Showing 15 results for: April 2011

Reaching Trustwave's WebDefend Minus World

So my inbox lit up today with a Full Disclosure note about a vulnerability in Trustwave's WebDefend. The thing is, while it's an interesting way to get a shell on the box, it's really not "Privilege Escalation" as the poster...

Who's in the Driver's Seat?

Events over the last seven days have dramatically underlined the pitfalls and difficulties of online security to consumers. To kick off, we had the news that both Apple's iPhone and Google's Droid were keeping rather too much data on their...

Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project. WHID 2011-84: Hackers access personal info of Lancaster County students Entry Title: WHID 2011-84: Hackers access personal info of Lancaster County...

ModSecurity Advanced Topic of the Week: Integrating IDS Signatures

Snort Web Attack Rules You may be familiar with the Emerging Threats project. They have a few Snort rules files related to known web application vulnerabilities and attacks: emerging-web_server.rules emerging-web_specific_apps.rules Identifying attacks against known vulnerabilities does have value in the...

Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project. WHID 2011-72: WordPress Hack Could Put Premium Users at Risk WHID ID: 2011-72 Date Occurred: April 13, 2011 Attack...

ModSecurity 2.6.0-rc1 is now available

The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.6.0-rc1 Release (www.modsecurity.org). This is the first release from the 2.6 branch which improves on the functionality of ModSecurity and introduces some new features. Some highlights: Google Safe-Browsing...

Securing the Fifth Domain

In May 2010, the final disappearance of the line between physical and virtual security became official when Defense Secretary Robert Gates announced the activation of the U.S. Cyber Command, or CYBERCOM. Cyberspace, Gates declared, was the fifth domain of security,...

Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project. WHID 2011-67: Hackers attack iTunes Entry Title: WHID 2011-67: Hackers attack iTunes WHID ID: 2011-67 Date Occurred: April 4,...

CSS and XSS in Melodious Harmony

Web application penetration testers, have you ever run into a situation where you can inject into the attribute of a tag and break out of the attribute, but not the tag? For those who can only <script>alert('XSS')</script> this is a...
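The scenario the teaser describes, as an added example that is not code from the SpiderLabs post: user input lands inside a tag attribute, the application encodes `<` and `>` so no new tag can be opened, but the attribute's closing quote survives. The weak encoder here is a hypothetical stand-in for that behaviour; the payload names, the `render` template and the tiny attribute tokenizer are all constructed for the demo. It shows that a quote-led payload adds an attribute of the attacker's choosing (an event handler, or a `style` attribute, which is the CSS direction the post's title points at; what the post does from there is not on this page), while an encoder that also neutralises quotes leaves the payload inert.

```javascript
// Added example, not the post's code. Models "break out of the attribute,
// but not the tag": tag delimiters are encoded, quotes are not.

// Hypothetical weak encoder: neutralises only tag delimiters.
function encodeTagsOnly(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute-context encoder: also neutralises both quote characters, so a
// payload can never terminate the attribute value it sits in.
function encodeAttr(s) {
  return encodeTagsOnly(s).replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}

// Server-side template (constructed) that reflects a search term into a
// value attribute.
function render(encoder, term) {
  return '<input type="text" name="q" value="' + encoder(term) + '">';
}

// Tiny tokenizer for one start tag (demo only, not an HTML parser): returns
// the attribute names in source order, or null if the markup is not a
// single tag. A new tag would make the markup fail the single-tag check.
function attributeNames(markup) {
  const m = markup.match(/^<\w+([^>]*)>$/);
  if (!m) return null;
  const names = [];
  const attr = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let a;
  while ((a = attr.exec(m[1])) !== null) names.push(a[1].toLowerCase());
  return names;
}

// Attributes the template is supposed to emit.
const EXPECTED = ['type', 'name', 'value'];

// Names of any attributes the payload managed to add beyond the template's own.
function injectedAttributes(encoder, payload) {
  const names = attributeNames(render(encoder, payload));
  return names === null ? null : names.filter((n) => !EXPECTED.includes(n));
}

// Constructed payloads. The first two close the attribute and start a new
// one (an event handler, or a style attribute as a CSS-based follow-up).
// The third tries to open a new tag and is stopped by delimiter encoding.
const PAYLOADS = {
  eventHandler: '" onmouseover="alert(1)',
  styleAttr: '" style="background:url(x)',
  newTag: '<script>alert(1)</script>',
};

for (const [name, p] of Object.entries(PAYLOADS)) {
  console.log(
    name.padEnd(13),
    'tags-only:', JSON.stringify(injectedAttributes(encodeTagsOnly, p)),
    'attr-encoded:', JSON.stringify(injectedAttributes(encodeAttr, p)),
  );
}
```

The takeaway for the tester is that the check to run in this situation is not "can I get a `<` through" but "which characters survive inside the attribute": a surviving quote is enough to add an event handler or a `style` attribute, and only the quote-aware encoder closes that off.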

Analysis of LizaMoon: Stored XSS via SQL Injection

Blended Attacks More and more of today's web application attacks are leveraging multiple weaknesses, vulnerabilities and attack methods in order to achieve a desired exploitation outcome. It is becoming more and more difficult to neatly place an attack into one...

Latest Web Hacking Incident Database (WHID) Entries

These are the latest entries added by SpiderLabs to the Web Application Security Consortium (WASC) Web Hacking Incident Database (WHID) Project. WHID 2011-61: LizaMoon Mass SQL Injection Attack Points to Rogue AV Site Entry Title: WHID 2011-61: LizaMoon Mass SQL...