|
|
(28 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
− | <!-- please add stories to the main Application Security News page --> | + | <IfLanguage Is="en"> |
| + | This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources. |
| + | </IfLanguage> |
| + | <IfLanguage Is="es"> |
| + | Estas noticias son moderadas por OWASP y mostrarán publicaciónes de alta calidad enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo o son recursos educativos útiles. |
| + | </IfLanguage> |
| | | |
− | ; '''Dec 14 - [http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html JavaScript error handler leaks information]'''
| + | <owaspfeed/> |
− | : An attacker can find out whether you're logged into your favorite website or not. They include a script tag where the src attribute doesn't point to a script, but instead to a page on your favorite websites. Based on the error the script parser generates when trying to parse the HTML of the page that's returned, the attacker can tell whether you're logged in or not. Should extend to access control easily. Protect yourself with CSRF protection.
| |
− | | |
− | ; '''Dec 13 - [http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200173.html UCLA spins massive breach]'''
| |
− | : Why not just say what measures you've really taken? Are all developers trained? Do you do code review and security testing? "Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid. 'In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,' Davis said in the statement."
| |
− | | |
− | ; '''Dec 10 - [http://news.com.com/Security+Bites+Podcast+MySpace,+Apple+in+patch+snafu/2324-12640_3-6142120.html MySpace and Apple mess]'''
| |
− | : MySpace and Apple show how NOT to handle security incidents (see also [http://blog.washingtonpost.com/securityfix/2006/12/how_not_to_distribute_security_1.html How Not to Distribute Security Patches])
| |
− | | |
− | ; '''Dec 2 - [http://blogs.oracle.com/security/2006/11/27#a39 Oracle blames security researchers]'''
| |
− | : "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the [http://www.oracle.com/security/software-security-assurance.html Oracle Software Security Assurance] program real? Or are David Litchfield and Cesar Cerrudo right that Emperor has no clothes?
| |
− | | |
− | ; [[Application Security News|Older news...]]
| |
Latest revision as of 15:30, 6 May 2012
This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.
<owaspfeed/>