<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.websecurity">
    <title>gmane.comp.security.websecurity</title>
    <link>http://blog.gmane.org/gmane.comp.security.websecurity</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8498"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8497"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8496"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8494"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8493"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8492"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8491"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8489"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8487"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8486"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8485"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8483"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8469"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8468"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8462"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8461"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8460"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8458"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8457"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.websecurity/8456"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8498">
    <title>[Announcement] ClubHack Magazine Issue 28,May 2012 Released</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8498</link>
    <description>&lt;pre&gt;Dear All,

Here we are with the 28th issue of ClubHack Magazine.

This issue covers following articles:-

0x00 Tech Gyan - Steganography over covert channels
0x01 Tool Gyan - Kautilya
0x02 Mom's Guide - HTTPS (Hyper Text Transfer Protocol Secure)
0x03 Legal Gyan - Section 66C - Punishment for identity theft
0x04 Code Gyan - Don’t Get Injected – Fix Your Code
0x05 Poster - "Look both side before crossing one way track"

Check http://chmag.in/ for articles.
PDF version can be downloaded from:- http://chmag.in/issue/may2012.pdf

Send us your feedback, articles at info&amp;lt; at &amp;gt;chmag.in

Regards,
Team CHMag
http://chmag.in/
_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity&amp;lt; at &amp;gt;lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
&lt;/pre&gt;</description>
    <dc:creator>Abhijeet Patil</dc:creator>
    <dc:date>2012-05-21T06:13:43</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8497">
    <title>Need some help with one XSS Vector</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8497</link>
    <description>&lt;pre&gt;Hi,

I am running into one issue with XSS and was interested if there is any way
I can bypass it.
Following is the response code where user supplied input is embedded. Input is
taken via a text box.

&amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the card 1');&amp;lt;/script&amp;gt;

User supplied input *1* is highlighted in red. I am trying to break out of
this alert box, however when a single quote is given as input, the output
is escaped using a backslash. It is as follows:

Input:  1'
Output: &amp;lt;script type="text/javascript"&amp;gt;alert('No Information is found for the card 1\'');&amp;lt;/script&amp;gt;

I am using IE 8 and tried using back ticks just to check if I can get
around this limitation, however it did not work.
Any suggestion on how to break out of this would be very helpful.

All characters except the single quote, &amp;lt;!-- and &amp;lt;/script&amp;gt; are working.
Using a

I tried the following vector to escape out:

Input:  1`);alert(1);(`');
Output: &amp;lt;script type="text/javascript"&amp;gt;alert('No Information &lt;/pre&gt;</description>
    <dc:creator>Chintan Dave</dc:creator>
    <dc:date>2012-05-18T06:34:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8496">
    <title>New Open Source Web Application VulnerabilityScanner Available</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8496</link>
    <description>&lt;pre&gt;
Hi All,
There is a new web application vulnerability scanner available. It is called WebVulScan and it is open source. Here is the link for it if you want to check it out: http://code.google.com/p/webvulscan/
Regards,
Dermot Blair
&lt;/pre&gt;</description>
    <dc:creator>Dermot Blair</dc:creator>
    <dc:date>2012-05-15T21:37:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8494">
    <title>Classic examples for secure webapps</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8494</link>
    <description>&lt;pre&gt;Dear all,

Two examples come to my mind when I think about classic examples of
secure software development: OpenSSH and Qmail. Both

a) were designed with security in mind
b) were heavily audited (--&amp;gt; open source)
c) are widely used in security sensitive environments for a long time (&amp;gt; 10 years)
d) had relatively few known security bugs despite b) and c).

My question is:
Are there any web applications that can be seen as a classic example of
secure software development on the web (similar to OpenSSH and Qmail
in the network service area)?

Thanks,
Sebastian

---
Sebastian Schinzel

Universität Erlangen-Nürnberg
Lehrstuhl für Informatik 1
IT-Sicherheitsinfrastrukturen

Web: http://www1.cs.fau.de/
Twitter: http://twitter.com/seecurity
&lt;/pre&gt;</description>
    <dc:creator>Sebastian Schinzel</dc:creator>
    <dc:date>2012-05-15T10:50:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8493">
    <title>Breakpoint 2012 Call For Papers</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8493</link>
    <description>&lt;pre&gt;                 . ______________________________________
                 ._\\.         Breakpoint 2012           (___.
                 :          Intercontinental Rialto          :
                 :           Melbourne,  Australia           :
                 :             October 17th-18th             :
                 :__                                    . ___:
                    )____________________________________\\
                                                            .
                          www.ruxconbreakpoint.com
                          www.twitter.com/ruxconbpx



Introduction
------------

 Breakpoint is a new security conference to be held on the 17th and 18th of
 October, in Melbourne, Australia. The event will showcase the work of expert
 security researchers from around the world on a wide range of topics.
 Breakpoint is organised by the Ruxcon conference team and will offer a
 specialised and more professional security conference to complement and lead
 into the larger and&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2012-05-10T11:48:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8492">
    <title>Bypassing web antiviruses and attack via tablescorruption in MySQL</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8492</link>
    <description>&lt;pre&gt;Hello participants of Mailing List.

As I wrote last month in the list, I've presented a full translation of my
articles (in the form of a new comprehensive article), which I told
you about briefly in my post Bypassing of security mechanisms
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
And now I will tell you about my other articles, written in September 2011
and in April 2012. Request a full translation of any of them if needed.

I'll tell you briefly about my two articles concerning bypassing web
antiviruses and attack via tables corruption in MySQL, which I wrote in
September and in April respectively. These topics should be interesting for
you (especially for those who haven't read them before).

1. Effective use of cloaking against web antiviruses
http://websecurity.com.ua/5359/

In this article I told more about cloaking: how web antiviruses
began fighting it, and other ways of bypassing them with cloaking. This
is the third article in my series about &lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2012-05-05T20:50:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8491">
    <title>Submit to WOOT: USENIX Workshop on OffensiveTechnologies</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8491</link>
    <description>&lt;pre&gt;Hi everyone,

WOOT is the USENIX Workshop on Offensive Technologies and this year
will focus on the future of web exploitation and HTTPS security.

One of the specificities of WOOT is that it is meant to be a bridge
between the industry and the academic world, which always gives rise to
interesting discussion :)

So if you just gave a cool talk at BSides or got something interesting
planned for Black Hat or DEFCON, it is exactly the type of work we'd
like to see submitted to WOOT.

Don't be shy, it will be a very fun workshop! The WOOT call for papers
is available here: http://ow.ly/aH1X0

--
Elie
http://elie.im - Twitter: &amp;lt; at &amp;gt;elie
&lt;/pre&gt;</description>
    <dc:creator>Elie Bursztein</dc:creator>
    <dc:date>2012-05-04T05:25:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8489">
    <title>Abusing Password Managers with XSS</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8489</link>
    <description>&lt;pre&gt;New post on abusing password managers with Cross-Site Scripting.
http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/
&lt;/pre&gt;</description>
    <dc:creator>mastah yeti</dc:creator>
    <dc:date>2012-04-30T16:30:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8487">
    <title>OWASP 2012 Online Competition</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8487</link>
    <description>&lt;pre&gt;Dear security experts,

Hacking-Lab is proud to announce the upcoming online OWASP 2012 hands-on
competition about web security issues. The competition will start next
Tuesday (May 1 2012) and end on June 17th, 2012. It's all about web
security, including the Greece Hackademics challenges plus some advanced
Hacking-Lab challenges. The winner will gain a free ticket to either the
OWASP AppSec EU conference in Athens or AppSec US.

Winner Selection Criteria
a) how many points you receive (complete)
b) how complete your solutions are (quality)
c) how fast you are completing the challenges (time)
d) creativity, unseen solutions, geek factor

The OWASP GEC (Global Education Committee) and Hacking-Lab have the
right to select the winner in case of identical a) to d) levels. OWASP
teachers, Hacking-Lab volunteers, Compass Security Switzerland staff are
not allowed to play. Sorry for that, folks.

Check out the upcoming "OWASP 2012 Online Competition" here
* https://www.hacking-lab.com/events/

Train your Brain - Expl&lt;/pre&gt;</description>
    <dc:creator>Ivan Buetler</dc:creator>
    <dc:date>2012-04-29T19:15:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8486">
    <title>Oracle Padding and Exploitation</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8486</link>
    <description>&lt;pre&gt;First off, my anal retentive side simply *MUST* correct you: It's
"padding oracle".

An "oracle" is a system which provides answers to specific types of
questions. In cryptography, there is a concept of "padding", extra
data appended to the unencrypted message to satisfy the length
requirements of a block cipher, which requires that the data it is
encrypting be of a certain length.

A padding oracle will normally only reveal whether an encrypted message,
when decrypted, is properly padded.

Vaudenay presented at EUROCRYPT that with PKCS#5 padding, a padding
oracle can actually be used as a decryption oracle, given the ability
to make lots of submissions to the padding oracle. This allows us to
decrypt arbitrary data using a padding oracle.

Thai Duong and Juliano Rizzo applied this theoretical attack in a
practical way: against Web applications. They also presented a way of
using padding oracles as encryption oracles, allowing encryption of
arbitrary data.

The ASP.NET framework not only had padding oracle flaw&lt;/pre&gt;</description>
    <dc:creator>Daniel "unicornFurnace" Crowley</dc:creator>
    <dc:date>2012-04-28T06:20:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8485">
    <title>CRLF Injection - HTTP Response Splitting</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8485</link>
    <description>&lt;pre&gt;Hi all,

Maybe this is a very stupid question; however, after many unsuccessful
attempts, I would appreciate your assistance.

In testing a web application, I found that on sending the following request
header:

GET /path/path-contd/resource.asp?key1=value1&amp;amp;key2=value2&amp;amp;key3=value3 HTTP/1.1
....


I got the following response header:

HTTP/1.1 302 Found
Date: xxxx
Server: xxxx
Location: https://&amp;lt;full-domain&amp;gt;/path/path-contd/resource.asp?https=redirect&amp;amp;key1=value1&amp;amp;key2=value2&amp;amp;key3=value3
....

I tried to inject "CRLF" (%0d%0a) in value3 to perform an HTTP Response
Splitting, however, the input was always output to the response header as
text and the injected CRLF (%0d%0a) was never executed. I tried:

1. double url encoding: %250d%250a
2. encoding the attack vector to unicode 16-bit
3. injecting %0d%0a (and double encoded value) in value1 instead
4. injecting %0d%0a (and double encoded value) in value2 instead

Am I missing something trivial or any other attack vector to bypass CRLF
Injection protection/filt&lt;/pre&gt;</description>
    <dc:creator>Mon</dc:creator>
    <dc:date>2012-04-30T12:32:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8483">
    <title>Oracle Padding and Exploitation</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8483</link>
    <description>&lt;pre&gt;I'm doing a web app pen test and the Oracle Padding vulnerability popped up
in Nessus and Acunetix. I tried playing with padbuster.pl and watched every
video on YouTube on this, and can't exploit it. I'm doing the bruteforce
option I found at
http://blog.securitywhole.com/2010/10/21/net-padding-oracle-attack-padbusterpl-and-the-microsoft-recommended-workarounds.aspx
now and hit 40K attempts and counting. It seems that the goal of all of these
docs and videos is to grab the web.config file from the server. Just so
happens that I found web.config.bak on the server already and have the file.
In that file I found the DB connection login and password info, as well as
DB table names. I'm assuming that I can't log in to the web app with these
credentials... could I do anything else?

Any insight is appreciated!

--Chris
&lt;/pre&gt;</description>
    <dc:creator>chris serafin</dc:creator>
    <dc:date>2012-04-25T23:34:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8469">
    <title>Wanted: HTML5 et.al. Security Solutions</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8469</link>
    <description>&lt;pre&gt;Hi -

I am researching approaches to protecting against Web risks, specifically in
the HTML5 area, where I include language elements/attributes, CORS, XHR2,
Websockets, Web Workers, Web Messaging (e.g. postMessage), and Storage.

Looking for 1) native browser techniques/plugins; 2) vendor offerings; and
3) PoC tools that mitigate published issues.

In particular, I am interested in vendors with HTML5-specific capabilities.

Just to be clear - I have done a lot of research on the technologies and
ways they might be manipulated or attacked and am now looking for ways to
address/mitigate the problems.

The research report will be available this quarter, so if you want a copy,
please send me a note offline. (I am looking for a few early reviewers as
well). Goal is to translate technical implications of HTML5 into business
risks - geared to enterprise CISO audience.

thanks,

Pete

Pete Lindstrom
Principal, VP of Research
Spire Security, LLC
&amp;lt; at &amp;gt;SpireSec
www.spiresecurity.com
610-644-9&lt;/pre&gt;</description>
    <dc:creator>Pete Lindstrom</dc:creator>
    <dc:date>2012-04-23T15:56:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8468">
    <title>[HITB-Announce] HITB Magazine Issue 008 (now withprint edition!)</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8468</link>
    <description>&lt;pre&gt;The 8th issue of the HITB Quarterly Magazine is now available for download!

http://magazine.hitb.org/

This edition is a little bit 'lighter' than previous issues as the
editorial team is busy working on an extra special release for our 10th
year anniversary conference in October, HITBSecConf2012 - Malaysia.

http://conference.hitb.org/hitbsecconf2012kul/

For the first time ever though, we're making print editions of the
magazine available (courtesy of HP MagCloud) - A print edition of the
HITB Quarterly is a perfect addition for your coffee table or office
reception area and we'll be making past issues also available for print
over the next couple of weeks.

We're hoping that print sales will allow us to pay our authors and
contributors for their articles, so ordering a print copy is a way for
you to help support them! Putting together content for the magazine is
practically a full time job and it would be nice to offer authors some
form of compensation for the time and energy taken to produce the high
qu&lt;/pre&gt;</description>
    <dc:creator>Hafez Kamal</dc:creator>
    <dc:date>2012-04-23T14:21:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8462">
    <title>javascript based network scanners</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8462</link>
    <description>&lt;pre&gt;Hello list,

I was playing with the idea of making a JavaScript based network scanner /
CSRF exploiting tool. I know the idea in itself isn't very new, but I
feel somehow it never really got the credit that it deserved and still
believe it's a valid attack vector and that, with some preparation and minimal
tweaking/configuring of the scanning engine before sending it to a
target, it will yield very good results.
Anyway, I made a quick write-up of my ideas/findings. Any feedback on
the matter would be greatly appreciated.

http://allodox.wordpress.com/2012/04/21/javascript-based-network-scanners/

Regards,

Raf
&lt;/pre&gt;</description>
    <dc:creator>allodoxa</dc:creator>
    <dc:date>2012-04-21T14:03:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8461">
    <title>Ruxcon 2012 Call For Papers</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8461</link>
    <description>&lt;pre&gt;Ruxcon 2012 Call For Papers

The Ruxcon team is pleased to announce the call for papers for the 2012 annual Ruxcon conference.

This year the conference will take place over the weekend of 20th and 21st of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of July.


* What is Ruxcon?

Ruxcon is the premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

For more information, please visit http://www.ruxcon.&lt;/pre&gt;</description>
    <dc:creator>cfp&lt; at &gt;ruxcon.org.au</dc:creator>
    <dc:date>2012-04-19T05:04:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8460">
    <title>[Announcement] CHMag's Issue 27, April 2012 Released</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8460</link>
    <description>&lt;pre&gt;Hello Readers,
The 27th Issue - April 2012 is out now!
From this month we have started a new section - Code Gyan. Code Gyan
section will focus on good programming practices and snippets to mitigate
various vulnerabilities.
Hope you like it.

This issue covers following articles:-

0x00 Tech Gyan - XSS – The Burning issue in Web Application
0x01 Tool Gyan - Sysinternals Suite
0x02 Mom's Guide - Decoding ROT using the Echo and Tr Commands in your
Linux Terminal
0x03 Legal Gyan - Provisions of Sec. 66B
0x04 Matriux Vibhag - How to enable WiFi on Matriux running inside VMWare
0x05 Code Gyan - Local File Inclusion
0x05 Poster - http://chmag.in/poster/apr2012/poster-month

PDF version can be downloaded from:- http://chmag.in/issue/apr2012.pdf
Check http://chmag.in/ for more articles.

Submit your articles, feedback to info&amp;lt; at &amp;gt;chmag.in

Regards,
Team CHMag
http://chmag.in
&lt;/pre&gt;</description>
    <dc:creator>Abhijeet Patil</dc:creator>
    <dc:date>2012-04-18T17:00:54</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8458">
    <title>Articles updates</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8458</link>
    <description>&lt;pre&gt;Hello participants of Mailing List.

I want to draw your attention to the updates concerning my articles.

In February my article CSRF Attacks on Network Devices
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-February/008265.html)
was released in PenTest Extra 02/2012. I remind you that in this article
I told about different CSRF attacks on network devices, including attacks
on login forms described in my 2011 article (such attacks can be conducted
on login forms of web applications, including the control panels of network
devices). And in this article I've described this topic in detail (with
examples of attacks on vulnerabilities in real network devices).

As I've mentioned in my announcement, I put a PDF teaser of the magazine
with part of the article on my site (and the full text was available in the
magazine). For those of you who are interested in this subject, but haven't
read the article due to lack of possibility to read this issue of the
magazine, here is a good p&lt;/pre&gt;</description>
    <dc:creator>MustLive</dc:creator>
    <dc:date>2012-04-17T20:50:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8457">
    <title>winAUTOPWN v3.0 Released</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8457</link>
    <description>&lt;pre&gt;Dear all,

 This is to announce the release of winAUTOPWN version 3.0

 The improved GUI extension - WINAUTOPWN ACTIVE SYSTEMS TRANSGRESSOR GUI [ C4 - WAST ] is a
 Systems and Network Exploitation Framework built on the famous winAUTOPWN as a backend.
 C4 - WAST gives users the freedom to select individual exploits and use them.

 A complete list of all Exploits in winAUTOPWN is available inside MISC\CHANGELOG.TXT
 A complete list of User Interface changes is available in MISC\UI_CHANGES.txt

 BSDAUTOPWN has been compiled, like always, for various flavours and has been
 upgraded to version 1.8 along with all applicable exploits which have been added
 in this release.
 Included this time is the bsd_install.sh, which will set chmod on all applicable BSD compiled binaries.

 WINAUTOPWN requires PERL, PHP, PYTHON, RUBY and their dependencies along with a few others too for smooth
 working of exploits included in it.

 A complete Document explaining: How to use winAUTOPWN/bsdAUTOPWN, How to
 add your own exploits usin&lt;/pre&gt;</description>
    <dc:creator>QUAKER DOOMER</dc:creator>
    <dc:date>2012-04-17T10:36:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8456">
    <title>LoginWall's New Cyber Hackathon</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8456</link>
    <description>&lt;pre&gt;LoginWall announces:  A new cyber hackathon

Mission:  To crack a LoginWall password.

Prize: the new iPad!

No registration necessary!

Unlimited number of tries!

Join the competition now at hackathon.loginwall.com

For more info, please contact tehila&amp;lt; at &amp;gt;loginwall.com
&lt;/pre&gt;</description>
    <dc:creator>Omer Granot</dc:creator>
    <dc:date>2012-04-17T11:11:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.websecurity/8454">
    <title>WATOBO 0.9.8 Pre-Release available</title>
    <link>http://comments.gmane.org/gmane.comp.security.websecurity/8454</link>
    <description>&lt;pre&gt;Hi everybody,

I want to announce that a Pre-Release of WATOBO 0.9.8 is now available
as a ruby gem.

WATOBO is intended to enable security professionals to perform
semi-automated web application security audits.

Here's a brief summary of its features:
- Session Management; Login scripts, logout recognition, automated relogin
- One-Time-Token support; for testing CSRF protected functions
- NTLM-Authentication for servers and proxies
- Active security checks: SQLi, XSS, LFI, DirWalker, HTTP-Methods,
JBoss, SAP, ...
- Passive checks/filters: Cookie-Options, Login-Encryption, DOMXSS, ...
- Plugins: SSLChecker, FileFinder and Catalog-Scanner
- Fuzzer: fuzz engine, e.g. for username enumeration or collecting cookies
- Manual Request Editor: customize and send requests
- Differ: diffing request/response pairs

More information as well as (new) video tutorials are available at
http://watobo.sourceforge.net

If you find a bug, have a feature request or simply want to tell some
success stories please send a mail t&lt;/pre&gt;</description>
    <dc:creator>Andreas Schmidt</dc:creator>
    <dc:date>2012-04-11T21:59:56</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.websecurity">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.websecurity</link>
  </textinput>
</rdf:RDF>

