DWR 2.0.5 Fixes XSS Vulnerability

By Chris Eng June 29, 2008

DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now! As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to offer built-in CSRF protection. You could tell that...

Why Do I Attend BlackHat?

By Chris Eng June 26, 2008

This post is a response to Alan Shimel's Topic of Interest #2 for the Security Bloggers Network. So what motivates me to attend BlackHat? The #1 reason for me is networking -- meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends...

Scrawlr: Are We Being Too Greedy?

By Chris Eng June 25, 2008

HP released a new tool called Scrawlr yesterday that can be used to identify certain types of SQL Injection vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the mass SQL Injection attacks of late. Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al have been quick to point out...

Minimizing the Attack Surface, Part 1

By Chris Eng June 24, 2008

What was the first thing you learned about network security? There's a good chance it had something to do with port scanning. After scanning a few boxes, you realized that modern operating systems have a lot of open ports by default, meaning a lot of services. Some had an obvious purpose, like telnet on tcp/23 or ftp on tcp/21. Others left you wondering, what the heck is listening on tcp/515...

Art vs. Science

By Chris Eng June 20, 2008

I was just reading Dre's post, R.I.P. CISSP, over at the tssci security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern's blog (James is the project leader): As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business...

Someone Should Have Told Them How Switches Work

By Chris Eng June 17, 2008

From the Burlington Free Press, a story about a local hacking competition set up as a spectator event. Their competition, tantalizingly called a "digital combat exercise," was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play. It didn't work out that way, though, thanks to -- what else? -- some sort of technical glitch that...

Verizon Business Has a New Report on Data Breaches

By Chris Wysopal June 12, 2008

The Verizon Business data breach report is by far the most comprehensive and detailed report on data breaches I have seen. It is great to see the breakdown of what is the root cause of these expensive and significant computer security failures. While it is interesting to see counts of malware-infected computers from Symantec and vulnerability counts from CVE, this report gets to the actual...

Trip Report: PH-Neutral

By Chris Eng May 28, 2008

I spent the weekend in Berlin attending a conference called PH-Neutral, run primarily by the Phenoelit crew. This was the first European security conference I've attended and I found it quite different from any North American security gathering I've been to, such as BlackHat, CanSecWest, SOURCE Boston, BlueHat, or RSA. Everything was far more casual and laid back, which is something I had heard...

Responsible-ish Disclosure

By Chris Eng May 8, 2008

Yesterday, Dave Lewis over at LiquidMatrix Security Digest cried foul at Core Security for releasing too much detail about a recent DoS vulnerability they had discovered. His specific gripe was that they provided an IDA Pro excerpt that showed where the vulnerability was triggered. The excerpt is short, so I'll even copy/paste it here: .text:00405C1B mov esi, [ebp+dwLen] ; Our value from packet...

Dilbert Does Canonicalization

By Chris Eng May 5, 2008

I was checking out the "new and improved" Dilbert website a few minutes ago, checking out some of the new features and lamenting the overzealous use of Flash. One new feature is called "Mashups." Naturally, you'd assume that this was some fancy Web 2.0 API that one might use to create a "killer app" combining Google Maps, Twitter, traffic delays, police reports, and Dilbert comics, all neatly...
