Blog Posts Tagged with "XSS"
ICS-CERT: Advantech Webaccess Multiple Vulnerabilities
February 17, 2012 Added by:Headlines
ICS-CERT received reports of eighteen vulnerabilities in BroadWin WebAccess. These vulnerabilities include Cross-site scripting (XSS), SQL injection, Cross-site request forgery (CSRF) and authentication issues. Public exploits are known to target these vulnerabilities...
Comments (0)
Focusing on Input Validation
February 11, 2012 Added by:Brent Huston
Input validation is the single best defense against injection and XSS vulnerabilities. Done right, proper input validation techniques can make web-applications invulnerable to such attacks. Done wrongly, they are little more than a false sense of security...
Comments (0)
ICS-CERT: Invensys Wonderware HMI XSS Vulnerabilities
February 09, 2012 Added by:Headlines
Researchers Billy Rios and Terry McCorkle have identified cross-site scripting (XSS) and write access violation vulnerabilities in the Invensys Wonderware HMI reports product that could result in data leakage, denial of service, or remote code execution...
Comments (0)
What’s Wrong with WAFs and How to Hack Them - Part 2
February 07, 2012 Added by:Gary McCully
In attempts to prevent XSS attacks many organizations block or HTML encode special characters (<, >, "). In order to be fair I will admit that this prevents many successful XSS attacks, but at the end of the day many of these web applications are still vulnerable to XSS...
Comments (0)
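The point in the Part 2 teaser above is that a filter which only neutralises `<`, `>` and `"` is blind to output context. The following is an added example, not code from the post or its author: it renders two constructed payloads (neither contains an angle bracket or a double quote) through a naive "encode everything" template and through a context-aware one, then runs a deliberately small stand-in for the browser's tag parser over both outputs to show which one still yields a live event handler or `javascript:` URL. Templates, payloads and helper names are all assumptions for illustration.

```javascript
// Added example (not from the original post). It shows why encoding only
// <, > and " is not a general XSS fix: the fix has to match the output
// context. Payloads and templates below are constructed for illustration.

// The filter the post describes: neutralise <, > and " only.
function naiveEncode(s) {
  return String(s).replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Context-aware encoders: one for HTML text, one for attribute values.
function encodeHtmlText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function encodeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The same two inputs rendered into four output contexts. The naive
// template "encodes everything" and still breaks in three of them.
function renderNaive(name, url) {
  return [
    `<b>${naiveEncode(name)}</b>`,              // HTML text context: fine
    `<input value='${naiveEncode(name)}'>`,     // single-quoted attribute: ' not encoded
    `<input value=${naiveEncode(name)}>`,       // unquoted attribute: a space ends the value
    `<a href="${naiveEncode(url)}">link</a>`,   // URL attribute: scheme never checked
  ].join('\n');
}

function renderSafe(name, url) {
  // Quote every attribute, encode for the attribute context, and accept
  // only http(s) URLs in href (anything else falls back to '#').
  const safeUrl = /^https?:\/\//i.test(url) ? url : '#';
  return [
    `<b>${encodeHtmlText(name)}</b>`,
    `<input value="${encodeAttr(name)}">`,
    `<input value="${encodeAttr(name)}">`,
    `<a href="${encodeAttr(safeUrl)}">link</a>`,
  ].join('\n');
}

// A deliberately small stand-in for the browser's tag parser: list each
// start tag's attributes, honouring quoted values, so we see what the
// browser sees rather than what the filter saw.
const TAG_RE = /<([a-z][a-z0-9]*)([^>]*)>/gi;
const ATTR_RE = /([^\s=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttributes(html) {
  const attrs = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const a of tag[2].matchAll(ATTR_RE)) {
      attrs.push({ tag: tag[1].toLowerCase(), name: a[1].toLowerCase(),
                   value: a[2] || a[3] || a[4] || '' });
    }
  }
  return attrs;
}

// Script execution needs an event-handler attribute or a javascript: URL.
function isExploitable(html) {
  return parseAttributes(html).some(a =>
    a.name.startsWith('on') ||
    (a.name === 'href' && /^\s*javascript:/i.test(a.value)));
}

// Constructed payloads: none of them contains <, > or ".
const QUOTED_PAYLOAD   = "x' onmouseover='alert(1)";
const UNQUOTED_PAYLOAD = "x onfocus=alert(1) autofocus";
const URL_PAYLOAD      = "javascript:alert(1)";

function demo() {
  return {
    naiveQuotedAttr:   isExploitable(renderNaive(QUOTED_PAYLOAD, URL_PAYLOAD)),
    safeQuotedAttr:    isExploitable(renderSafe(QUOTED_PAYLOAD, URL_PAYLOAD)),
    naiveUnquotedAttr: isExploitable(renderNaive(UNQUOTED_PAYLOAD, 'https://example.com/')),
    safeUnquotedAttr:  isExploitable(renderSafe(UNQUOTED_PAYLOAD, 'https://example.com/')),
  };
}

console.log(demo());
```

The naive output is exploitable in both runs because the single quote, the unquoted attribute and the URL scheme were never the filter's concern; the safe output is not, because every attribute is quoted, the encoder covers `'` and `&` as well, and `href` is restricted to http(s). A WAF rule that blocks `<` and `"` sees nothing wrong with either payload.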
What’s Wrong with WAFs and How to Hack Them - Part 1
January 31, 2012 Added by:Gary McCully
Many companies that configure web application firewalls do not truly understand the web application attacks they are trying to prevent. Thus, in many cases, we have poorly coded web applications with poorly configured web application firewalls "protecting" them...
Comments (3)
ICS-CERT: Ocean Data Systems Dream Report Vulnerabilities
January 25, 2012 Added by:Headlines
An XSS vulnerability exists in the Ocean Data Dream Report application due to the lack of server-side validation of query string parameter values. An attacker with a low skill level can create the XSS exploit. A write access violation vulnerability also exists in the application...
Comments (0)
ICS-CERT: Cogent DataHub Application Vulnerability
January 18, 2012 Added by:Headlines
A cross-site scripting vulnerability exists in the Cogent DataHub application because it lacks server-side validation of query string parameter values. Attacks require that a user visit a URL which injects client-side scripts into the server’s HTTP response...
Comments (0)
Dynamic AJAX CSRF Attack Vector Vulnerability
January 09, 2012 Added by:Shay Chen
Many CSRF prevention mechanisms protect the user by requiring session-specific tokens or custom headers as additional input for action performing modules, and since "normal" CSRF can't analyze responses, these mechanisms prevent most of these attacks - until now...
Comments (0)
Vulnerability Response Done Right
January 09, 2012 Added by:Fergal Glynn
Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium...
Comments (0)
Want Rapid Feedback? Try a Web Application Security Scan
December 27, 2011 Added by:Brent Huston
While this service finds a number of issues and potential holes, we caution against using it in place of a full application assessment or penetration test if the web application in question processes critical or highly sensitive information...
Comments (0)
Top Ten HTML5 Attack Vectors
December 09, 2011 Added by:Headlines
"HTML 5 applications use DOM extensively and dynamically change content via XHR calls. DOM manipulation is done by several different DOM-based calls and poor implementation allows DOM-based injections. These injections can lead to a set of possible attacks and exploits..."
Comments (0)
Mass Disclosure of Vulnerabilities in SAP
November 22, 2011 Added by:Alexander Polyakov
This month ERPScan specialists published eight vulnerabilities of different criticality found in SAP products. The vulnerabilities represented almost all risks from the OWASP Top 10, from path traversal and XSS to authorization bypass and code injection...
Comments (0)
Adobe Issues Patch for Flash Zero Day Vulnerability
September 22, 2011 Added by:Headlines
"One of these vulnerabilities is being exploited in the wild in active targeted attacks... This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website..."
Comments (0)
Citigroup: Housekeeping Isn’t Glamorous - Only Critical
June 12, 2011 Added by:Mike Meikle
Development for online banking software is handled offshore, which can be a challenge when it comes to infusing the application with information security best practices from the foundation up. As to what Citigroup could have done better, it depends on how the breach was perpetrated...
Comments (2)
Security Vendor Vulnerabilities: It's All About Reaction Time
June 03, 2011 Added by:Rafal Los
Holding a vendor accountable is understandable, since that is their primary business. There's really no excuse when a vendor of security products gets exploited or has a publicly disclosed exploit... well, sort of right? In the final analysis, what is it really all about?
Comments (0)
Software Security - Just Over the Horizon
March 31, 2011 Added by:Rafal Los
Things like Cross Site Scripting (XSS), SQL Injection, buffer overflow, access violation, race conditions and other variations are tested for using static analysis, dynamic analysis and some of the forthcoming hybrid technology. As an industry we're getting better at pattern-based security testing...
Comments (0)