XSS/Script Injection on my personal site

Subject: XSS/Script Injection on my personal site
Date: Fri, 28 Apr 2006 12:29:40 -0500
In light of the recent Hacker vs. Humanitarian threads
on these lists in the last few days, I find the 580+ IDS
alerts I just got yesterday poignant, and thought some
of you on the lists might as well:

Someone in Atlanta on Cox cable is once again giving
my personal site a "free pen test". I am going to assume
this is related to notifying various vendors of specific
weaknesses in my hosted apps, and attack types that the
vendor tools ineffectively test for.

For the last time, please contact me personally *before*
starting these tests if you'd be so kind. Do you wait
for me to go out on the road so you can fill my webmail
inbox with IDS alerts? ***Not cool.***

I have limited disk space and have to watch this box
closely or everything on it gets DoS'd. Or, alternately,
I can just not help anyone at all.

I have not shipped off sample code and details to all
the vendors yet, and was waiting to publicly release
examples until all vendors were notified.

***

I have been giving notified parties an open invite to
use apps I host as a testbed, but my ONE request is to
please co-ordinate testing w/me so that you do not DoS
my box. Thanks.

***PostNuke Flaws***

BTW// Had you asked, I could have saved you time
wasted testing irrelevant fields, and told you that
PostNuke has issues with the Func param in Blocks
and with the OP param in several places as well.

One of my colleagues and I have attempted to
contact the PostNuke team for about six months now,
and they silently fixed one of the issues we notified
them about in the newest code base, whilst ignoring
us concerning the rest of them.

I did get one response pointing me to where I could
diff their code and find the silent changes myself,
but I lost all personal email in January and no longer
have that contact history.

Arian J. Evans
+1.913.378.3571 [mobile]
