How can any web page log you off all other websites?

A recent post on “Full-Disclosure” mailing list referenced a web page called “Session Destroyer”. This web page is a demonstration by Kristian Erik Hermansen that promises to make logging off various popular websites very easy. How does it work? This static html page simply contains IMG tags that link to the logout url for various […]

Read More →

American Express website vulnerable… again!

A few days ago a Cross-site-scripting vulnerability was discovered and reported on the American Express Site. A XSS vulnerability can allow attackers to steal user authentication cookies from americanexpress.com, thus leading to an account hijack. As web-security consultant Joshua D.Abraham said, web developers addressed only one instance of the problem. They did not fully assess […]

Read More →

Why upgrade PHP to 5.2.8? Part 2

To read part 1 of this article please refer to the previous post. Note: a large number of vulnerabilities described in this post can be exploited to bypass safe_mode. It is not recommended to rely on this PHP functionality for the security of your web servers. Only use safe_mode as a supplement to PHP code […]

Read More →

Why upgrade PHP to 5.2.8? Part 1

Note: PHP 5.2.7 is the actual version that fixes the below security holes. PHP 5.2.8 fixes an issue introduced in 5.2.7. Details from the PHP news site. A new version of the popular scripting language, PHP includes a couple of security fixes (taken from the Changelog): Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371) Fixed missing […]

Read More →

How XSS can lead to a Windows Domain compromise

Many times internal web applications are excluded from the scrutinity that external ones are subjected to. It is often assumed that attackers are on the external side of the network and therefore do not have access to any internal resources. In turn this usually leads to Web Applications being vulnerable to common security flaws such […]

Read More →

Acunetix WVS Scripting reference available

With Acunetix WVS version 6, Acunetix introduced a Port Scanner and Network Alerts. When scanning a website, a port scan against the web server can be launched (optional) and once open ports are found specific network security tests are launched against the network service running on that port. A full range of tests are available, […]

Read More →