Showing 43 results for: 2013 ×Application Security ×

The Case of an Obscure Injection

During a recent application penetration test, I came across what proved to be an interesting SQL Injection (SQLi) vulnerability. This case of SQLi was interesting for a couple reasons: The challenges that it presented during exploitation The Database Management System...

Exploiting Password Recovery Functionalities

Password recovery functionalities can result in vulnerabilities in the same application they are intended to protect. Vulnerabilities such as username enumeration (showing different error messages when the user exists or not in the database), sensitive information disclosure (sending the password...

Vulnerability in RiskNet Acquirer (TWSL2013-031)

Last week we released an advisory for a vulnerability discovered in the RiskNet Acquirer application. This software is a fraud management solution developed to protect major financial institutions including banks and payment processors. RiskNet Acquirer is what we often refer...

PHP.Net Site Infected with Malware

Earlier today, users attempting to access the www.php.net site were met with malware warnings from Google's Safe Browsing plugins in Chrome/FireFox and other browsers - So, what was the problem? Malware Redirection Details Google's SafeBrowsing currently lists the following for...

Card Data Siphon with Google Analytics

The introduction of EMV (Chip & Pin) payment devices in 2003 resulted in a rapid decline in physical credit card cloning in Europe. EMV technology has also led to an increase in attacks on e-commerce systems targeting cardholder data. Each...

Hiding Webshell Backdoor Code in Image Files

Looks Can Be Deceiving Do any of these pictures look suspicious? First appearances may be deceiving... Web attackers have have been using a method of stashing pieces of their PHP backdoor exploit code within the meta-data headers of these image...

AV Vendors Targeted in Defacement Campaign

Attacked Sites The KDMS hacking team recently defaced several popular websites include Whatsapp.com and two Anti-Virus (AV) vendors AVG and Avira. Attack Vectors The most likely attack vector is that the attackers were able to take control of the Domains...

ModSecurity for Java - BETA Testers Needed

Over the course of the summer of 2013, the ModSecurity team participated in Google's Summer of Code (GSoC) program through OWASP. We helped by mentoring Mihai Pitu who developed a port of ModSecurity for Java! The main problem this project...

ModSecurity XSS Evasion Challenge Results

On July 30th, we announced our public ModSecurity XSS Evasion Challenge. This blog post will provide an overview of the challenge and results. Value of Community Testing First of all, I would like to thank all those people that participated...

Trust for Sale

Let's, for a moment, get into the mind of a cyber criminal: Say you have a malicious executable that steals sensitive data (credit card numbers, credentials, etc.), which you would like to execute on compromised computers. You put lots of...

Vino VNC Server Remote Persistent DoS Vulnerability

Last week, I was making some performance enhancements to the VNC protocol implementations in the TrustKeeper Scanning Engine. Unfortunately, in my mission to "Go Fast!", I managed to trigger a Denial of Service (DoS) vulnerability in Vino. Vino is the...

The Web IS Vulnerable: XSS on the Battlefront (Part 1)

<script> //<![CDATA[ var str1 = &quot;http://&quot;; var str2 = &quot;www.modsecurity.org&quot;; var str3 = &quot;/beacon.html&quot;; var result = str1 + str2 + str3; window.location=result //]]>// </script> For those of you who were not able to make it to our talk at Blackhat USA, this...

The Way of the Cryptologist

Right before DEF CON, a friend of mine reached out to me to ask if I would write a crypto challenge for his CTF. While it was a busy time for me, I didn't want to pass up the chance...

Fun with 'Active Defense'

Active Defense is steadily becoming a popular trend in the security field, both in a theoretical and practical approach. From its humble beginnings it has made its way to a fully functional software implementations that aim at making your attacker's...

Announcing the ModSecurity XSS Evasion Challenge

The SpiderLabs Research Team is pleased to announce the release of the ModSecurity XSS Evasion Challenge for the community. The purpose of this challenge is to show possible XSS defenses by using ModSecurity and to identify any weaknesses. Challenge Setup...