A few days ago a Cross-site-scripting vulnerability was discovered and reported on the American Express Site. A XSS vulnerability can allow attackers to steal user authentication cookies from americanexpress.com, thus leading to an account hijack. As web-security consultant Joshua D.Abraham said, web developers addressed only…
Why upgrade PHP to 5.2.8? Part 2
To read part 1 of this article please refer to the previous post. Note: a large number of vulnerabilities described in this post can be exploited to bypass safe_mode. It is not recommended to rely on this PHP functionality for the security of your web…
Why upgrade PHP to 5.2.8? Part 1
Note: PHP 5.2.7 is the actual version that fixes the below security holes. PHP 5.2.8 fixes an issue introduced in 5.2.7. Details from the PHP news site. A new version of the popular scripting language, PHP includes a couple of security fixes (taken from the…
URL Rewriting and AcuSensor Technology; automation and advantages
Note: This articles refers to an older version of Acunetix. Click here to download the latest version. Nowadays, a lot of web applications are using URL rewriting. URL rewriting involves converting normal URLs to search engine friendly URLs. Usually the reason for doing this is…
Two factor authentication and Web Application Security
A few days ago PayPal announced that they will be supporting Mobile Access for the PayPal Security Key. This means that to log into their accounts, PayPal users receive a 6 digit security code via a text message. This feature obviously adds an extra layer…
AcuSensor Technology in action; finding backdoors in web applications
On March 2, 2007 the following was posted on the WordPress blog: Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your…
How XSS can lead to a Windows Domain compromise
Many times internal web applications are excluded from the scrutinity that external ones are subjected to. It is often assumed that attackers are on the external side of the network and therefore do not have access to any internal resources. In turn this usually leads…
SQL Injection in Mambo found with Acunetix AcuSensor Technology
This post shows how with Acunetix AcuSensor Technology improves scanning reliability by using sensors placed inside the web application being scanned. It also proves that with this technology, one can detect SQL injections in INSERT statements. Such vulnerabilities cannot be found using a typical web…
Looking back at how Microsoft UK events website got hacked in 2007
Back in 2007, the partner event registration page of the Microsoft UK events website has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website. Read more in…