A hacker, who calls himself “ins3cted”, has demonstrated to Webwereld via video how by exploiting a simple SQL injection, he can retrieve 168,000 personal records from a Dutch website called Experience the OV (http://www.ervaarhetov.nl). Citizens living in the provinces of Gelderland, Overijssel and Flevoland are…
Security usability and accessibility
Recently security and accessibility issues have become an important topic to me. Although I had always considered accessibility and more specifically usability important in my designs, since I’m now down to one active hand due to a surgery on the other hand, I am now…
Creating a Web security testing policy
If you’re reading this blog, Web security testing is undoubtedly on your radar. You may have an ongoing process for testing Web vulnerabilities, but do you actually have a policy for it? I’m all about keeping things simple with security and, when you think about…
The new OWASP Top 10 for 2010 – Risk and Realities
Kudos to Jeff Williams, Dave Wichers, and the rest of the OWASP team for pulling together the final release of the OWASP Top 10 for 2010. Obviously, a lot of thought and work has gone into this new version. One thing that really jumps out…
Gray Powell and the lost iPhone, and malware
In case you didn’t hear about it already, the story of the day is Gray Powell and the lost iPhone. So I searched for him on Google. I was really surprised to see that 4 out of 10 results from Google’s first page were links…
XSS redirect attack – root compromised via simple tricky redirect
As attacks on infrastructure become more complicated, the true nature of deep penetration attacks proves food for thought for all developers and operators. Consider this case, where the Apache open source infrastructure itself became significantly exposed by a simple XSS attack that utilized…
The road to glory, from XSS to Root on apache.org
On the 9th of April 2010, Apache.org infrastructure suffered a direct and targeted attack on the server hosting the Apache issue-tracking software, Atlassian JIRA. This is the second major compromise the Apache Software Foundation suffered in less than a year, when last August, the main…
VIDEO: Exploiting a Cross Site Scripting vulnerability in Mambo CMS
In this video we look into the details of how an attacker is able to exploit a Cross Site Scripting vulnerability in Mambo CMS (version 4.6.5), discovered by Bogdan Calin with Acunetix Web Vulnerability Scanner. This vulnerability affects a POST parameter in the Mambo…
Acunetix WVS Version 6.5 build 20100407 released
An updated build of Acunetix WVS Version 6.5 has been released. This build includes a number of bug fixes. Bug Fixes: Fixed: Login Sequence Recorder was not using client certificates when recording a login sequence. Fixed: Login Sequence Recorder was not using the configured User…