An anonymous user posted usernames and passwords for over 10,000 Windows Live Hotmail accounts to web site PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list and quickly generated some statistics from these passwords. First, my impression…
Acunetix WVS Version 6.5 build 20091005 released
An updated build for Acunetix WVS Version 6.5 has been released with some improvements, bug fixes and new security checks. New: added a new check for SVN repositories. Improvements: improved MultiRequest parameter manipulation, now using the form matcher to match parameter values; improved SQL injection…
Acunetix WVS Version 6.5 build 20090917 released
An updated build for Acunetix WVS Version 6.5 has been released with some improvements and bug fixes. New: added two new blind SQL injection tests; added a new scanning profile for stored XSS only; added an HTTP verb tampering check using the POST method. Improvements: improved appearance for…
SQL injection used in largest data security breach in U.S. history to date
Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit and debit card numbers from five leading companies. They took advantage of a coding error, and allegedly used a SQL injection attack to compromise a web application, which was…
Security risks associated with utf8_decode and XSS filters
At BlackHat USA 2009, Eduardo Vela Nava (sirdarckcat) and David Lindsay presented a paper entitled “Our Favorite XSS Filters and How to Attack Them”. It is a very interesting paper and you should definitely take a look at it. In this paper, among other things, they presented a very interesting…
New Acunetix WVS V6.5 build; better support for CAPTCHA and modern authentication mechanisms
With the release of the latest Acunetix WVS Version 6.5 build, 20090728 (https://www.acunetix.com/support/build-history.htm), we announce that Acunetix WVS has better support for web applications with CAPTCHA, single sign-on and two-factor authentication mechanisms. Thanks to the new ‘Manual Intervention’ module, IT security professionals can now save…
2 of SANS’s top 25 most dangerous programming errors led to more than 1.5 million website security breaches in 2008
Earlier this year, a report from the SANS Institute showed that two of the twenty-five most dangerous programming errors led to more than 1.5 million website security breaches in 2008. The report is a joint effort from more than 30 US and international cyber…
Web Application Firewalls do not replace secure development and operation of web applications
In the eval($WAF); whitepaper, L. Nothdurfter, W. Neudorfer and M. Kirchner from the University of Applied Sciences Upper Austria explain in detail how they evaluated the capabilities of some leading WAFs (web application firewalls), and concluded that although a WAF can raise the security level, secure development…
Every website is a target; hacktivism
As stated in previous blog posts, hackers don’t just hack websites to steal online databases and credit card details. Hacktivism, where innocent websites are defaced by malicious users to transmit their political view or opinion, is on the increase. In many major world political events,…