Difference between revisions of "Template:Application Security News"
From OWASP
Line 3 (old revision) / Line 3 (new revision):

    : Comment or "Quote"
    -->
  + ; '''Jul 28 - [http://www.f-secure.com/weblog/archives/archive-072006.html#00000930 Web application worms]'''
  + : "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" [[XSS]] vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."
    ; '''Jul 26 - [http://www.gcn.com/print/25_21/41397-1.html Government agency wake up call]'''

Line 15 (old revision) / Line 18 (new revision):

    ; '''Jul 19 - [http://www.marketwatch.com/news/story/story.aspx?guid=96D9742BE5B8439A8BD982A419203182&siteid=mktw&dist=nbk&print=true&dist=printTop SQL injection flood reported]'''
    : "From January through March, we blocked anywhere from 100 to 200 [[SQL Injection]] attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day... The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the [[SQL Injection]] exploits so worrisome is that they are often indicative of a targeted attack."
  − (six blank lines removed)
    ; [[Application Security News|Older news...]]
Revision as of 08:59, 28 July 2006
- Jul 28 - Web application worms
  "We picked two among the top social networking sites with a reported combined user base of 80 million. Within half an hour we had discovered over half a dozen potentially "wormable" XSS vulnerabilities in each site! We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there. With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."

- Jul 26 - Government agency wake up call
  The OWASP Top Ten was originally drafted with government in mind, but most agencies have steadfastly ignored the risk. "Instead of relying on firewalls, IDSes and compliance teams preparing documents, leaders within organizations need to put new emphasis on a secure software development lifecycle."

- Jul 24 - Fuzzing comes of age
  "In fact, fuzzing tools appear to be the source of the deluge of Office flaws. Once considered a crutch for the lowest form of code hacker - the much-denigrated "script kiddie" - data-fuzzing tools have gained stature to now be considered an efficient way to find vulnerabilities, especially obscure ones."

- Jul 20 - PayPal challenges Oracle for longest time-to-fix
  Daring people to sue for negligence, PayPal ignored a 2004 notification of a "cross site scripting attack that affected donation pages for suspended users." This "is the exact method exploited by the phishing attack in June 2006."

- Jul 19 - SQL injection flood reported
  "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day. As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day... The majority of the attacks are coming from overseas, and although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack."