Latest Posts
From the Web
Clickjacking 2017
June 23, 2009 from: Jeremiah Grossman's Blog
The future: Long standing Web application security scourges such SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) are finally under control. Remaining buffer overflow issues are considered fossilized evidence of a prior era. Cyber criminals out of necessity have evolved their attack portfolios to include Cli...
Comments (1)
From the Web
Real-World website vulnerability disclosure & patch timeline
June 23, 2009 from: Jeremiah Grossman's Blog
Protecting large trafficked and high valued websites can be an interesting InfoSec job to say the least. One thing you quickly learn is that you are under constant attack by essentially everyone with every technique they got and all the time.
Comments (1)
From the Web
8 reasons why website vulnerabilities are not fixed
June 23, 2009 from: Jeremiah Grossman's Blog
I list from Jeremiah Grossman about potentially why so many web application vulnerabilities never get fixed...
Comments (1)
From the Web
Software Security grew to nearly 500M in 2008
June 23, 2009 from: Jeremiah Grossman's Blog
Gary McGraw (Cigital) published his Software Security annual revenue numbers for 2008. By combining software security tools, Software-as-a-Service providers, and professional services it comes really close to a half billion dollars.
Comments (0)
From the Web
Website threats and their capabilities
June 23, 2009 from: Jeremiah Grossman's Blog
Vulnerabilities don’t exploit themselves. Someone or something (“threat”) uses an attack vector ( to exploit a vulnerability in an asset, bypassing a control, and causes a technical or business impact.
Comments (1)
From the Web
Disagree with the Concept or Implementation?
June 23, 2009 from: Jeremiah Grossman's Blog
Web Application Firewalls, Professional Certifications, Website Trust Logos, and Compliance Regulations are contentious topics that spark spirited debates by those for and against their existence.
Comments (1)
From the Web
Slowloris HTTP DoS
June 19, 2009 from: Rsnake's blog at ha.ckers.org
Robert "RSnake" Hansen discusses a denial of service (DoS) attack against some popular web servers (Apache specifically). His proof of concept code (a working exploit against Apache web servers) takes advantage of connection delays requested by the client
Comments (1)
From the Web
CWE Top 25 Breakdown - Part 1 of 4
June 11, 2009 from: hackyourself.net
This week, we’ll take a look at the recently published CWE Top 25 Most Dangerous Programming Errors. Since the Top 25 are broken into three main categories, it makes sense to address the list in three separate segments. But first, let’s review what the CWE Top 25 is and its importance.
Comments (1)
From the Web
Some Free Web App Security Testing Tools & Resources
June 11, 2009 from: hackyourself.net
We went over some of these tools at the latest North Carolina OWASP Meeting, so I thought I’d make this list available here. Enjoy!
Comments (1)
From the Web
CWE Top 25 Breakdown - Part 3 of 4
June 07, 2009 from: hackyourself.net
Last week we discussed the first 9 (top 9) in the CWE Top 25 Most Dangerous Programming Errors. This week, we’ll discuss the second 8 on the list, which have been grouped into a category called “Risky Resource Management”.
Comments (1)
From the Web
CWE Top 25 Breakdown - Part 2 of 4
June 07, 2009 from: hackyourself.net
Last week we introduced the CWE Top 25 Most Dangerous Programming Errors in Part 1 of a 4 part series. This week we will discuss the first nine, which have been categorized in a group called “Insecure Interaction Between Components”. Being the first nine, they are also the top 9, or the top most prevalent errors on the list. As me...
Comments (1)
From the Web
Using Denial of Service for Hacking
June 04, 2009 from: Rsnake's blog at ha.ckers.org
In his web application security blog (http://ha.ckers.org) Robert Hansen (Rsnake) discusses using Denial of Service attacks in new ways against web applications
Comments (1)
From the Web
Internet Explorer 8 and NoScript View Source Bugs
June 04, 2009 from: Rsnake's blog at ha.ckers.org
Robert "RSnake" Hansen discusses some bugs he discovered in IE8's Anti-XSS (Cross-Site Scripting) module, as well as NoSCRIPT.
Comments (1)
From the Web
Should I be worried about my web applications?
June 01, 2009 from: hackyourself.net
An interesting article published earlier this week on Information Week’s website here called “Web Applications: Achilles’ Heel Of Corporate Security” discusses the tremendous rise in web-application breaches and attacks th...
Comments (1)
From the Web
Does PCI Compliance Work?
June 01, 2009 from: hackyourself.net
Given the presence of yet another very high-profile data breach from a supposedly PCI-compliant organization, many have begun to question the purpose and usefulness of PCI DSS and other similar regulations. There is a valid argument here, but let’s consider the purpose for these regulations. PCI and all others are meant to be a baseline set of due diligence operations taken by or...
Comments (2)
From the Web
Top 10 Issues Observed During Pen Tests in 2008
June 01, 2009 from: hackyourself.net
There has been a lot of press, effort and money focused on Web Application Security over the past year–and rightly so. The attack footprint for many publicly-facing web applications has been growing as new web and browser-based vulnerabilities are being discovered at a scary pace. The PCI DSS push has helped primarily with the escalation of the press given, but we really haven’t cro...
Comments (1)
From the Web
OSI is Dead
June 01, 2009 from: hackyourself.net
Note: this post is a rambling with no solutions at all–I’m just bitching/rambling, whatever you want to call it–hell, it’s my blog, I’ll write what I please :) There’s an interesting trend in the formerly “Gospel” OSI virtual model for the way computers talk… It used to be that the application layer was sacred and di...
Comments (1)
From the Web
Largest Attack Vector Still Poor Configuration…
June 01, 2009 from: hackyourself.net
So after 12 years of analyzing security risks (and with a specialty on web app security) I’m surprised to find that a large percentage of webappsec risks we find still revolve around the configuration of the web server itself.
Comments (1)
From the Web
“Perfect” security
June 01, 2009 from: hackyourself.net
There’s been an interesting theme of late on many of the infosec mailing lists (including WASC) which carry a tune that mimics my own experience in this field — that of “perfect” security vs. acceptable risk mitigation or “operational” security.
Comments (1)
From the Web
HTTP Cache Poisoning and Host Header Injection
June 01, 2009 from: hackyourself.net
A recent post came through the WASC mailing list today from Carlos Bueno regarding this topic. The basic gist is in the impact of utilizing the browser-supplied Host headers as a means for link consistency in programming your web code