Worst security hole you've ever seen?

In a thread on StackOverflow people (programmers mostly) post about worst security holes they have ever seen. It's pretty interesting reading.

You know what's most interesting about it? If you are a practising pentester, you'll be bored half way through the first page, because you have seen most of those holes. Negative amount of pizza? You bet.

(Avoiding) SQL Injection In LIKE Clause

A lot of web developers have got the message about SQL injection and are using parameterized statements. Still, there are a few cases where using parameterized statements is not quite straightforward, such as in a LIKE clause.

Suppose you want to do something like this:

SELECT * FROM people WHERE name LIKE 'joe%'

and the string "joe" is supplied by the user. How do you do that? This won't work (a ? inside a string literal is just a literal question mark, not a placeholder):

SELECT * FROM people WHERE name LIKE '?%'

Neither will this (a placeholder stands in for a complete value, so ?% is a syntax error):

SELECT * FROM people WHERE name LIKE ?%
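The usual way out is to build the whole pattern in the host language and bind it as a single value, so the query reads LIKE ? and the parameter is 'joe%'. The following is an added example, not code from the original post; it uses SQLite through Python's sqlite3 module, with a constructed people table. It also goes one step beyond the post's question: the user's input is escaped with an ESCAPE clause so that % and _ in it match literally, because a parameterized LIKE still lets a user who types "%" match every row.

```python
import sqlite3

# Assumption: backslash is the escape character, declared with ESCAPE '\' below.
LIKE_ESCAPE = "\\"


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so user input is matched literally."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE + LIKE_ESCAPE)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def find_people_by_prefix(conn, prefix):
    """Safe version: pattern assembled in Python, bound as one parameter."""
    pattern = escape_like(prefix) + "%"
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def find_people_by_prefix_unescaped(conn, prefix):
    """Parameterized but not escaped: no SQL injection, but the user can
    still smuggle in LIKE wildcards and match rows they should not see."""
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ORDER BY name",
        (prefix + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def find_people_vulnerable(conn, prefix):
    """String concatenation: classic SQL injection, shown for contrast."""
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE '" + prefix + "%' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def make_db():
    """Constructed sample data; names chosen to exercise the wildcards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany(
        "INSERT INTO people VALUES (?)",
        [("joe",), ("joanna",), ("joe_b",), ("100% joe",), ("bob",)],
    )
    return conn


if __name__ == "__main__":
    db = make_db()
    print(find_people_by_prefix(db, "joe"))          # only names starting with joe
    print(find_people_by_prefix(db, "%"))            # literal %, matches nothing
    print(find_people_by_prefix_unescaped(db, "%"))  # wildcard leak: every row
    print(find_people_vulnerable(db, "x' OR 1=1 --"))  # injection: every row
```

Note that the safe version takes the injection payload as an ordinary string and simply finds nobody with that name. Whether you need the ESCAPE clause depends on the application: for a search box it is usually a feature that "jo%" matches more than a prefix, but for anything that gates access to rows it is a leak.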

MagicTree Beta One Is Out

MagicTree Beta One is out!

They don't have <dance> or <jump-up-and-down-excitedly> tags in HTML or I'd use those too.

Enabling SSL/TLS Renegotiation in Java

All the crazy SSL servers seem to come my way - ones that only support weird combinations of protocols and ciphers, ones that require client certificates stored on PKCS#11 hardware, and ones that require SSL renegotiation.

Apache Foundation Hacked via Reflected Cross-Site Scripting

I am thoroughly impressed. A combination of reflected XSS, insecure file uploads and bad passwords allowed the attackers to gain root on one of the Apache Foundation's servers, and gain non-privileged shell on another one. Here is the story directly from Apache.

In my opinion the most interesting part here is the fact that reflected XSS was used as the initial step. I always thought XSS, particularly the reflected sort, is somewhat over-hyped. I don't think so any more.


Free Flash Decompiler

Supporting ActionScript 2 and ActionScript 3

During a recent test I stumbled upon this wonderful tool: HP SWF Scan. It is positioned as a vulnerability scanner for Flash, but it also decompiles SWF files. Here is a screenshot:

HP SWF Scan Screenshot

MagicTree Beta One Release Delayed

We are very sorry to say that we have to delay Beta One release of MagicTree. It was planned for the beginning of April, but due to unexpectedly high consulting workload we will have to delay it at least until the beginning of May.

There is just one major feature missing for the Beta: Microsoft Word reporting. We have reporting in OpenOffice format, but MS Word output still needs to be implemented.

Autocomplete and Input History for MagicTree

Components for Java Swing

Most modern user interfaces remember user input and provide autocomplete function. When you start typing a URL in a browser location bar, you get a list of URLs matching the pattern you have typed.

We wanted similar functionality for MagicTree. Whenever the user has to type something, whether it is a command line, an XPath expression or a search term, we wanted the application to remember the previous input and provide autocompletion. Now we have that:

Pentesting Silverlight and WCF RIA Web Services

During a recent test I have encountered a Silverlight application with WCF RIA web services on the server side.

A Silverlight application runs in the browser. It is conceptually similar to a Java applet: the compiled code is downloaded to the browser, where it is executed in a sandbox, and the client side communicates with the server. In the case of the application I was testing, the server side was implemented as several web services.

How To Tell A Good Security Test Report From A Bad One

Suppose you had a penetration test, a vulnerability assessment, a security test, whatever it was called. (Different people use different names for different kinds of tests.) Now you have a report and, apart from having to sort out the problems that were discovered, you want to know whether the testers have done a good job.

This post should help you with that last one.
