SQL injection attacks are sometimes, inaccurately, referred to as SQL malware. Like local and remote file inclusion attacks, an SQL injection attack abuses user input that the application fails to validate; the difference is that the input is spliced into a database query and executed as SQL rather than loaded as a file. In this case, a web page that is using a database like MySQL to query…
10 great ways to get hacked in the New Year
It’s that time of year for us to get inundated with all those Top 10 lists to help us achieve this, prevent that and so on. Those lists are valuable indeed, especially if you need some motivation to get your year started off on the…
Which scan policy should you use to find everything that matters?
If only Web application security were black and white. We could simply load our scanner without thinking anything through, enter the URL, click Scan, generate a report of issues for someone else to address and be done with it. Sadly, I think some people do…
Google XSS Flaw in Website Optimizer Scripts explained
This week thousands of system administrators who make use of Google products will open their inbox to see an email from Google explaining that their Website Optimizer product contains an XSS flaw that allows attackers to inject scripts into pages that include the Website Optimizer script.
Statistics from a phisher’s list
Last night I was following some security related forums and someone posted a phishing kit for a popular bank from Romania. A phishing kit is a collection of scripts to help a script kiddie launch a phishing exploit and steal data such as credit…
HTTP Post Denial Of Service: more dangerous than initially thought
Wong Onn Chee and Tom Brennan from OWASP recently published a paper* presenting a new denial of service attack against web servers. What’s special about this denial of service attack is that it’s very hard to fix because it relies on a generic problem in…
Notable changes in PCI DSS 2.0 affecting Web application security
“Clarification, additional guidance, and evolving requirements” – welcome to the new PCI standards! Hot off the press are the new PCI DSS and PA-DSS requirements which take effect January 1, 2011. So, if you work in or around Web application security, it’ll behoove you to…
Application Security: Don’t get caught off guard with dangerous assumptions
Don’t get caught off guard. We hear that statement all the time with regards to information security. Sadly, as many businesses have experienced, such talk is cheap. Obviously no one wants their Web site to get hacked. Okay, maybe a few admins or developers who…
Preventing phishing attacks is not just a technical issue
A client of mine who’s a security administrator for a business in the financial industry contacted me recently about some odd behavior he was seeing on his network. Apparently numerous spidering/mirroring requests were being sent to his company’s marketing website from a foreign country –…