tag:typepad.com,2003:weblog-1694854 2012-01-07T23:11:50-08:00 All things related to website, database, SDL, and application security since 2000. CGISecurity tag:typepad.com,2003:post-6a00e553aa1a288833015437d07740970c 2012-01-07T23:11:50-08:00 2012-01-08T21:36:59-08:00

I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work. Unfortunately it seems that this wasn't taught to at least 3 people who...

Robert A. http://www.cgisecurity.com/2012/01/detecting-plagiarism-with-google-and-book-search.html tag:typepad.com,2003:post-6a00e553aa1a288833015434107d2b970c 2011-07-28T13:25:19-07:00 2011-07-28T14:32:48-07:00

A couple of people had asked me what are some things that you can do prior to attending hacker cons such as Blackhat and Defcon. Kurt Cobain said it best "Just because you're paranoid, doesn't mean they're not after you'. Here's a short list (albeit not complete as I don't plan to...

Robert A. http://www.cgisecurity.com/2011/07/quick-defconblackhat-preperation-list.html tag:typepad.com,2003:post-6a00e553aa1a28883301543409c1d8970c 2011-07-27T10:03:26-07:00 2011-07-27T10:03:26-07:00

Ray "Vanhalen" Kelly has written a post describing the security mechanisms used by Google+, as well as compares them to facebook. In particular he reviews each HTTP protection header and provides a good explanation of the purpose of each protection. Link: http://www.barracudalabs.com/wordpress/index.php/2011/07/21/google-gets-a-1-for-browser-security-3/

Robert A. http://www.cgisecurity.com/2011/07/summary-of-google-browser-security-protections.html tag:typepad.com,2003:post-6a00e553aa1a2888330153901404c9970b 2011-07-21T13:51:40-07:00 2011-07-21T13:51:40-07:00

Anant Shrivastava has posted a whitepaper providing a rundown of application fingerprinting methodologies, as well as comparisons of various tools such as W3af, BlindElephant, and Wapplyzer. "This Paper discusses about a relatively nascent field of Web Application finger printing, how automated web application fingerprinting is performed in the current scenarios, what are...

Robert A. http://www.cgisecurity.com/2011/07/paper-web-application-finger-printing-methodstechniques-and-prevention.html tag:typepad.com,2003:post-6a00e553aa1a288833014e899fad3a970d 2011-07-05T15:21:44-07:00 2011-07-05T15:21:44-07:00

Someone has published a SQL Injection in labs.oracle.com at http://www.thehackernews.com/2011/07/oracle-website-vulnerable-to-sql.html . That is all.

Robert A. http://www.cgisecurity.com/2011/07/oracle-website-vulnerable-to-sql-injection.html tag:typepad.com,2003:post-6a00e553aa1a288833014e896db9c3970d 2011-06-27T12:26:08-07:00 2011-06-27T12:42:14-07:00

I sent the following out to The Web Security Mailing List (which I moderate) announcing a new WASC Project. "The Web Application Security Consortium is pleased to announce a new project "Static Analysis Tool Evaluation Criteria (SATEC)". Currently WASC is seeking volunteers from various sections of the community including security researchers, academics,...

Robert A. http://www.cgisecurity.com/2011/06/wasc-announcement-static-analysis-tool-evaluation-criteria-call-for-participants.html tag:typepad.com,2003:post-6a00e553aa1a28883301538eb65af4970b 2011-05-25T09:53:19-07:00 2011-06-22T16:45:32-07:00

Ivan Ristic (of modsecurity fame) has published the results of an evaluation against over 900,000 websites supporting SSL. The goal of this evaluation was to see how people really use/misuse ssl in the wild, as well as report on the usage of browser protections such as the Secure cookie flag, and Strict-Transport-Security....

Robert A. http://www.cgisecurity.com/2011/05/results-of-internet-ssl-usage-published-by-ssl-labs.html tag:typepad.com,2003:post-6a00e553aa1a28883301543289377f970c 2011-05-25T09:37:38-07:00 2011-05-25T09:38:17-07:00

Rosario Valotta has published an interesting attack against IE that takes advantage of clickjacking. In a nutshell it combines origin flaws within IE with clickjacking to trick a user into copying/pasting their own cookies from any site! Demonstration below The technical details can be found at https://sites.google.com/site/tentacoloviola/cookiejacking and his slides at https://docs.google.com/viewer?a=v&pid=sites&srcid=ZGVmYXVsdGRvbWFpbnx0ZW50YWNvbG92aW9sYXxneDoxMWJlZTI5ZjVhYjdiODQx

Robert A. http://www.cgisecurity.com/2011/05/another-use-of-clickjacking-cookiejacking.html tag:typepad.com,2003:post-6a00e553aa1a2888330147e3a522f6970b 2011-03-31T10:17:06-07:00 2011-03-31T10:17:14-07:00

NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...

Robert A. http://www.cgisecurity.com/2011/03/nist-publishes-50kish-vulnerable-code-samples-in-javacc-is-officially-krad.html tag:typepad.com,2003:post-6a00e553aa1a288833014e6009a5d5970c 2011-03-22T12:23:50-07:00 2011-03-22T12:31:34-07:00

"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't...

Robert A. http://www.cgisecurity.com/2011/03/how-not-to-publish-a-security-advisory.html