Template:Application Security News
Revision as of 12:27, 23 April 2007 by OWASP
- Apr 21 - Concurrency and porn
- "First it was porn, now it's privacy - a technical stuff-up on reality show Big Brother's website is said to have exposed the personal details of fans who signed up for its special features. Following reports that visitors to a pirate Big Brother site were sent to a hardcore porn page, it now seems the names and phone numbers of people who registered for the official site were able to be viewed by others"
- Apr 21 - Does first Vista 0day undermine SDL?
- Ken van Wyk discusses the importance of process for producing secure software, and notes that attacks on Vista may undermine the general support for Microsoft's approach. Check out Michael Howard's talk from the last OWASP conference for a great discussion on the success of the SDL.
- Apr 19 - Why the software market is full of lemons
- Bruce Schneier finally chimes in on an [old OWASP theme] - the problem of assymetric information between software buyers and sellers. He only talks about security products, but the same problem affects all types of software. Check the [Software Facts Label which is an idea for actually doing something to change the game.
- Apr 10 - "There is no hope"
- Despite all the good stuff at OWASP, Scott Berinato is giving up. "No official announcement is forthcoming, but the Internet is broken and it can't be repaired. Oh, it's still there. You can still use it. Then again, if you went hiking and came across an old, broken-down mine shaft, you could still use that, too."
- Mar 15 - local IE 7 phishing hole
- Provides a nice proof of concept with CNN (Link at the bottom). "Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users." CNET News also picked this up as a story.
- Mar 14 - GMail Information Disclosure
- Only a tiny XSS hole to demonstrate a disclosure proof-of-concept through AJAX/JSON of all contacts you ever mailed. If a domains covers a lot of functionality and users, one XSS can be devastating. Remember the Google Desktop vulnerability. What is frightening is that it took Beni only ~5 minutes to find a XSS hole.
- Mar 8 - Anurag Agarwal's reflection series
- Anurag Agarwal maintains an interesting blog on Web Application Security. Recently he started a serie of reflections on people active in this field. Up until now he covered Amit Klein, RSnake, Jeremiah Grossman, Ivan Ristic and Sheeraj Shah. Lot's of good pointers to web application research of the last years!