SecurityRatty: tag: input

Injecting IFRAMEs by Abusing Input Validation

2008-03-07 15:53:50 by HASH0x8bac8b8 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

...input validation checks applied so loadable IFRAMEs can no longer load or be accepted at all, despite that the injected pages are still indexed by search engines. A malicious campaign targeting high profile sites that went online and got taken care of for some 48 hours, that's good How was the IFRAME injection possible at the first place?...

Tags: input validation, input validation checks, plan input validation, input, input validation refers, input validation flaw, iframes, iframe, iframe attack

Information flow tracing and software testing

2007-09-17 09:32:00 by Niels Provos in Google Online Security Blog

...input families which trigger them, but not all fuzz testing frameworks have to be this complicated. Fuzz testing originally relied on purely random data, ignorant of specific threats and known dangerous input. Today, this approach is often overlooked in favor of more complicated techniques. Early sanity checks in applications looking for...

Tags: input, flayer marks, initial input samples, flayer, fuzz, fuzz testers require, checks, dynamic analysis framework, sanity checks

Software Security Metrics and Commentary on "Metrics Framework" Paper

2007-09-17 20:41:00 by Security Retentive in Security Retentive

...Input PercentValidatedInput Design Manual review Broken Access Control AnomalousSessionCount Runtime Audit Trail review Broken Authentication / Session Management BrokenAccountCount Runtime Account Review Cross-Site-Scripting XsiteVulnCount Deployment Pen Test Tool Buffer Overflow OverflowVulnCount Deployment Vuln Testing Tools Injection...

Tags: metrics, software security metrics, metrics framework, metrics miss, design-time metric, design, upstream sdl metrics, application, web application security

Android puts out call to mobile security gurus

2008-08-20 00:00:00 by HASH0x8473480 in Network World on Security

Developers of Android, the Linux mobile platform spearheaded by Google, are asking security experts for input

Tags: linux mobile platform, security experts, android, google, developers, input

Automating web application security testing

2007-07-16 11:40:00 by Panayiotis Mavrommatis in Google Online Security Blog

...input received as query parameters is vulnerable to reflected XSS. With a vulnerable application, an attacker can craft a malicious URL and send it to the victim via email or any other mode of communication. When the victim visits the tampered link, the page is loaded along with the injected script that is executed in the context of the...

Tags: web application, application, input, input parameters, accepts user input, xss, xss vulnerabilities, security, security team check

Wired.com and History.com Getting RBN-ed

2008-03-10 14:20:33 by HASH0x8aeaaa0 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

...input to have the malicious parties in the face of the RBN introducing a new malware, in between the pharmaceutical scams that they serve on the basis of an affiliation model . So, after " CNET stops IFRAME site attacks - who's next? " in terms of high-profile sites, that is Wired.com and History.com Key summary points the same malicious...

Tags: malware, vbs malware, malware attack, rbn, media malware gang, iframe injection attack, iframe injection, malware research, high-profile sites

Lessons learned from the massive SQL injection attacks against legacy Microsoft ASP apps

2008-07-08 14:32:33 by Chenxi Wang in Security & Risk Management

...input validation is not done (this is one of the fundamental security programming techniques). When a Web application does not validate its form input, it is opening itself up to code injection attacks including SQL injection. Today, the security industry is doing a decent job of communicating the importance of input validation. But you'll...

Tags: asp, attacks, web applications, legacy web applications, input validation, user input validation, microsoft asp applications, user input, code injection attacks

SDL and Web 2.0

2008-02-28 22:26:00 by sdl in The Security Development Lifecycle

...input validation (making sure that user input conforms to a known good format in the case of the wiki entry, to deny HTML and script content) and output encoding (making sure that any active content that gets past the input validation routines is rendered as harmless text and not executed). Internally, we also mandate the use of code analysis...

Tags: web, site, chriss web site, mashups, web mashups, site cookies, persistent cross-site, cookies, benefit anyones web

PR Storm - Mass iFRAME Injectable Attacks

2008-03-17 17:54:21 by HASH0x8b5dc70 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

...input validation, a good example of tactical warfare combing two different attack tactics, blackhat SEO for traffic acquisition and abusing input validation for injecting iFRAMES, and abusing the sites' search engine optimization practices of storing the now input violated pages. Meanwhile, Iftach Amit at Finjan points out that as it looks...

Tags: massive iframe attack, iframe attack, attack, attack vector, attack tactics, domains, malicious domains, malicious, sites

Your name:
Your email:
Describe a problem:
AntiSPAM Validation:

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo

	Favorites
	My AOL
	My Ask Jeeves
	Blinklist
	Blogmarks
	Del.icio.us
	Digg
	Facebook
	Faves
	Furl
	Google
	Live
	Magnolia
	Netvouz
	Slashdot
	Spurl
	Technorati
	Yahoo