June 2006 - Posts

Common Misconceptions in Web Application Security, Part 2
28 June 06 03:03 PM | Erik | 2 Comments   
In Part 1 of this thread, I mentioned how there were a number of people that had misconceptions about Web Application Security, especially Cross-site scripting (XSS). Last week, a blog called Neosmart posted an article on why XSS is not a vulnerability.
How Poor Code Leads to Possible Identity Theft
19 June 06 04:49 PM | LabsMan | 0 Comments   
Recently, while assessing a web application through an assessment services engagement, SPI Labs discovered a vulnerability that would allow attackers to guess the social security number of individuals if the attacker had basic information about someone.
XSS+Ajax worm attacking Yahoo mail users
13 June 06 04:58 PM | Billy | 0 Comments   
At the beginning of the week, Yahoo was attacked by a worm that propagates using nothing but JavaScript and Ajax. I've been giving interviews to the press all day and talked with the FBI about the worm, so let me take a moment to fill you all in.
Attachment(s): Yamanner.js - ROT13.txt
MasterCard abandons PCI security standard
09 June 06 04:52 PM | Billy | 0 Comments   
The two largest credit card companies in the world, Visa and MasterCard, created a standard to enforce security on all merchants that allow for payments via Visa or MasterCard. In March of this year, MasterCard removed almost all of the requirements for
Massive defacing of GoDaddy sites
01 June 06 02:01 PM | Billy | 1 Comments   
Last week saw the largest single attack in history against web applications. A Turkish defacer named Iskorpitx defaced over 21,000 websites in only a few hours. How did he accomplish this? All of the sites that were defaced were hosted by a single provider,