
Web Application Security Newsletter - November 2006
A MESSAGE FROM THE EDITOR - On October 30th Cenzic launched Hailstorm Enterprise ARC (Application Risk Controller) to help enterprises stay ahead of the curve in managing their online security status. Many companies are not aware of the numerous web applications they have running; hence, they are not aware of the security risks that some of these applications might pose. Cenzic's new Enterprise ARC offers companies a comprehensive, proactive, and automated solution to their online security.
This month we feature an article that builds awareness about SQL truncation attacks and offers suggestions on how you can avoid the new ways in which attackers are injecting SQL code. Hackers are also behind the new VoMM software being developed to hide browser attack code from some anti-virus software. Also, an additional security flaw was recently discovered in IE 7, and the popular Web site MySpace was used to demonstrate an XSS vulnerability. To all subscribers, we strive to keep you well informed, aware, and ahead of the curve when it comes to your online security and safety.
1. Cenzic Unveils Web Application Discovery and Security Assessment Solution
Product simplifies application vulnerability management for enterprises
Cenzic has unveiled Hailstorm Enterprise ARC (Application Risk Controller), its first product to address application security assessment across the enterprise. According to the latest Symantec Threat Report, 59% of total vulnerabilities relate to web applications. The product simplifies ongoing application testing and application vulnerability management and provides a valuable solution to business risk management. Featuring an intelligent dashboard, the product gives companies the ability to automatically discover and inventory applications and provides a comprehensive view of their application security status.
2. SQL Security
New SQL Truncation Attacks and How to Avoid Them
Avoid these new ways that attackers can inject SQL code
SQL truncation attacks are similar to other forms of injection attacks in which untrusted data is used to construct statements. This article discusses some new ways in which SQL statements can be modified or injected. Best practices are recommended for constructing delimited identifiers and SQL literals. Author Bala Neerumalla suggests ways you can avoid these malicious exploits.
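As an added illustration of the defect the article covers (not code from the article or from Cenzic), the Python below models what happens when a correctly escaped delimited identifier or string literal is copied into a fixed-width buffer: the closing delimiter, or one half of a doubled quote, is silently dropped. The escaping rules, buffer widths and sample values are assumptions constructed for the example; SQL-side behaviour is simulated rather than executed.

```python
# Model of the SQL truncation defect: escaping is correct, but the escaped
# result is then stored in a fixed-width buffer (e.g. a stored-procedure
# variable declared too short) and truncated. Assumed rules: a literal is
# single-quoted with embedded quotes doubled; an identifier is bracketed
# with embedded ']' doubled. All sample values are constructed.


def quote_literal(value: str) -> str:
    """Escape for a single-quoted SQL string literal by doubling quotes."""
    return "'" + value.replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Escape for a bracket-delimited identifier by doubling ']'."""
    return "[" + name.replace("]", "]]") + "]"


def store_fixed_width(text: str, width: int) -> str:
    """Models assignment to a fixed-length variable or column: silent truncation."""
    return text[:width]


def is_well_delimited(fragment: str, open_ch: str, close_ch: str) -> bool:
    """True only if the fragment is one complete, properly delimited token.

    Inside the delimiters, every closing delimiter must appear as a doubled
    pair; a lone one means a delimiter was cut off by truncation.
    """
    if len(fragment) < 2 or fragment[0] != open_ch or fragment[-1] != close_ch:
        return False
    inner = fragment[1:-1].replace(close_ch * 2, "")
    return close_ch not in inner


def build_literal_unsafe(value: str, width: int) -> str:
    """Escape, then truncate to the buffer: the defect the article describes."""
    return store_fixed_width(quote_literal(value), width)


def build_literal_safe(value: str, width: int) -> str:
    """Escape, then refuse any result that would not fit the buffer intact.

    Checking the length *after* escaping is the point: the escaped form can be
    longer than the raw input, so validating the raw input's length is not enough.
    """
    escaped = quote_literal(value)
    if len(escaped) > width:
        raise ValueError("escaped literal exceeds buffer width; refusing to truncate")
    return escaped
```

With a 5-character buffer, `build_literal_unsafe("ab'", 5)` yields `'ab''`, which `is_well_delimited` rejects because the final doubled quote lost its partner, whereas `build_literal_safe` raises instead of emitting the broken fragment.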
3. FBI: Companies Need to Report Cyber Attacks
Underreporting: A huge issue for the FBI
Companies are urged to report cyber-crimes to help authorities investigate such attacks and attempted attacks. Underreporting of these crimes is a huge issue, according to Special Agent Mark Mershon, the assistant director-in-charge of the FBI's New York City office. In a recent keynote address at the Infosecurity Conference and Exhibition, Mershon discussed the three most important issues facing the FBI each day: counterterrorism, counterintelligence, and cyber-crimes.
4. Hackers' project hides browser-busting code
New VoMM software hides browser attack code
Hackers are developing a new software program called eVade o' Matic Module Code (VoMM) that will help hide browser attack code from security software. The new software mixes up known exploit code so it becomes unrecognizable to some types of antivirus software. One developer behind the project states that VoMM "can create an endless number of variants of an exploit."
5. Another IE 7 pop-up security flaw discovered
Attackers can alter pop-up window content in legitimate sites
Security researchers recently discovered a pop-up window security flaw in IE 7. Researchers at Secunia report that users who visit trusted sites can possibly fall victim to this exploit. Merely viewing the pop-up window will not allow access to a user's computer. If users, however, enter sensitive data in a pop-up window that contains malicious code, their information can be stolen by the attacker. Recently another security flaw was discovered in IE 7 that can spoof the address of a pop-up window.
6. MySpace Zero Day Shows XSS Vulnerability
Potential is demonstrated for evading XSS filters
The MySpace Web site has been used to demonstrate an XSS fragmentation attack. In the case demonstrated on the MySpace site, several fragments pass through the filters applied to forms. The MySpace vulnerability also demonstrates that sites which permit user comments on articles might be vulnerable as well.