When it comes to Web security why is it we always seem to focus on layer 7 only? Sure, it can be argued that XSS, SQL injection, flawed application logic and so on are the big deal items in any given Web system. But who…
Statistics from the top 1,000,000 websites
Note: This article refers to an older version of Acunetix. Click here to download the latest version. The next version of Acunetix Web Vulnerability Scanner (version 7), will contain a much more improved HTTP stack. While testing, we wanted to test the new HTTP stack…
Rockyou gets rocked by hackers and old exploit
Well, it has happened. This time, the users themselves have taken action against rockyou.com for their inadvertent disclosure of customer information. Hacker activity has meant Rockyou disclosed what looks like over 32,000,000 accounts. Yes, 32 Million! What is interesting about this case, for me anyways,…
An In-Depth Look at SQL Injection
SQL injection attacks are one of the most common techniques hackers use to access secure information from web servers to carry out illegitimate activities. This hacking technique also demonstrates how vulnerable systems are on not just the insecure ports and other firewall protected fronts, but…
Is a Vulnerability Scan Invasive Enough to Damage my Site or Data?
A common question asked about web vulnerability scanners is – “does this tool perform invasive scans?”, or “will it damage my website or web application?”. Such questions are common since black-box scanners tend to cause email floods, as well as publishing of garbage blog posts…
PHP "multipart/form-data" denial of service
PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition we’ve reported some time ago. The problem is related with PHP’s handling of RFC 1867 (Form-based File Upload in HTML). When you send a POST request to a…
Looking back at 2009 through SQL Injection goggles
The earliest public mention I could find of SQL Injection (‘piggybacking SQL statements’ as the author put it) was from someone who called himself Rain Forest Puppy (RFP). In 1998 RFP wrote an article for Phrack Magazine (Volume 9, Issue 54) in which he talks…
Secure Password Recommendations and Research
You have a lot of things you try to keep secure, and some of them you simply have to put in other people’s hands because you can’t do it on our own (like your website *hint hint*). However, there are some things you do have…
Statistics from 10,000 leaked Hotmail passwords
An anonymous user posted usernames and passwords for over 10,000 Windows Live Hotmail accounts to web site PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list and quickly generated some statistics from these passwords. First, my impression…