Latest Posts


From the Web

Slowloris HTTP DoS

June 19, 2009 from: Rsnake's blog at ha.ckers.org

Robert "RSnake" Hansen discusses a denial of service (DoS) attack against some popular web servers (Apache specifically). His proof-of-concept code (a working exploit against Apache web servers) takes advantage of connection delays requested by the client.


From the Web

CWE Top 25 Breakdown - Part 1 of 4

June 11, 2009 from: hackyourself.net

This week, we’ll take a look at the recently published CWE Top 25 Most Dangerous Programming Errors. Since the Top 25 are broken into three main categories, it makes sense to address the list in three separate segments. But first, let’s review what the CWE Top 25 is and its importance.


From the Web

Some Free Web App Security Testing Tools & Resources

June 11, 2009 from: hackyourself.net

We went over some of these tools at the latest North Carolina OWASP Meeting, so I thought I’d make this list available here. Enjoy!


From the Web

CWE Top 25 Breakdown - Part 3 of 4

June 07, 2009 from: hackyourself.net

Last week we discussed the first 9 (top 9) in the CWE Top 25 Most Dangerous Programming Errors. This week, we’ll discuss the second 8 on the list, which have been grouped into a category called “Risky Resource Management”.


From the Web

CWE Top 25 Breakdown - Part 2 of 4

June 07, 2009 from: hackyourself.net

Last week we introduced the CWE Top 25 Most Dangerous Programming Errors in Part 1 of a 4 part series. This week we will discuss the first nine, which have been categorized in a group called “Insecure Interaction Between Components”. Being the first nine, they are also the top 9, or the top most prevalent errors on the list. As me...


From the Web

Using Denial of Service for Hacking

June 04, 2009 from: Rsnake's blog at ha.ckers.org

In his web application security blog (http://ha.ckers.org) Robert Hansen (Rsnake) discusses using Denial of Service attacks in new ways against web applications.


From the Web

Internet Explorer 8 and NoScript View Source Bugs

June 04, 2009 from: Rsnake's blog at ha.ckers.org

Robert "RSnake" Hansen discusses some bugs he discovered in IE8's Anti-XSS (Cross-Site Scripting) module, as well as in NoScript.


From the Web

Should I be worried about my web applications?

June 01, 2009 from: hackyourself.net

An interesting article published earlier this week on Information Week’s website here called “Web Applications: Achilles’ Heel Of Corporate Security” discusses the tremendous rise in web-application breaches and attacks th...


From the Web

Does PCI Compliance Work?

June 01, 2009 from: hackyourself.net

Given the presence of yet another very high-profile data breach from a supposedly PCI-compliant organization, many have begun to question the purpose and usefulness of PCI DSS and other similar regulations. There is a valid argument here, but let’s consider the purpose for these regulations. PCI and all others are meant to be a baseline set of due diligence operations taken by or...


From the Web

Top 10 Issues Observed During Pen Tests in 2008

June 01, 2009 from: hackyourself.net

There has been a lot of press, effort and money focused on Web Application Security over the past year–and rightly so. The attack footprint for many publicly-facing web applications has been growing as new web and browser-based vulnerabilities are being discovered at a scary pace. The PCI DSS push has helped primarily with the escalation of the press given, but we really haven’t cro...


From the Web

OSI is Dead

June 01, 2009 from: hackyourself.net

Note: this post is a rambling with no solutions at all–I’m just bitching/rambling, whatever you want to call it–hell, it’s my blog, I’ll write what I please :) There’s an interesting trend in the formerly “Gospel” OSI virtual model for the way computers talk… It used to be that the application layer was sacred and di...


From the Web

Largest Attack Vector Still Poor Configuration…

June 01, 2009 from: hackyourself.net

So after 12 years of analyzing security risks (and with a specialty on web app security) I’m surprised to find that a large percentage of webappsec risks we find still revolve around the configuration of the web server itself.


From the Web

“Perfect” security

June 01, 2009 from: hackyourself.net

There’s been an interesting theme of late on many of the infosec mailing lists (including WASC) which carry a tune that mimics my own experience in this field — that of “perfect” security vs. acceptable risk mitigation or “operational” security.


From the Web

HTTP Cache Poisoning and Host Header Injection

June 01, 2009 from: hackyourself.net

A recent post came through the WASC mailing list today from Carlos Bueno regarding this topic. The basic gist is the impact of relying on the browser-supplied Host header for link consistency in your web code.


From the Web

Hacking Citrix (this again?)

June 01, 2009 from: hackyourself.net

An article from the www.hackyourself.net blog describing some techniques and methods of hacking legacy Citrix applications. Much of this predates the advent of the new MetaframeXP, but some of it is still applicable when dealing with Published Applications.


From the Web

Top 5 SQL Injection Tools

June 01, 2009 from: hackyourself.net

This is a list of the Top 5 FREE SQL Injection tools currently available. Although there is already a list of the Top 15 Free SQL Injection Scanners, not all of them deserve the honors of the best general-purpose tools.


From the Web

Using XSS to Launch a SQL Injection Attack

June 01, 2009 from: hackyourself.net

Several weeks ago I stumbled on a client’s e-commerce site that had (what appeared to be) a non-vulnerable SQL Injection pathway on a search form. I used the standard calls to determine if it was vulnerable, determined (or so I thought) that it wasn’t and moved on to test for XSS.


From the Web

OSI Model’s Relevance to Web App Security

June 01, 2009 from: hackyourself.net

One of the things that I constantly run into is that of security engineers trying to thwart web application attacks with network security equipment (such as IDS/IPS, AV signatures, etc). A recent example regarded a SQL Injection attack on a web server. This particular entity has a very healthy multi-vendor network security perimeter, and felt that the gear in place was sufficient to both catch...

Heartland Regains PCI Compliant Status

May 03, 2009 Added by: Anthony M. Freed

Heartland’s removal from the list of compliant payment processors had followed revelations that the company had suffered what may have been the largest data breach of payment card information to date, although details of the incident have not been made available due to ongoing investigations...

Payment Card Industry Swallows Its Own Tail

April 01, 2009 Added by: Anthony M. Freed

The greatest threat to the survival of PCI DSS (Payment Card Industry Data Security Standard) may not be the ever-evolving tactics of the criminal hackers, but instead the dysfunctional nature of the relationships between the very parties the standards are meant to serve...
