A recent post on “Full-Disclosure” mailing list referenced a web page called “Session Destroyer”. This web page is a demonstration by Kristian Erik Hermansen that promises to make logging off various popular websites very easy. How does it work? This static html page simply contains…
Author Archives Acunetix
THE AUTHOR
Acunetix
American Express website vulnerable… again!
A few days ago a Cross-site-scripting vulnerability was discovered and reported on the American Express Site. A XSS vulnerability can allow attackers to steal user authentication cookies from americanexpress.com, thus leading to an account hijack. As web-security consultant Joshua D.Abraham said, web developers addressed only…
Why upgrade PHP to 5.2.8? Part 2
To read part 1 of this article please refer to the previous post. Note: a large number of vulnerabilities described in this post can be exploited to bypass safe_mode. It is not recommended to rely on this PHP functionality for the security of your web…
What do American Express and Facebook have in common?
Cross Site Scripting seems to be the word of the past few days with high profile sites getting featured on the technology news sites. ZDNet reported how Facebook just fixed four XSS security flaws affecting their developer’s page, the iPhone login page, the new users…
Why upgrade PHP to 5.2.8? Part 1
Note: PHP 5.2.7 is the actual version that fixes the below security holes. PHP 5.2.8 fixes an issue introduced in 5.2.7. Details from the PHP news site. A new version of the popular scripting language, PHP includes a couple of security fixes (taken from the…
Two factor authentication and Web Application Security
A few days ago PayPal announced that they will be supporting Mobile Access for the PayPal Security Key. This means that to log into their accounts, PayPal users receive a 6 digit security code via a text message. This feature obviously adds an extra layer…
How XSS can lead to a Windows Domain compromise
Many times internal web applications are excluded from the scrutinity that external ones are subjected to. It is often assumed that attackers are on the external side of the network and therefore do not have access to any internal resources. In turn this usually leads…
Acunetix WVS Scripting reference available
With Acunetix WVS version 6, Acunetix introduced a Port Scanner and Network Alerts. When scanning a website, a port scan against the web server can be launched (optional) and once open ports are found specific network security tests are launched against the network service running…
Facebook Worm on the Loose
A worm abusing Facebook‘s messaging system is making rounds between friends. It consists of an executable worm known as Koobface that runs on the victim’s computer and searches for Facebook cookies on his or her computer. It will then use these cookies to hijack an…