http://seclists.org/#webappsec Provides insights on the unique challenges which make web applications notoriously hard to secure. en-us60 Posted by Alberto Trivero on Jul 21<p> <p> The aim of this white paper is to analyze security implications of the <br /> new HTML 5 client-side storage technology, showing how different <br /> attacks can be conduct in order to steal storage data in the client’s <br /> machine. <br /> Download at: http://trivero.secdiscover.com/html5whitepaper.pdf <br /> <p>... http://seclists.org/webappsec/2008/q3/0040.htmlhttp://seclists.org/webappsec/2008/q3/0040.html Mon, 21 Jul 2008 02:57:01 +0200 Posted by mike_at_cenzic.com on Jul 16<p> ('binary' encoding is not supported, stored as-is) To add one more to the fray... <br /> <p>Cenzic has one available off their web site. <br /> <p>http://crackme.cenzic.com/ <br /> <p>Login: mary <br /> Password: mary123 <br /> <p><p>mikekaz <br /> <p>------------------------------------------------------------------------- <br /> Sponsored by: Watchfire... http://seclists.org/webappsec/2008/q3/0039.htmlhttp://seclists.org/webappsec/2008/q3/0039.html 16 Jul 2008 21:08:21 -0000 Posted by Martin ONeal on Jul 16<p> <p> &gt; Yes I did; but it doesn't <br /> &gt; change the fact that your <br /> &gt; comments under &quot;Testing&quot; <br /> &gt; in that section (page 16) <br /> &gt; are still not applicable to <br /> &gt; c#. Nor is the &quot;Recommendation&quot; <br /> &gt; about ==. As I said. <br /> <p>LOL; you would like a testing and... http://seclists.org/webappsec/2008/q3/0038.htmlhttp://seclists.org/webappsec/2008/q3/0038.html Wed, 16 Jul 2008 11:51:37 +0100 Posted by Adrian Pastor on Jul 16<p> <p> <p>Hi Brett, <br /> <p>I came across this paper a while ago but had forgotten about it! Will <br /> definitely keep it in mind for future assessments. <br /> <p>What percentage of ASP.NET/MS SQL environments would you say you find <br /> vulnerable to this attack against &quot;forgotten password&quot; facilities? <br /> <p>Also, have you... http://seclists.org/webappsec/2008/q3/0037.htmlhttp://seclists.org/webappsec/2008/q3/0037.html Wed, 16 Jul 2008 11:31:15 +0100 Posted by silky on Jul 16<p> <p> On Wed, Jul 16, 2008 at 8:02 PM, Martin O'Neal <br /> &lt;martin.oneal_at_corsaire&#46;com&gt; wrote: <br /> &gt; <br /> &gt; &gt; this is fairly stupid. <br /> &gt; <br /> &gt; LOL; more stupid than vacuous name calling, or less? <br /> <p>I'd say it's on par with it :) <br /> <p><p>&gt; &gt; what financial institutions are <br /> &gt; &gt; using... http://seclists.org/webappsec/2008/q3/0036.htmlhttp://seclists.org/webappsec/2008/q3/0036.html Wed, 16 Jul 2008 20:07:35 +1000 Posted by Martin ONeal on Jul 16<p> <p> &gt; this is fairly stupid. <br /> <p>LOL; more stupid than vacuous name calling, or less? <br /> <p>&gt; what financial institutions are <br /> &gt; using floating point and not decimal <br /> &gt; variables to represent their money? <br /> &gt; very few i'd guess. it hardly needs <br /> &gt; to be said that anyone using FP <br /> &gt;... http://seclists.org/webappsec/2008/q3/0035.htmlhttp://seclists.org/webappsec/2008/q3/0035.html Wed, 16 Jul 2008 11:02:43 +0100 Posted by Martin ONeal on Jul 16<p> <p> &gt; you don't ever need to round, and <br /> &gt; can use relatively simple fixed- <br /> &gt; precision for this sort of thing. <br /> <p>Sometimes. Some financial calculations, such as exchange rates etc, are <br /> inherently floats. <br /> <p>Martin... <br /> <p><p><p>... http://seclists.org/webappsec/2008/q3/0034.htmlhttp://seclists.org/webappsec/2008/q3/0034.html Wed, 16 Jul 2008 10:46:05 +0100 Posted by Martin ONeal on Jul 16<p> <p> &gt; Have you reported these issues to Sun/Microsoft? <br /> <p>These are all by-design issues, that have side-effects for the unwary. <br /> <p>Martin... <br /> <p>------------------------------------------------------------------------- <br /> Sponsored by: Watchfire <br /> Methodologies &amp; Tools for Web Application Security... http://seclists.org/webappsec/2008/q3/0033.htmlhttp://seclists.org/webappsec/2008/q3/0033.html Wed, 16 Jul 2008 10:42:59 +0100 Posted by Adrian Pastor on Jul 16<p> <p> <p>Ivan, I agree with you 100% but as you said it's easier said than done. <br /> I think that a lot of insecure configuration settings are forgotten to <br /> be fixed when moving from a UAT to a production environment. <br /> <p>You might want to take a look at the following: <br /> <p>... http://seclists.org/webappsec/2008/q3/0032.htmlhttp://seclists.org/webappsec/2008/q3/0032.html Wed, 16 Jul 2008 10:09:15 +0100 Posted by Brett Moore on Jul 16<p> <p> Hi. <br /> <p>While not directly related to your papers topic. I think it would <br /> be beneficial to raise awareness of the issue illustrated in this <br /> paper by Gary O'Leary-Steele. <br /> <p>http://www.sec-1labs.co.uk/advisories/BTA_Full.pdf <br /> <p>Surprising how many forgotten password mail out features are vulnerable <br /> to... http://seclists.org/webappsec/2008/q3/0031.htmlhttp://seclists.org/webappsec/2008/q3/0031.html Wed, 16 Jul 2008 15:08:29 +1200 Posted by Johannes B. Ullrich on Jul 16<p> <p> /* disclaimer: I work for SANS */ <br /> <p>Take a look at http://www.sans.org. Plenty of courses to choose from. I will not comment on quality as I work for them. Essentially all of them include hands on exercises and can be taken live or online. I will gladly provide more information off-list. <br /> <p>Most... http://seclists.org/webappsec/2008/q3/0030.htmlhttp://seclists.org/webappsec/2008/q3/0030.html Wed, 16 Jul 2008 02:48:51 +0000 (UTC) Posted by Gleb Paharenko on Jul 16<p> <p> Hi. <br /> <p>That seems to be a part of &quot;open redirects problem&quot; which was <br /> discussed a lot on this list. <br /> <p>2008/7/15 MC Iglo &lt;mc.iglo_at_googlemail&#46;com&gt;: <br /> &gt; Hi all, <br /> &gt; <br /> &gt; lately, I see more and more pages using get-parameters to store a <br /> &gt; return url after login. <br /> &gt; two... http://seclists.org/webappsec/2008/q3/0029.htmlhttp://seclists.org/webappsec/2008/q3/0029.html Wed, 16 Jul 2008 15:12:59 +0300 Posted by ClubHack on Jul 15<p> <p> Dear all <br /> We are pleased to announce the opening of CFP for ClubHack2008. <br /> ClubHack is India's own international hackers' convention started in 2007. <br /> <p>We are expecting good deep knowledge technical <br /> presentations/demonstrations on topics from the world of Information <br /> Security. <br /> <p>These... http://seclists.org/webappsec/2008/q3/0028.htmlhttp://seclists.org/webappsec/2008/q3/0028.html Tue, 15 Jul 2008 15:46:20 +0530 Posted by Kevin Johnson on Jul 15<p> <p> On Jul 13, 2008, at 1:18 AM, Jimmy Liang wrote: <br /> &gt; Hello, <br /> &gt; <br /> &gt; I’m looking at expanding my security knowledge and am looking for <br /> &gt; recommendations on training courses. I’ve had a few years of Windows <br /> &gt; and Solaris admin experience managing 30 or so 24/7 systems, and <br /> &gt;... http://seclists.org/webappsec/2008/q3/0027.htmlhttp://seclists.org/webappsec/2008/q3/0027.html Tue, 15 Jul 2008 22:48:05 -0400 Posted by silky on Jul 16<p> <p> On Tue, Jul 15, 2008 at 11:02 PM, Martin O'Neal <br /> &lt;martin.oneal_at_corsaire&#46;com&gt; wrote: <br /> &gt; <br /> &gt; Breaking the Bank <br /> &gt; (Vulnerabilities in Numeric Processing within Financial Applications) <br /> &gt; <br /> &gt; By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008 <br /> &gt; <br /> &gt; This... http://seclists.org/webappsec/2008/q3/0026.htmlhttp://seclists.org/webappsec/2008/q3/0026.html Wed, 16 Jul 2008 10:08:03 +1000