Firefox has released new version 3.0.4. Well functionality is nearly the same but they have patched the security fixes.

Read more »

SQL Injection

Well personally I don’t totally depend on automated scanners totally for appsecs but they do help in many cases where the task is repeating or large number of input fields need to be audited. but Appscan would be my choice if it was freeware

Read more »

Ahaaaa.. Newer version of Metasploit is ready to be released sooner. these will contain few newer added features. To brief , they include names such as Browser AutoPwn, Metasploit in the Middle and the Evil Wireless Access Point. As all know Metasploit is free exploit scanner and the best available. Metasploit3.0 project has moved to an all Ruby programming base, which Moore credits with quickening development and exploits.

It has made hacking (for kiddies) very easy. Just choose the target, the exploit and the payload and Boom you get their shell (of-course if the system is vulnerable).

Read more »

Well Here I will not be providing some PoC to hack into these mailing accounts. I will be telling you the methodology that can be used to hack into any of these mailing accounts. The real effort will be yours.

Lets start without any more disclaimer speech and sort.

Read more »

Hi All !

I was browsing the net and stumbled across this article on ZDNet. Researchers have come across an open source tool that is capable of launching automated man-in-middle attacks against popular sites such as Gmail and Facebook. This tool, Middler, is designed to target users who access services via public networks in hotels, coffee shops and aeroplanes. Besides launching man-in-the-middle attacks, in which communications are intercepted so the attacker can pass his own data between the website and the client device, the tool can also compromise computers and even iPhones via their software-update mechanisms.

The tool is intended to demonstrate a particular weakness found in many popular online applications — the use of clear-text HTTP transmissions for much of the user session.

Read more »

Two researchers, Robert Hansen and Jeremiah Grossman were planning to present their research on Clickjacking @ OWASP , New York City but had to postpone their presentation because they figured out that the exploitation of this vulnerability can be worst. Affected Vendors requested them to postpone their disclosure so that they can fix it. Most of the times the vulnerability needs to be fixed by web application but this time browser owners have taken up the task of fixing the vulnerability. Microsoft, Adobe are few of those affected.

Well these attacks are sort of tedious and require precision as compared to other powerful attacks like CSRF, SQLi etc. Attacker needs to know the exact layout of page that victim would possibly be viewing. A small here-and-there can foil the whole attack. These attacks can be done on those pages whose button positions remain static. CSRF token solution will not work here.

Read more »

Gnucitizen has started a new project called Secapps which will be hosting all online web tools. Seems to be nice idea. As of now, they have hosted 2 tools: GHBD and CSRF. Both seem to be nice tool especially the GHDB tool. It has coded a huge DB of Goodle dorks from Johnny.ihackstuff.com.

The project is still in its beta version but looks promising.

Good news for FF fans, new version 3.0.2 has been released for download. Following issues have been adressed in newer version:

Last month, we at our client side were busy fighting phishing attacks. In 30 days we had around 25 phishing attacks. These phishing sites were all hosted on compromised sites with Jhoomla applcation hosted on it. So we had 25 compromised Jhoomla sites. However we were not able to figure out the exploit being used but it surely would be RFI or Remote code execution attack vector being used. So beware you all Jhoomla application users, dont forget to keep monitoring your web-logs frequently. Also check the server files if any suspicious file is lying around. It may be php shell file. Also keep Jhoomla up-to-date.

What’s the big deal about DLP? Guys this is the next big happening thing in security. A new report by analyst Thomas Raschke at the Forrester Research Security Conference 2008 answers some of the FAQs about emerging DLP technology. Raschke notes that DLP, which is designed to prevent insiders from accidentally exposing sensitive data, has four basic functions. First, it provides a means to identify and classify sensitive data. Second, it provides the means to apply policies for handling different kinds of data, based on its content and context. Third, a DLP solution provides a way to monitor data as it travels around the business. Lastly, it provides a way to audit and report on the status of sensitive data, and documents any incidents in which the data was threatened

read more : http://www.darkreading.com/document.asp?doc_id=163021&WT.svl=news1_1