The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative, industry-wide effort to pool sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. It ascertains which classes of attacks are the most prevalent, regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project tries to be the equivalent for custom web applications.
This article contains web application vulnerability statistics collected during penetration tests, security audits and other activities carried out by WASC member companies in 2008. The statistics cover 12186 sites with 97554 detected vulnerabilities.
WASC Web Application Security Statistics 2008
Download.
Showing posts with the label vulnerabilities.
Monday, 19 October 2009
Wednesday, 3 June 2009
Adding protection means adding "a hole"
Funny news
New D-Link protection for Wi-Fi routers is a hole in security!
D-Link had barely announced updated firmware for its wireless routers, with CAPTCHA protection against automated logins, when several enthusiasts found out that this new protection measure makes the routers more vulnerable to password theft.
http://www.securitylab.ru/news/379779.php
Details:
http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/
There are some comments on the SecurityLab forum that say:
Is it another attack with a default password?
The situation is more amusing than that. D-Link uses the CAPTCHA to protect against Cross-Site Request Forgery (CSRF), or, more precisely, against the router-specific exploitation of it that Symantec memorably named Drive-by Pharming. But an implementation error (the router accepts requests carrying a valid hash without the CAPTCHA) turns this protection into a vulnerability.
If the password is the default one, there is already a method to bypass Basic authentication via JavaScript (see "Breaking through the perimeter", http://www.securitylab.ru/analytics/292473.php ).
But when the password (or a derivative of it, such as a hash) is sent in a GET request, duplicating Basic authentication, the situation is more interesting: an attacker can not only use the hash of the default password but also brute-force the user's password with JavaScript via CSRF, the very attack the CAPTCHA was supposed to prevent.
This means the vulnerability affects not only default passwords but also makes brute-force attacks on user passwords via CSRF more effective. The usual password protections (timeouts, temporary lockout, etc.) do not apply, because from the router's point of view this is not a brute-force attack: each request is an ordinary login attempt carrying a different "normal" hash, which is used in place of a session identifier. A simple script is enough, one that calls the address
GET /post_login.xml?hash=
and checks whether the action succeeded. All that remains is to trick the user into opening the page. :)
Overall, a rather interesting design error in the authentication mechanism of the web application.
Monday, 18 May 2009
Tool for WINS and DNS (MS09-008)
The utility detects potentially dangerous entries in DNS and WINS service databases. It can also scan the local network for hosts with dangerous NetBIOS names. If system and security administrators run the utility regularly, they can keep track of potentially dangerous entries in the name servers and of hosts with dangerous NetBIOS names on the local network.
Detailed information can be found in the article by Sergey Rublev and on SecurityLab:
http://www.securitylab.ru/news/extra/380522.php
http://www.securitylab.ru/_download/articles/wpad_weakness_en.pdf
Download here:
http://www.ptsecurity.ru/download/wpadcheck_en.zip
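As an added example of the kind of check such a utility performs (this is not the Positive Technologies wpadcheck tool and not the code from the article), the script below scans a BIND-style zone export for the two owner names that MS09-008 treats as dangerous: a "wpad" record lets whoever registered it hand out a proxy configuration to every client in the zone, and an "isatap" record lets them become the ISATAP router for IPv6 transition traffic. The zone text is constructed sample data.

```javascript
// Added example: scan a BIND-style zone export for wpad/isatap records.
// Not the wpadcheck tool. The zone below is constructed sample data.
const DANGEROUS_NAMES = new Set(["wpad", "isatap"]);
const ADDRESS_TYPES = new Set(["A", "AAAA", "CNAME"]);

const SAMPLE_ZONE = `
$ORIGIN corp.example.
$TTL 3600
@        IN SOA  ns1 hostmaster 2009051801 7200 900 1209600 3600
@        IN NS   ns1
ns1      IN A    10.0.0.2
fileserv IN A    10.0.0.10
WPAD     IN A    10.0.0.99   ; registered by a workstation via dynamic update
isatap.corp.example. 600 IN A 10.0.0.98
printer  IN A    10.0.0.11
`;

// Minimal zone-file parser: handles $ORIGIN, "@", relative owner names,
// optional TTL and class fields, and trailing comments. Multi-line
// parenthesised records are out of scope for this example.
function parseZone(text) {
  let origin = ".";
  const records = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/;.*$/, "").trim();
    if (!line) continue;
    const fields = line.split(/\s+/);
    if (fields[0] === "$ORIGIN") { origin = fields[1]; continue; }
    if (fields[0].startsWith("$")) continue; // $TTL and friends
    let owner = fields[0];
    if (owner === "@") owner = origin;
    else if (!owner.endsWith(".")) owner = `${owner}.${origin}`;
    // Drop an optional TTL and class so the record type is next.
    const rest = fields.slice(1).filter((t) => !/^\d+$/.test(t) && !/^(IN|CH|HS)$/i.test(t));
    records.push({
      owner: owner.toLowerCase(),
      type: rest[0].toUpperCase(),
      rdata: rest.slice(1).join(" "),
    });
  }
  return records;
}

// Flag address records whose leftmost label is wpad or isatap. The match is
// on the label, not the whole name, because the danger is the same at any
// depth: clients search their DNS suffixes for exactly these labels.
function findDangerous(records) {
  return records.filter(
    (r) => DANGEROUS_NAMES.has(r.owner.split(".")[0]) && ADDRESS_TYPES.has(r.type)
  );
}

function report(zoneText) {
  return findDangerous(parseZone(zoneText)).map((r) => `${r.owner} ${r.type} ${r.rdata}`);
}

console.log(report(SAMPLE_ZONE).join("\n"));
```

Two details matter in practice. The comparison is case-insensitive, because DNS names are, and a dynamically registered "WPAD" is just as effective as "wpad". And the check looks at address-bearing types only: an NS or SOA record named wpad would be odd but is not what a browser's proxy auto-discovery resolves.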
Labels: Microsoft, pentest, tools, vulnerabilities
Sunday, 12 April 2009
Security in our life
I took a flight from Domodedovo airport (Moscow) recently, and thought a lot…
And my thoughts were hard… I hope it is only in Britain and only on submarines.
PS. If somebody does not recognize it – this is Symantec - Kido/Conficker/Downadup.