Archived Application Security News - Revision history

KirstenS: /* Stories */

2008-09-18T14:19:57Z

‎Stories

KirstenS: /* Stories */

2008-09-18T14:18:31Z

‎Stories

KirstenS: /* Stories */

2008-09-18T14:17:44Z

‎Stories

KirstenS: /* Stories */

2008-09-18T14:16:30Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:53:20Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:52:23Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:51:17Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:50:42Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:27:31Z

‎Stories

KirstenS: /* Stories */

2008-09-06T15:25:15Z

‎Stories

@@ Line 327: / Line 327: @@
 ; '''Jun 16 - [http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html For goodness sakes, don't click on links in email]'''
-: A pretty complete writeup about the exploit of an [[Cross-site scripting|XSS]] flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique ([[Cross-site scripting |XSS]]). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."
+: A pretty complete writeup about the exploit of an [[Cross-site Scripting (XSS)|XSS]] flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique ([[Cross-site Scripting (XSS)|XSS]]). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."
 ; '''Jun 16 - [http://www.informationweek.com/news/showArticle.jhtml?articleID=189500138 When developers go bad...]'''

@@ Line 258: / Line 258: @@
 ; '''Jul 28 - [http://www.f-secure.com/weblog/archives/archive-072006.html#00000930 Web application worms]'''
-: "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[Cross-site scripting |XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."
+: "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[Cross-site Scripting (XSS) |XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."
 ; '''Jul 26 - [http://www.gcn.com/print/25_21/41397-1.html Government agency wake up call]'''

@@ Line 321: / Line 321: @@
 ; '''Jun 23 - [http://digg.com/links/Working_and_active_exploit_on_citibank.com Citibank wrestles with XSS]'''
-: On the same day that Neosmart makes the ridiculous claim that [http://neosmart.net/blog/archives/194 XSS is not a vulnerability], a hacker has highlighted an [[Cross-site scripting|XSS]] flaw in citibank.com and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a [[:Category:Vulnerability|vulnerability]].
+: On the same day that Neosmart makes the ridiculous claim that [http://neosmart.net/blog/archives/194 XSS is not a vulnerability], a hacker has highlighted an [[Cross-site Scripting (XSS)|XSS]] flaw in citibank.com and claims dozens more major sites have similar problems. It's not rocket science, but of course it's a [[:Category:Vulnerability|vulnerability]].
 ; '''Jun 19 - [http://security.tekrati.com/research/news.asp?id=7293 Analyst research discovers that hackers go for low hanging fruit]'''

@@ Line 237: / Line 237: @@
 ; '''Aug 15 - [http://blog.washingtonpost.com/securityfix/2006/08/crosssite_scripting_flaws_abou.html Yes, you have an XSS problem]'''
-: The Washington Post lists flaws in sites from Verisign, eEye Digital Security, Cisco Systems F-Secure, Snort.org, National Security Agency, etc... If you're not sure whether you have [[Cross-site scripting]] problems or not, you probably do. You're compromising your customer's accounts and data. Should the Post be publishing live exploits? We don't think so.
+: The Washington Post lists flaws in sites from Verisign, eEye Digital Security, Cisco Systems F-Secure, Snort.org, National Security Agency, etc... If you're not sure whether you have [[Cross-site Scripting (XSS)]] problems or not, you probably do. You're compromising your customer's accounts and data. Should the Post be publishing live exploits? We don't think so.
 ; '''Aug 14 - [http://www.cio-today.com/story.xhtml?story_id=45124 Ajax threat coming fast]'''

@@ Line 327: / Line 327: @@
 ; '''Jun 16 - [http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html For goodness sakes, don't click on links in email]'''
-: A pretty complete writeup about the exploit of an [[XSS]] flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique ([[Cross-site scripting |XSS]]). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."
+: A pretty complete writeup about the exploit of an [[Cross-site scripting|XSS]] flaw in PayPal - "The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique ([[Cross-site scripting |XSS]]). When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page."
 ; '''Jun 16 - [http://www.informationweek.com/news/showArticle.jhtml?articleID=189500138 When developers go bad...]'''

@@ Line 303: / Line 303: @@
 ; '''Jul 5 - [http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/ Even Google has application security issues]'''
-: RSnake writes about [Cross-site scripting|[XSS]], [[CSRF]], and [[Open redirect|open redirect]] problems in google.com. "While surfing around the personalization section of Google I ran accross the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however..."
+: RSnake writes about [[Cross-site scripting|XSS]], [[CSRF]], and [[Open redirect|open redirect]] problems in google.com. "While surfing around the personalization section of Google I ran accross the RSS feed addition tool which is vulnerable to XSS. The employees at Google were aware of XSS as they protected against it as an error condition, however..."
 ; '''Jul 5 - [http://www-128.ibm.com/developerworks/library/j-ajax4/index.html?ca=dnw-723 Just because it's AJAX doesn't mean you don't need input validation]'''

@@ Line 267: / Line 267: @@
 ; '''Jul 20 - [http://news.netcraft.com/archives/2006/07/20/paypal_xss_exploit_available_for_two_years.html PayPal challenges Oracle for longest time-to-fix]'''
-: Daring people to sue for negligence, PayPal ignored a 2004 notification of a "[[cross Site Scripting|cross site scripting]] attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."
+: Daring people to sue for negligence, PayPal ignored a 2004 notification of a "[[Cross-site scripting |cross site scripting]] attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."
 ; '''Jul 19 - [http://www.marketwatch.com/news/story/story.aspx?guid=96D9742BE5B8439A8BD982A419203182&siteid=mktw&dist=nbk&print=true&dist=printTop SQL injection flood reported]'''