Blog Posts Tagged with "XSS"
February 17, 2012 Added by:Headlines
ICS-CERT received reports of eighteen vulnerabilities in BroadWin WebAccess. These vulnerabilities include Cross-site scripting (XSS), SQL injection, Cross-site report forgery (CSRF)and Authentication issues. Public exploits are known to target these vulnerabilities...
February 11, 2012 Added by:Brent Huston
Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web-applications invulnerable to such attacks. Done wrongly, they are little more than a false sense of security...
February 09, 2012 Added by:Headlines
Researchers Billy Rios and Terry McCorkle have identified cross-site scripting (XSS) and write access violation vulnerabilities in the Invensys Wonderware HMI reports product that could result in data leakage, denial of service, or remote code execution...
February 07, 2012 Added by:Gary McCully
In attempts to prevent XSS attacks many organizations block or HTML encode special characters (<, >, "). In order to be fair I will admit that this prevents many successful XSS attacks, but at the end of the day many of these web applications are still vulnerable to XSS...
January 31, 2012 Added by:Gary McCully
Many companies that configure web application firewalls do not truly understand the web application attacks they are trying to prevent. Thus, in many cases, we have poorly coded web applications with poorly configured web application firewalls "protecting" them...
January 25, 2012 Added by:Headlines
A XSS vulnerability exists in the Ocean Data Dream Report application due to the lack of server-side validation of query string parameter values. An attacker with a low skill level can create the XSS exploit. A write access violation vulnerability also exists in the application...
January 18, 2012 Added by:Headlines
A cross-site scripting vulnerability exists in the Cogent DataHub application because it lacks server-side validation of query string parameter values. Attacks require that a user visit a URL which injects client-side scripts into the server’s HTTP response...
January 09, 2012 Added by:Shay Chen
Many CSRF prevention mechanisms protect the user by requiring session-specific tokens or custom headers as additional input for action performing modules, and since "normal" CSRF can't analyze responses, these mechanisms prevent most of these attacks - until now...
January 09, 2012 Added by:Fergal Glynn
Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium...
December 27, 2011 Added by:Brent Huston
While this service finds a number of issues and potential holes, we caution against using it in place of a full application assessment or penetration test if the web application in question processes critical or highly sensitive information...
December 09, 2011 Added by:Headlines
"HTML 5 applications use DOM extensively and dynamically change content via XHR calls. DOM manipulation is done by several different DOM-based calls and poor implementation allows DOM-based injections. These injections can lead to a set of possible attacks and exploits..."
November 22, 2011 Added by:Alexander Polyakov
This month ERPScan specialists published eight vulnerabilities of different criticality found in SAP products. The vulnerabilities represented almost all risks from the OWASP Top 10, from path traversal and XSS to authorization bypass and code injection...
September 22, 2011 Added by:Headlines
"One of these vulnerabilities is being exploited in the wild in active targeted attacks... This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website..."
June 12, 2011 Added by:Mike Meikle
Development for online banking software is handled offshore, which can be a challenge when it comes to infusing the application with information security best practices from the foundation up. As to what Citigroup could have done better, it depends on how the breach was perpetrated...
June 03, 2011 Added by:Rafal Los
Holding a vendor accountable is understandable, since that is their primary business. There's really no excuse when a vendor of security products gets exploited or has a publicly disclosed exploit... well, sort of right? In the final analysis, what is it really all about?
March 31, 2011 Added by:Rafal Los
Things like Cross Site Scripting (XSS), SQL Injection, buffer overflow, access violation, race conditions and other variations are tested for using static analysis, dynamic analysis and some of the forthcoming hybrid technology. As an industry we're getting better at pattern-based security testing...
Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013
ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013
New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013