Difference between revisions of "Template:Application Security News"

From OWASP
Previous revision:

<!-- please add stories to the main Application Security News page -->
; '''Feb 26 - [http://www.securityfocus.com/infocus/1888 Building Secure Applications: Consistent Logging]'''
:SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."

; '''Feb 26 - [http://www.honeynet.org/papers/webapp/index.html Know your Enemy: Web Application Threats]'''
:A long paper on web application security threats released by honeynet.org. "This paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats."

; '''Feb 21 - OWASP Top 10 2007 rc1 feedback'''
:Lots of feedback on the new OWASP Top 10. See e.g. the [http://datasecurity.wordpress.com/2007/02/05/owasp-top-10-for-2007/ PCI DSS blog] with some interesting comments and, of course, Sylvan von Stuppe's comments on the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top 10 RC1], which can be found [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a7-a8.html here] (A7-A8), [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a5-a6.html here] (A5-A6), [http://sylvanvonstuppe.blogspot.com/2007/02/owasp-top-10-2007-update-rc1-a3-a4.html here] (A3-A4) and [http://sylvanvonstuppe.blogspot.com/2007/01/owasp-top-10-2007-update-rc1-a1-a2.html here] (A1-A2). Last chance to review the document prior to February 28th and provide feedback to the [http://lists.owasp.org/mailman/listinfo/owasp-topten owasp-topten@lists.owasp.org] mail list.

; '''Feb 21 - [http://blog.washingtonpost.com/securityfix/2007/02/serious_flaw_in_google_desktop.html Serious Flaw in Google Desktop Prompts Patch]'''
:"Search engine giant Google has issued an update for people running its powerful Desktop software. Researchers had demonstrated a potentially devastating security hole in the software that could allow bad guys to snoop on users' computers or even to install additional software."

; '''Feb 05 - [http://www.scmagazine.com.au/news/45262,myspace-superworm-creator-sentenced-to-probation-community-service.aspx Sammy 'MySpace' KamKar Pleads Guilty in Court]'''
:"The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking."

; '''Feb 05 - [http://www.itsecurity.com/security.htm?s=10164 Why Your Organization Must Increase It's Web Application Security Budget]'''
:"The Web application security threat is a real one. A failure to respond to this threat will result in real risk to any enterprise that stores financial or customer data. While the problem is a serious one, it is not something that cannot be fixed so long as proper attention and budget are allocated to it. Unfortunately, given the unique nature of the problem and its impact on the budgetary process, it will likely require direct intervention by the financial staff."

; [[Application Security News|Older news...]]

New revision (the March entries were added; all February entries except the Consistent Logging story were removed):

<!-- please add stories to the main Application Security News page -->
; '''Mar 15 - [http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx local IE 7 phishing hole]'''
:Provides a nice proof of concept with CNN (link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a [http://news.com.com/2100-1002_3-6167410.html?part=rss&tag=2547-1_3-0-20&subj=news story].

; '''Mar 14 - [http://mybeni.rootzilla.de/mybeNi/2007/gmail_information_disclosure/ GMail Information Disclosure]'''
:Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domain covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find an XSS hole.

; '''Mar 8 - [http://myappsecurity.blogspot.com/search/label/reflection Anurag Agarwal's reflection series]'''
:Anurag Agarwal maintains an interesting [http://myappsecurity.blogspot.com/ blog] on Web Application Security. Recently he started a series of reflections on people active in this field. Up until now he has covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lots of good pointers to web application research of the last years!

; '''Mar 2 - [http://wordpress.org/development/2007/03/upgrade-212/ Wordpress (popular blog software) backdoored]'''
:"Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."

; '''Mar 1 - [http://www.php-security.org/ the Month of PHP Bugs "formerly known as March"]'''
:"This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core."

; '''Feb 26 - [http://www.securityfocus.com/infocus/1888 Building Secure Applications: Consistent Logging]'''
:SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."

; [[Application Security News|Older news...]]

Revision as of 18:05, 19 March 2007


Mar 15 - local IE 7 phishing hole
Provides a nice proof of concept with CNN (link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a story.
Mar 14 - GMail Information Disclosure
Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domain covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find an XSS hole.
Mar 8 - Anurag Agarwal's reflection series
Anurag Agarwal maintains an interesting blog on Web Application Security. Recently he started a series of reflections on people active in this field. Up until now he has covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lots of good pointers to web application research of the last years!
Mar 2 - Wordpress (popular blog software) backdoored
"Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."
Mar 1 - the Month of PHP Bugs "formerly known as March"
"This initiative is an effort to improve the security of PHP. However we will not concentrate on problems in the PHP language that might result in insecure PHP applications, but on security vulnerabilities in the PHP core."
Feb 26 - Building Secure Applications: Consistent Logging
SecurityFocus article, "This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code."
Older news...