On the 4th of July 2010 YouTube users began complaining that their videos had been hijacked, the comments section of their videos seemed to be most severely affected, many complained that old comments vanished and new comments could not be added. Others reported that offensive messages were popping up on their screen or scrolling horizontally in large fonts and striking colors. Some users also seemed to suggest that there were experiencing page redirects, often to sites promoting pornographic content.
In-depth analysis of a PHP attack that lead to Apple information disclosure
Recently over 100,000 Apple customers were affected by an information gathering attack on the AT&T website. Security experts blame this breach on “poorly designed software”. An analysis of the attack reveals that the hackers did indeed use a classic attack, in fact…
7 Signs You’re Not Ready to Run a Web Vulnerability Scan
Looking to hop aboard the Web vulnerability scanning bandwagon to see just how vulnerable your Web site or application really is? Well, not so fast. Here are some signs you’re not ready to begin just yet: 1. You don’t have any desired outcomes…
Web application contingency plans – the missing link in Web security?
Why are Web applications out of the loop when it comes to contingency planning? Look at any given security incident response or disaster recovery plan (assuming they even exist) and chances are business critical Web applications and related systems are missing. At least that’s what…
Consider outside of the box for security – It can be exposing
In the past few days, a site selling Durex condoms have had a small ‘exposure’ problem. As reported, the site had been suffering (time length unknown) from several basic security exposures, including even allowing orders to be viewed online, without a login – simply by…
Security usability and accessibility
Recently security and accessibility issues have become an important topic to me. Although I had always considered accessibility and more specifically usability important in my designs, since I’m now down to one active hand two to a surgery on the other hand, I am now…
Creating a Web security testing policy
If you’re reading this blog, Web security testing is undoubtedly on your radar. You may have an ongoing process for testing Web vulnerabilities but do you actually have a policy for it? I’m all about keep things simple with security and, when you think about…
The new OWASP Top 10 for 2010 – Risk and Realities
Kudos to Jeff Williams, Dave Wichers, and the rest of the OWASP team for pulling together the final release of the OWASP Top 10 for 2010. Obviously, a lot of thought and work has gone into this new version. One thing that really jumps out…
XSS redirect attack – root compromized via simple tricky redirect
As the attacks on infrastructure become more complicated, the true nature of deep penetration attacks prove food for thought for all developers and operators. Consider this case – where the Apache open source infrastructure itself became significantly exposed by a simple XSS attack that utilized…