Application Security

Weekly Round-Up of Hacked Websites (Monday, Feb. 15)

Posted: February 15th, 2010, 3:21pm CST

Tags: [edit]

Submitted by Ryan Barnett 02/15/2010

- 'Jersey Shore' star's website 'hacked' - Most likely compromised passwords on Facebook/Yahoo accounts.

- Federal government website hacked - Seems to be some hacktivism protesting proposed Internet filtering. Not sure of any details of the exact attack vector.

- Prominent Blog hacked - site is [www.blogosin.org] and based on the 500 level error and "Error establishing a database connection" message it looks like the attackers messed up the back-end DB connection.

- Armenian Agos Newspaper's Website Hacked - defacement/hacktivism.

- Orange Regional Website Hacked, Sixty thousand accounts compromised - sql injection.

- TCS website hacked - most likely DNS poisoning/Domain Hijacking.

SecuriTeam Blogs

Google and security. Oil and Water. (Or: How to DoS google groups)

Posted: February 14th, 2010, 10:10pm CST by Aviram

Tags: Web [edit]
The buzz was on about google buzz sharing your list of contacts (which they then quickly fixed in their casual we-did-nothing-wrong-these-are-not-the-droids-you’re-looking-for mind trick).

Readers of this blog remember when google calendar let you see the full name behind every gmail address. At that time, google ignored, then decided there’s nothing wrong with that feature, then fixed it. Only it still works, on other google services. Of course, these aren’t the droids I’m looking for.

Well, here’s a method to DoS a google group user; it was discovered by Shachar Shemesh of lingnu about 18 months ago, who told google and was answered with a strong silence. With google the only disclosure seems to be full-disclosure, so with apologies to you google-group users out there, here is the outline of the attack below.

DoS’ing google groups
Domain-Key is a good method to prevent spam from coming in, as well as preventing unwanted emails from being handled if they are sent through “the wrong” SMTP server.

Google has taken domain-key a step further, with their Domain-Key and Google Groups combo. In this combination, if an email is sent to a Google Groups from an SMTP server who is not listed in the Domain-key record, that email will be banned from writing or accessing the Google Group in question.

The banned user will no longer be able to write or read from that group, will not be able to “undo” this change as emails to Google’s technical support regarding this appear to go unanswered.

From this background, the attack seems clear. A malicious attacker can get pretty much anyone banned from a certain Google Group.

Steps to reproduce:
- Subscribe to a Google group.
- Look for a victim (Anyone posting to the group from a gmail.com account is fair game).
- Configure your email client to send emails with a “From” field that matches this email address, and use an SMTP that is not one of those authorized by the domain key. Your ISP’s SMTP servers will probably suffice.
- Use this configurations to send an email to the group. It doesn’t really matter what the email content is, but I recommend making it look like a genuine email to make is harder to filter (and raise ‘plausible deniability’ in case someone comes asking questions).
As a result:
The victim will be automatically banned from the group.

He or She will receive no notification of that fact: not to the fact he or she was banned, and not even to the fact that the email he or she supposedly sent failed Domain key verification.

The victim will cease to receive emails from the group. They will only find out about it if they try to send an email, at which point they will receive a brief and unhelpful message saying they were banned, with no explanation why and no means to appeal.

Trying to access the group from the web site will result in a “you are banned” message, again, with no helpful information on why the ban was instated nor how to appeal. It is a curious point that even information that is publicly available without registration, such as the group’s archive or description, will be blocked. They will have to sign out of Google to be able to see it(!).

The best means to appeal she is likely to find is “Google Help”, which points to an email address where past experience shows the request email will be unceremoniously ignored, just like Shachar’s email notifying google of this vulnerability.

-

Expose the security holes in your products during development. Black Box Testing makes it safer!

Chris Shiflett

Webstock

Posted: February 12th, 2010, 6:58pm CST

Tags: [edit]

I've been speaking at conferences since 2003, but I've never been as excited about a conference as I am about Webstock. I remember discussing it at the first Kiwi Foo Camp with Natasha Lampard and a few others. I liked the name — I love wordplay — and her enthusiasm was infectious; she wanted to make Webstock extraordinary.

The first Webstock took place just a year prior to that impromptu discussion, and it has quickly become the top web conference around. I first began to realize what a big deal Webstock was when Nat Torkington had this to say about it:

Back home safe, utterly exhausted after Webstock. Best. Conference. Evar.

For those who don't know Nat, he ran OSCON — usually my favorite conference each year — for a decade. He has also been heavily involved in lots of other O'Reilly conferences, including unconferences like Foo Camp and Kiwi Foo Camp. For him to call Webstock the best conference ever is really saying something.

Fast forward to today. I'm sitting in a Starbucks in Los Angeles. The new Vampire Weekend album is playing. 16 hours ago, I began my journey to Wellington, New Zealand, and in another 20 hours, I will land there. (This journey will take a full day and a half.) I've been busy with a really exciting Analog project lately, so I haven't blogged about Webstock yet. If you haven't registered, you should hurry. They were almost sold out a few days ago, so it might already be too late. If you're lucky enough to be going, I hope you'll say hello.

I'm giving a workshop called Evolution of Web Security that combines some of my previous talks with some new material, covering the security spectrum from old to new, technical to social:

This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.

I'm also giving a talk called Security-Centered Design that focuses and expands on some of the material from the workshop:

Security is more than filtering input and escaping output (FIEO), and it's more than cross-site scripting (XSS) and cross-site request forgeries (CSRF). Security isn't even always black and white. In order to create a more secure user experience, we need to understand how people think. Perception is as important as reality, and meeting user expectations is a fundamental of good security. In this multifarious talk, I'll explore topics such as change blindness and ambient signifiers, and I'll show some real-world examples that demonstrate the profound impact human behavior can have on security.

I gave this talk a few times in 2009, and I have updated it for 2010. Although the technical-to-social shift of web security isn't a topic that's being talked about that much yet, the transition is evident in a lot of recent activity, including solutions like OAuth and Facebook Connect. We need more people thinking about how to solve evolving technical and social problems. I don't pretend to have all the answers, but I hope this talk can be a catalyst for more awareness and discussion.

Webstock, here I come!

Sat, 13 Feb 2010 00:58 GMT — Chris Shiflett’s Blog

Tactical Web Application Security

Beware of Web App Sec Puffery

Posted: February 12th, 2010, 8:44am CST

Tags: [edit]
Submitted by Ryan Barnett 02/12/2010
Have you seen that new Dominos pizza commercial about "Puffery?"
Dominos was referencing an appeals court ruling on Papa John’s slogan "better ingredients, better pizza" where it concluded that statement was "puffery." Unfortunately, Puffery is a marketing tactic that is not relegated to the pizza industry. In the web application security market, Puffery abounds... Just read some of the marketing claims on company's websites or the collateral they pass out at vendor expos. How is a consumer supposed to cut through the puffery and get a more accurate assessment of the web application security product at hand?
Application Security Consultant Larry Suto recently published another Dynamic Application Security Testing (DAST) tool evaluation report entitled, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners.” In the report, he compared the vulnerability detection rates of many commercial black-box vulnerability scanners including: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service).
While no evaluation report of this nature will ever obtain 100% consensus on its merits, especially by those reviewees that didn't fair well, the methodology used in this report is pretty good. Using each vendor's public "buggy" web app as targets was interesting as you would think that each vendor would score the best on their own site (they did scan their demo site to verify accuracy, right?) and slightly less on their competitor's. While comparatively speaking, this may have been true, what was really enlightening was the high false negative rates even after the scanners were provided full URL listings and tuned by vendors. Fully understanding the state-of-the-art scanning challenges is critical for users.
So, how does this type of DAST evaluation impact the WAF market? Ofer Shezaf has some great points in his WAFs aren't perfect, but is any security perfect? post where he states the following:
- No single security solution is sufficient. Only combining multiple defense mechanism would provide adequate security, which still does not imply 100%
This is why it is a shame that PCI pits SAST/DAST vs. WAFs in requirement 6.6. It really isn't an "either" situation and most users don't read the 6.6 Supplemental guide which states that PCI recommends "both" options for increased security coverage.
- Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security assuming that the security aspect of the product are performed adequately by all. However Suto's paper shows that this may not be the case.
I have seen many of these issues first hand when working with WAF prospects during RFI/evaluation phases where vendor puffery abounds and prospects assume that the security coverage of each product is equal and this is not the case. Put simply - not all WAF learning systems are created equal. Most end users equate learning with achieving a positive security model for parameter input validation of payloads (size and character class). This is the most basic component that all commercial WAFs should have (WASC WAFEC v2 will tackle these must-have requirements) but a top tier WAF leaning system (such as the Adaption engine in Breach Security's WebDefend product) goes beyond input validation into behavioral profiling which tracks much more meta-data about the proper format and construction of the transactional data. This allows it to identify when request methods and parameter locations change due to CSRF attacks or when there are suddenly multiple parameters with the same name (HTTP Parameter Pollution attacks). Input validation alone will not catch these types of cutting-edge attacks.
- The lack of scrutiny of the security features drive security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provides for testing by the vendor itself.
As the Director of Application Security Research for Breach Security, my main focus is obviously security. Other features are nice and do influence many prospects, but in in my view a WAFs main purpose to to identify and block attacks. It is for this reason that we deployed the ModSecurity/Core Rule Set (CRS) demonstration testing page. Breach is in a unique position in the web application firewall industry. Having an open source product such as ModSecurity in our portfolio allows us to expose our security rules to the public for quality assurance and testing purposes in ways that other WAF vendors cannot. Our goal for this demo page is to leverage the global pool of outstanding web application security experts to help test ModSecurity to make it, and our WebDefend product, better tools for the community at large. Benefits of providing the demonstration testing page include:
- The Core Rule Set is being tested by pen-testing specialists who are experts in breaking into web applications and evading security filtering devices.
- Signature improvements are leveraged back into the entire Breach Security product line including WebDefend. I can tell that having these pentesting consultants bang on the CRS has allowed us to identify a number of evasion issues and update our rules appropriately.
I wouldn't want for these statements to fall into the Puffery category :) so you can check this yourself by reviewing our JIRA ticketing system to get an idea of the types of issues identified and their resolutions. Are there any other WAF vendors that are providing this type of access to their rules development process?
Similar to the conclusions made with vuln scanners, in order to get an accurate testing of a WAF you must deploy it in your environment to verify how it does analyzing your web application traffic. This is the only true way that you will be able to confirm how it does.
Bottom line - don't rely on Puffery claims by a vendor. Test the solution yourself.
Beware of Web App Sec Puffery

Posted: February 12th, 2010, 8:44am CST

Tags: [edit]
Submitted by Ryan Barnett 02/12/2010
Have you seen that new Dominos pizza commercial about "Puffery?"
Dominos was referencing an appeals court ruling on Papa John’s slogan "better ingredients, better pizza" where it concluded that statement was "puffery." Unfortunately, Puffery is a marketing tactic that is not relegated to the pizza industry. In the web application security market, Puffery abounds... Just read some of the marketing claims on company's websites or the collateral they pass out at vendor expos. How is a consumer supposed to cut through the puffery and get a more accurate assessment of the web application security product at hand?
Application Security Consultant Larry Suto recently published another Dynamic Application Security Testing (DAST) tool evaluation report entitled, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners.” In the report, he compared the vulnerability detection rates of many commercial black-box vulnerability scanners including: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service).
While no evaluation report of this nature will ever obtain 100% consensus on its merits, especially by those reviewees that didn't fair well, the methodology used in this report is pretty good. Using each vendor's public "buggy" web app as targets was interesting as you would think that each vendor would score the best on their own site (they did scan their demo site to verify accuracy, right?) and slightly less on their competitor's. While comparatively speaking, this may have been true, what was really enlightening was the high false negative rates even after the scanners were provided full URL listings and tuned by vendors. Fully understanding the state-of-the-art scanning challenges is critical for users.
So, how does this type of DAST evaluation impact the WAF market? Ofer Shezaf has some great points in his WAFs aren't perfect, but is any security perfect? post where he states the following:
- No single security solution is sufficient. Only combining multiple defense mechanism would provide adequate security, which still does not imply 100%
This is why it is a shame that PCI pits SAST/DAST vs. WAFs in requirement 6.6. It really isn't an "either" situation and most users don't read the 6.6 Supplemental guide which states that PCI recommends "both" options for increased security coverage.
- Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security assuming that the security aspect of the product are performed adequately by all. However Suto's paper shows that this may not be the case.
I have seen many of these issues first hand when working with WAF prospects during RFI/evaluation phases where vendor puffery abounds and prospects assume that the security coverage of each product is equal and this is not the case. Put simply - not all WAF learning systems are created equal. Most end users equate learning with achieving a positive security model for parameter input validation of payloads (size and character class). This is the most basic component that all commercial WAFs should have (WASC WAFEC v2 will tackle these must-have requirements) but a top tier WAF leaning system (such as the Adaption engine in Breach Security's WebDefend product) goes beyond input validation into behavioral profiling which tracks much more meta-data about the proper format and construction of the transactional data. This allows it to identify when request methods and parameter locations change due to CSRF attacks or when there are suddenly multiple parameters with the same name (HTTP Parameter Pollution attacks). Input validation alone will not catch these types of cutting-edge attacks.
- The lack of scrutiny of the security features drive security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provides for testing by the vendor itself.
As the Director of Application Security Research for Breach Security, my main focus is obviously security. Other features are nice and do influence many prospects, but in in my view a WAFs main purpose to to identify and block attacks. It is for this reason that we deployed the ModSecurity/Core Rule Set (CRS) demonstration testing page. Breach is in a unique position in the web application firewall industry. Having an open source product such as ModSecurity in our portfolio allows us to expose our security rules to the public for quality assurance and testing purposes in ways that other WAF vendors cannot. Our goal for this demo page is to leverage the global pool of outstanding web application security experts to help test ModSecurity to make it, and our WebDefend product, better tools for the community at large. Benefits of providing the demonstration testing page include:
- The Core Rule Set is being tested by pen-testing specialists who are experts in breaking into web applications and evading security filtering devices.
- Signature improvements are leveraged back into the entire Breach Security product line including WebDefend. I can tell that having these pentesting consultants bang on the CRS has allowed us to identify a number of evasion issues and update our rules appropriately.
I wouldn't want for these statements to fall into the Puffery category :) so you can check this yourself by reviewing our JIRA ticketing system to get an idea of the types of issues identified and their resolutions. Are there any other WAF vendors that are providing this type of access to their rules development process?
Similar to the conclusions made with vuln scanners, in order to get an accurate testing of a WAF you must deploy it in your environment to verify how it does analyzing your web application traffic. This is the only true way that you will be able to confirm how it does.
Bottom line - don't rely on Puffery claims by a vendor. Test the solution yourself.
Beware of Web App Sec Puffery

Posted: February 12th, 2010, 8:44am CST

Tags: [edit]
Submitted by Ryan Barnett 02/12/2010
Have you seen that new Dominos pizza commercial about "Puffery?"
Dominos was referencing an appeals court ruling on Papa John’s slogan "better ingredients, better pizza" where it concluded that statement was "puffery." Unfortunately, Puffery is a marketing tactic that is not relegated to the pizza industry. In the web application security market, Puffery abounds... Just read some of the marketing claims on company's websites or the collateral they pass out at vendor expos. How is a consumer supposed to cut through the puffery and get a more accurate assessment of the web application security product at hand?
Application Security Consultant Larry Suto recently published another Dynamic Application Security Testing (DAST) tool evaluation report entitled, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners.” In the report, he compared the vulnerability detection rates of many commercial black-box vulnerability scanners including: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service).
While no evaluation report of this nature will ever obtain 100% consensus on its merits, especially by those reviewees that didn't fair well, the methodology used in this report is pretty good. Using each vendor's public "buggy" web app as targets was interesting as you would think that each vendor would score the best on their own site (they did scan their demo site to verify accuracy, right?) and slightly less on their competitor's. While comparatively speaking, this may have been true, what was really enlightening was the high false negative rates even after the scanners were provided full URL listings and tuned by vendors. Fully understanding the state-of-the-art scanning challenges is critical for users.
So, how does this type of DAST evaluation impact the WAF market? Ofer Shezaf has some great points in his WAFs aren't perfect, but is any security perfect? post where he states the following:
- No single security solution is sufficient. Only combining multiple defense mechanism would provide adequate security, which still does not imply 100%
This is why it is a shame that PCI pits SAST/DAST vs. WAFs in requirement 6.6. It really isn't an "either" situation and most users don't read the 6.6 Supplemental guide which states that PCI recommends "both" options for increased security coverage.
- Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security assuming that the security aspect of the product are performed adequately by all. However Suto's paper shows that this may not be the case.
I have seen many of these issues first hand when working with WAF prospects during RFI/evaluation phases where vendor puffery abounds and prospects assume that the security coverage of each product is equal and this is not the case. Put simply - not all WAF learning systems are created equal. Most end users equate learning with achieving a positive security model for parameter input validation of payloads (size and character class). This is the most basic component that all commercial WAFs should have (WASC WAFEC v2 will tackle these must-have requirements) but a top tier WAF leaning system (such as the Adaption engine in Breach Security's WebDefend product) goes beyond input validation into behavioral profiling which tracks much more meta-data about the proper format and construction of the transactional data. This allows it to identify when request methods and parameter locations change due to CSRF attacks or when there are suddenly multiple parameters with the same name (HTTP Parameter Pollution attacks). Input validation alone will not catch these types of cutting-edge attacks.
- The lack of scrutiny of the security features drive security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provides for testing by the vendor itself.
As the Director of Application Security Research for Breach Security, my main focus is obviously security. Other features are nice and do influence many prospects, but in in my view a WAFs main purpose to to identify and block attacks. It is for this reason that we deployed the ModSecurity/Core Rule Set (CRS) demonstration testing page. Breach is in a unique position in the web application firewall industry. Having an open source product such as ModSecurity in our portfolio allows us to expose our security rules to the public for quality assurance and testing purposes in ways that other WAF vendors cannot. Our goal for this demo page is to leverage the global pool of outstanding web application security experts to help test ModSecurity to make it, and our WebDefend product, better tools for the community at large. Benefits of providing the demonstration testing page include:
- The Core Rule Set is being tested by pen-testing specialists who are experts in breaking into web applications and evading security filtering devices.
- Signature improvements are leveraged back into the entire Breach Security product line including WebDefend. I can tell that having these pentesting consultants bang on the CRS has allowed us to identify a number of evasion issues and update our rules appropriately.
I wouldn't want for these statements to fall into the Puffery category :) so you can check this yourself by reviewing our JIRA ticketing system to get an idea of the types of issues identified and their resolutions. Are there any other WAF vendors that are providing this type of access to their rules development process?
Similar to the conclusions made with vuln scanners, in order to get an accurate testing of a WAF you must deploy it in your environment to verify how it does analyzing your web application traffic. This is the only true way that you will be able to confirm how it does.
Bottom line - don't rely on Puffery claims by a vendor. Test the solution yourself.
Beware of Web App Sec Puffery

Posted: February 12th, 2010, 8:44am CST

Tags: [edit]
Submitted by Ryan Barnett 02/12/2010
Have you seen that new Dominos pizza commercial about "Puffery?"
Dominos was referencing an appeals court ruling on Papa John’s slogan "better ingredients, better pizza" where it concluded that statement was "puffery." Unfortunately, Puffery is a marketing tactic that is not relegated to the pizza industry. In the web application security market, Puffery abounds... Just read some of the marketing claims on company's websites or the collateral they pass out at vendor expos. How is a consumer supposed to cut through the puffery and get a more accurate assessment of the web application security product at hand?
Application Security Consultant Larry Suto recently published another Dynamic Application Security Testing (DAST) tool evaluation report entitled, “Analyzing the Accuracy and Time Costs of Web Application Security Scanners.” In the report, he compared the vulnerability detection rates of many commercial black-box vulnerability scanners including: Acunetix, IBM AppScan, BurpSuitePro, Cenzic Hailstorm, HP WebInspect, NTOSpider, and Qualys WAS (Software-as-a-Service).
While no evaluation report of this nature will ever obtain 100% consensus on its merits, especially by those reviewees that didn't fair well, the methodology used in this report is pretty good. Using each vendor's public "buggy" web app as targets was interesting as you would think that each vendor would score the best on their own site (they did scan their demo site to verify accuracy, right?) and slightly less on their competitor's. While comparatively speaking, this may have been true, what was really enlightening was the high false negative rates even after the scanners were provided full URL listings and tuned by vendors. Fully understanding the state-of-the-art scanning challenges is critical for users.
So, how does this type of DAST evaluation impact the WAF market? Ofer Shezaf has some great points in his WAFs aren't perfect, but is any security perfect? post where he states the following:
- No single security solution is sufficient. Only combining multiple defense mechanism would provide adequate security, which still does not imply 100%
This is why it is a shame that PCI pits SAST/DAST vs. WAFs in requirement 6.6. It really isn't an "either" situation and most users don't read the 6.6 Supplemental guide which states that PCI recommends "both" options for increased security coverage.
- Security products do differ in the security functionality they provide. Many times customers select security products according to every other feature but security assuming that the security aspect of the product are performed adequately by all. However Suto's paper shows that this may not be the case.
I have seen many of these issues first hand when working with WAF prospects during RFI/evaluation phases where vendor puffery abounds and prospects assume that the security coverage of each product is equal and this is not the case. Put simply - not all WAF learning systems are created equal. Most end users equate learning with achieving a positive security model for parameter input validation of payloads (size and character class). This is the most basic component that all commercial WAFs should have (WASC WAFEC v2 will tackle these must-have requirements) but a top tier WAF leaning system (such as the Adaption engine in Breach Security's WebDefend product) goes beyond input validation into behavioral profiling which tracks much more meta-data about the proper format and construction of the transactional data. This allows it to identify when request methods and parameter locations change due to CSRF attacks or when there are suddenly multiple parameters with the same name (HTTP Parameter Pollution attacks). Input validation alone will not catch these types of cutting-edge attacks.
- The lack of scrutiny of the security features drive security vendors to neglect security and focus on other areas such as GUI, reporting or manageability. This is shown in its extreme by the inability of some scanners to find existing vulnerabilities in sites provides for testing by the vendor itself.
As the Director of Application Security Research for Breach Security, my main focus is obviously security. Other features are nice and do influence many prospects, but in in my view a WAFs main purpose to to identify and block attacks. It is for this reason that we deployed the ModSecurity/Core Rule Set (CRS) demonstration testing page. Breach is in a unique position in the web application firewall industry. Having an open source product such as ModSecurity in our portfolio allows us to expose our security rules to the public for quality assurance and testing purposes in ways that other WAF vendors cannot. Our goal for this demo page is to leverage the global pool of outstanding web application security experts to help test ModSecurity to make it, and our WebDefend product, better tools for the community at large. Benefits of providing the demonstration testing page include:
- The Core Rule Set is being tested by pen-testing specialists who are experts in breaking into web applications and evading security filtering devices.
- Signature improvements are leveraged back into the entire Breach Security product line including WebDefend. I can tell that having these pentesting consultants bang on the CRS has allowed us to identify a number of evasion issues and update our rules appropriately.
I wouldn't want for these statements to fall into the Puffery category :) so you can check this yourself by reviewing our JIRA ticketing system to get an idea of the types of issues identified and their resolutions. Are there any other WAF vendors that are providing this type of access to their rules development process?
Similar to the conclusions made with vuln scanners, in order to get an accurate testing of a WAF you must deploy it in your environment to verify how it does analyzing your web application traffic. This is the only true way that you will be able to confirm how it does.
Bottom line - don't rely on Puffery claims by a vendor. Test the solution yourself.

funkatron.com

Links for 2010-02-11 [del.icio.us]

Posted: February 12th, 2010, 2:00am CST

Tags: [edit]
- wattz.net :: programming, design, and wtf ever
  "a simple library I created to generate html forms using pure javascript. Modeled closely after Django forms, jsforms allows you to create forms using only js syntax."
- js-forms - Project Hosting on Google Code
  "A JavaScript port of Django's awesome form display and validation library"
- Iconic Icon Set – 103 icons in raster and vector format — Some Random Dude
  "Iconic is a minimal set of icons consisting of 103 marks in raster and vector formats — free for public use."

Jeremiah Grossman

Best of Application Security (Friday, Feb. 12)

Posted: February 12th, 2010, 1:41am CST by Jeremiah Grossman

Tags: [edit]
Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
WhiteHat Security is a leading provider of website security services.
Best of Application Security (Friday, Feb. 12)

Posted: February 12th, 2010, 1:41am CST by Jeremiah Grossman

Tags: [edit]
Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week -- in no particular order.
WhiteHat Security is a leading provider of website security services.

← General Security →

My Security Planet » WebSecurity

Feeds

WebSecurity

Posted: March 9th, 2010, 10:10am CST

Tags: [edit]

Posted: March 9th, 2010, 2:00am CST

Tags: [edit]

Posted: March 8th, 2010, 10:45am CST by RSnake

Tags: General News [edit]

Posted: March 7th, 2010, 9:20am CST by Jeremiah Grossman

Tags: [edit]

Posted: March 6th, 2010, 8:43am CST

Tags: [edit]

Posted: March 4th, 2010, 11:31am CST by Robert A.

Tags: Cryptography [edit]

Posted: March 4th, 2010, 9:44am CST by BlueHat

Tags: [edit]

Posted: March 4th, 2010, 5:10am CST by Gareth Heyes

Tags: Security [edit]

Posted: March 3rd, 2010, 1:00pm CST by Aviram

Tags: Web [edit]

Posted: March 3rd, 2010, 11:58am CST

Tags: [edit]

Posted: March 2nd, 2010, 11:36pm CST by Jay

Tags: [edit]

Posted: March 2nd, 2010, 3:10pm CST

Tags: [edit]

Posted: March 2nd, 2010, 8:40am CST

Tags: [edit]

Posted: March 2nd, 2010, 2:00am CST

Tags: [edit]

Posted: March 1st, 2010, 2:06pm CST

Tags: [edit]

Posted: March 1st, 2010, 11:30am CST by Robert A.

Tags: Announcements [edit]

Posted: March 1st, 2010, 11:28am CST by Robert A.

Tags: Announcements [edit]

Posted: February 26th, 2010, 3:10pm CST by RSnake

Tags: xss [edit]

Posted: February 26th, 2010, 1:46am CST by Jeremiah Grossman

Tags: [edit]

Posted: February 24th, 2010, 12:19pm CST by RSnake

Tags: General News [edit]

Posted: February 24th, 2010, 11:26am CST by Robert A.

Tags: Funny [edit]

Posted: February 24th, 2010, 1:18am CST by pagvac

Tags: Blog [edit]

Posted: February 22nd, 2010, 5:03pm CST

Tags: [edit]

Posted: February 22nd, 2010, 4:32pm CST by Robert A.

Tags: IndustryNews [edit]

Posted: February 22nd, 2010, 3:41pm CST by Philipp

Tags: Advisories [edit]

Posted: February 22nd, 2010, 8:50am CST

Tags: [edit]

Posted: February 20th, 2010, 3:08pm CST by pagvac

Tags: Blog [edit]

Posted: February 19th, 2010, 6:08am CST by Jeremiah Grossman

Tags: [edit]

Posted: February 19th, 2010, 2:00am CST

Tags: [edit]

Posted: February 19th, 2010, 1:13am CST by Jeremiah Grossman

Tags: [edit]

Posted: February 18th, 2010, 10:31am CST by Jeremiah Grossman

Tags: [edit]

Posted: February 18th, 2010, 7:32am CST by Jeremiah Grossman

Tags: [edit]

Posted: February 17th, 2010, 12:10pm CST by Robert A.

Tags: IndustryNews [edit]

Posted: February 16th, 2010, 1:17pm CST by RSnake

Tags: xss [edit]

Posted: February 16th, 2010, 1:05pm CST by Robert A.

Tags: Announcements [edit]

Posted: February 16th, 2010, 12:40pm CST

Tags: [edit]

Posted: February 16th, 2010, 12:04pm CST by BlueHat

Tags: [edit]