SEARCH RESULTS
 
Showing 1-10 of 55 records
 
Expand article

Injecting IFRAMEs by Abusing Input Validation

The Article has images
2008-03-07 15:53:50 by HASH0x8bac8b8 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good How was the IFRAME injection possible at the first place?...
 
Tags: input validation, input validation checks, plan input validation, input, input validation refers, input validation flaw, iframes, iframe, iframe attack
 
 
 
 
Expand article

Information flow tracing and software testing

2007-09-17 09:32:00 by Niels Provos in Google Online Security Blog
 
...input families which trigger them, but not all fuzz testing frameworks have to be this complicated. Fuzz testing originally relied on purely random data, ignorant of specific threats and known dangerous input. Today, this approach is often overlooked in favor of more complicated techniques. Early sanity checks in applications looking for...
 
Tags: input, flayer marks, initial input samples, flayer, fuzz, fuzz testers require, checks, dynamic analysis framework, sanity checks
 
 
 
 
Expand article

Software Security Metrics and Commentary on "Metrics Framework" Paper

2007-09-17 20:41:00 by Security Retentive in Security Retentive
 
...Input PercentValidatedInput Design Manual review Broken Access Control AnomalousSessionCount Runtime Audit Trail review Broken Authentication / Session Management BrokenAccountCount Runtime Account Review Cross-Site-Scripting XsiteVulnCount Deployment Pen Test Tool Buffer Overflow OverflowVulnCount Deployment Vuln Testing Tools Injection...
 
Tags: metrics, software security metrics, metrics framework, metrics miss, design-time metric, design, upstream sdl metrics, application, web application security
 
 
 
 
Expand article

Automating web application security testing

2007-07-16 11:40:00 by Panayiotis Mavrommatis in Google Online Security Blog
 
...input received as query parameters is vulnerable to reflected XSS. With a vulnerable application, an attacker can craft a malicious URL and send it to the victim via email or any other mode of communication. When the victim visits the tampered link, the page is loaded along with the injected script that is executed in the context of the...
 
Tags: web application, application, input, input parameters, accepts user input, xss, xss vulnerabilities, security, security team check
 
 
 
 
Expand article

Wired.com and History.com Getting RBN-ed

The Article has images
2008-03-10 14:20:33 by HASH0x8aeaaa0 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model . So, after " CNET stops IFRAME site attacks - who's next? " in terms of high-profile sites, that is Wired.com and History.com Key summary points the same malicious...
 
Tags: malware, vbs malware, malware attack, rbn, media malware gang, iframe injection attack, iframe injection, malware research, high-profile sites
 
 
 
 
Expand article

SDL and Web 2.0

2008-02-28 22:26:00 by sdl in The Security Development Lifecycle
 
...input validation (making sure that user input conforms to a known good format in the case of the wiki entry, to deny HTML and script content) and output encoding (making sure that any active content that gets past the input validation routines is rendered as harmless text and not executed). Internally, we also mandate the use of code analysis...
 
Tags: web, site, chriss web site, mashups, web mashups, site cookies, persistent cross-site, cookies, benefit anyones web
 
 
 
 
Expand article

PR Storm - Mass iFRAME Injectable Attacks

The Article has images
2008-03-17 17:54:21 by HASH0x8b5dc70 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...input validation, a good example of tactical warfare combing two different attack tactics, blackhat SEO for traffic acquisition and abusing input validation for injecting iFRAMES, and abusing the sites' search engine optimization practices of storing the now input violated pages. Meanwhile, Iftach Amit at Finjan points out that as it looks...
 
Tags: massive iframe attack, iframe attack, attack, attack vector, attack tactics, domains, malicious domains, malicious, sites
 
 
 
 
Expand article

Software Security Metrics and Commentary - Part 2

2007-10-23 20:31:00 by Security Retentive in Security Retentive
 
...input and have a set of untrusted input functions (things that read from sockets, stdin, etc). It should be relatively straightforward to model our own application-specific output functions to detect where we're handing unchecked/unfiltered input to an output routine, potentially those across a trust boundary. If we can model these, we can at...
 
Tags: security metrics, software security metrics, metrics, software, metrics framework, metric, upstream sdl metrics, concrete metric, paper steve bellovin
 
 
 
 
Expand article

Oklahoma Data Leak

2008-04-18 06:16:51 by schneier in Schneier on Security
 
...input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahomas Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous...
 
Tags: knowledge, basic sql knowledge, computer science class, sql, computer, negligently bad, bad, website, input