Category Archives: Surviving The Week

Weekly collection of the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.


Surviving the Week 2/1/13 – Ruby on Rails – JSON Parser Vulnerability

Ruby on Rails – JSON Parser Vulnerability


The JSON parser, which converts JSON into YAML and in turn hands it over to the YAML parser, is buggy. The delivered fix replaces the YAML backend (yaml.rb), which was allowing foo strings. This is far too similar to the earlier 156 bug, which means far more exploits in the wild.

XSS Attacks Spike in Q4 2012

FireHost, a secure cloud hosting company, released statistics on Q4 2012 Web application attacks last week. The report details both the type and number of attacks hitting its servers in the U.S. and Europe between October and December 2012.

FireHost reports statistics like these quarterly, with a focus on what it calls “The Superfecta”: the four attack types it rates as most dangerous.

FireHost reported that Cross-Site Scripting and SQL Injection attacks became more prevalent since the third quarter of 2012, with Cross-Site Scripting (XSS) leading the way in terms of attack types.

Test your application with NTOSpider to find out all possible vulnerabilities. NTOSpider produces a separate report for XSS that enables you to drill into the report and reproduce the vulnerability.

Unicode Security Testing Library

Chris Weber announced on his blog last week that he has released a small utility library, unicode-hax, which is now available on GitHub. When it comes to testing string input to find bugs or vulnerabilities, Unicode can be a tester’s best friend. Strings are not simple things for software engineers – they require a lot of planning – buffers, encodings, transmission, and storage are just a few concerns. Chris wanted to answer some of the common questions people ask, like:

  • What characters should I use for testing?
  • Which ones flip text around?
  • Which ones cause problems?
  • Which one maps to an apostrophe for SQL injection, or a less-than sign for XSS?

As Chris said, “Happy Bug Hunting!”
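The questions above come down to one defensive rule: normalise before you validate, and treat bidirectional control characters as input in their own right. The script below is an added example written for this post, not code from unicode-hax or its author; the sample characters are constructed here, and a validator that checks for `<` or `'` before NFKC normalisation is shown beside one that checks afterwards.

```python
import unicodedata

# Constructed test characters for this example; unicode-hax ships its own, larger catalogue.
SAMPLES = {
    "fullwidth_less_than": "\uFF1C",   # FULLWIDTH LESS-THAN SIGN, NFKC-normalises to "<"
    "fullwidth_apostrophe": "\uFF07",  # FULLWIDTH APOSTROPHE, NFKC-normalises to "'"
    "rtl_override": "abc\u202Edef",    # RIGHT-TO-LEFT OVERRIDE flips the display order of what follows
    "plain": "abc",
}

# Characters that matter in an HTML text context or inside a single-quoted SQL literal.
DANGEROUS = set("<>\"'&")

# Bidirectional control classes as reported by unicodedata.bidirectional().
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def nfkc(value: str) -> str:
    """Apply NFKC compatibility normalisation, which folds fullwidth forms to ASCII."""
    return unicodedata.normalize("NFKC", value)


def naive_check(value: str) -> bool:
    """Validation done before normalisation: it only sees the literal ASCII characters."""
    return any(ch in DANGEROUS for ch in value)


def normalised_check(value: str) -> bool:
    """Validation done after NFKC, matching what a downstream component may do to the string."""
    return any(ch in DANGEROUS for ch in nfkc(value))


def has_bidi_control(value: str) -> bool:
    """Flag explicit bidi overrides/embeddings, the characters that 'flip text around'."""
    return any(unicodedata.bidirectional(ch) in BIDI_CONTROLS for ch in value)


def classify(samples: dict) -> dict:
    """Run all three checks over a sample set and report the outcome per sample."""
    return {
        name: {
            "naive_flags": naive_check(value),
            "normalised_flags": normalised_check(value),
            "bidi_control": has_bidi_control(value),
        }
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, result in classify(SAMPLES).items():
        print(f"{name:22s} {result}")
```

The fullwidth samples pass the naive check and fail the normalised one, which is the gap a tester is probing for; the fix is to normalise once at the trust boundary and validate the normalised value, and to reject or strip bidi controls where text is rendered for a human to read.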

To avoid the pain of these permutations, use NTOSpider. NTOSpider will fuzz the application not only with Unicode characters but with several other encodings as well.

Multiple Vulnerabilities

CurvyCorners Cross Site Scripting –
gpEasy 3.5.2 Cross Site Scripting –
ImageCMS 4.0.0b SQL Injection –
SonicWALL GMS 6 Arbitrary File Upload –
Kohana Framework 2.3.3 Directory Traversal –


Surviving the Week 1/18/13

A Lesser Cross-Site Scripting Attack Greater Than Your Regex Security

A lot of developers rely on regex to protect against XSS. The following article demonstrates the different ways developers use regex for this and how each can be bypassed.
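To make the point concrete, here is an added example (written for this post, not taken from the article it links to) that puts a blocklist regex of the kind the article criticises beside context-aware output encoding, and runs both over a few constructed inputs. The check function reports whether any markup-significant character survives each defence.

```python
import html
import re

# Constructed sample inputs for this example; none come from the linked article.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "uppercase": "<SCRIPT>alert(1)</SCRIPT>",
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
}

# A blocklist of the kind the article warns about: delete literal <script> and </script> tokens.
_SCRIPT_TOKEN = re.compile(r"</?script>")


def naive_regex_filter(value: str) -> str:
    """Remove exact-case <script>/</script> tokens and return the rest untouched."""
    return _SCRIPT_TOKEN.sub("", value)


def encode_for_html_text(value: str) -> str:
    """Output-encode for the HTML text/attribute context instead of trying to recognise bad input."""
    return html.escape(value, quote=True)


def contains_markup_chars(value: str) -> bool:
    """Detection check: does the value still hold characters an HTML parser treats as markup?"""
    return any(ch in value for ch in "<>\"'")


def compare_defences(samples: dict) -> dict:
    """For each sample, report whether markup survives the regex filter and the encoder."""
    return {
        name: {
            "regex_leaves_markup": contains_markup_chars(naive_regex_filter(payload)),
            "encoder_leaves_markup": contains_markup_chars(encode_for_html_text(payload)),
        }
        for name, payload in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare_defences(SAMPLES).items():
        print(f"{name:10s} regex={result['regex_leaves_markup']} "
              f"encoder={result['encoder_leaves_markup']}")
```

Only the first sample is neutralised by the regex; a case change or a tag nested inside a tag passes through, and in the nested case the filter itself reassembles the tag it was meant to remove. Encoding for the output context leaves nothing the parser can interpret, whatever the input, which is why it is the primary control and a regex at most a secondary one.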

Our web application security scanner, NTOSpider, reports accurate and actionable results that are designed to assist in remediation efforts and to help users quickly get to the data that matters most.

New Java Exploit

Bootleggers were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control of Windows PCs.

Multiple Vulnerabilities Detected

Drupal Core 6.x / 7.x Cross Site Scripting / Access Bypass –
PHP Chart 1.0 Code Execution –
Cydia Repo Manager Cross Site Request Forgery –
Drupal RESTful Web Services 7.x Cross Site Request Forgery –
Drupal Live CSS 6.x / 7.x PHP Code Execution –
Drupal Mark Complete 7.x Cross Site Request Forgery –
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root –


Surviving the Week 1/4/13

SSNs, Salary Information Exposed In Breach of Army Servers


Computer hackers have illegally gained access to personal information of more than 36,000 people connected to Army commands formerly based at Fort Monmouth. An Army spokeswoman says the information includes names, birth dates, Social Security numbers, addresses and salaries.

Avoid critical hacks and scan your applications with NTOSpider (DAST) or our SaaS solution, NTOSpider On-Demand.

Researchers Find Malware Targeting Java HTTP Servers

Security researchers from antivirus vendor Trend Micro have uncovered a piece of backdoor-type malware that infects Java-based HTTP servers and allows attackers to execute malicious commands on the underlying systems. The threat, known as BKDR_JAVAWAR.JG, comes in the form of a JavaServer Page (JSP), a type of Web page that can only be deployed and served from a specialized Web server with a Java servlet container, such as Apache Tomcat.

Multiple Vulnerabilities

Guru Auction 2.0 SQL Injection –
Polycom HDX Video End Points Cross Site Scripting –
Log Analyzer 3.6.0 Cross Site Scripting –
SonicWall Email Security 7.4.1.x Cross Site Scripting –
WordPress Asset-Manager PHP File Upload –

UN Site Hacked

The United Nations website was recently hacked.

Microsoft Releases Fix It Tool to Address IE Security Zero-Day

The Fix It tool is aimed at addressing a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not impacted.


Surviving the Week 12/28/12

The 2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition

The business logic abuse scenarios presented by the Ponemon Institute are web scraping, account hijacking, click fraud, botnets causing denial of service, electronic wallet exploitation, coupon abuse, testing stolen credit cards, mobile device malware used to take over customer accounts, app store/marketplace fraud, and mass registration.

NT OBJECTives provides a white paper on “Attacking and Exploiting the Top 10 Business Logic Attack Vectors” at –

Tool to Decrypt TrueCrypt and PGP

ElcomSoft has built a utility that combs for encryption keys in snapshots of a PC’s memory to decrypt PGP and TrueCrypt-protected data.

ElcomSoft’s gear can extract these decryption keys from a copy of the computer’s memory, typically captured using a forensic tool or acquired over Firewire.

Croatian Banks Hacked by Anonymous

The Anonymous Croatia hacking crew defaced the websites of two Croatian banks: Karlovacka Banka and Samoborska Banka.

The hackers left a message saying: “We are Anonymous. We don’t forgive. We don’t forget. You were stealing enough from people. Soon the other banks will fall”.


Security Researchers Identify Malware Infecting U.S. Banks

Security researchers from Symantec have identified an information-stealing Trojan program that was used to infect computer servers belonging to various U.S. financial institutions.

Dubbed Stabuniq, the Trojan program was found on mail servers, firewalls, proxy servers, and gateways belonging to U.S. financial institutions, including banking firms and credit unions, Symantec software engineer Fred Gutierrez said Friday in a blog post.

3,000,000 Verizon Wireless Accounts Leaked

A report surfaced this week that Verizon Wireless, a premier mobile carrier in the United States, has been breached, with three million customers compromised as a result. While the number may seem large, it represents a small fraction of the company’s user base.



Surviving the Week 12/21/12

HTML5 Definition Complete, W3C Moves to Interoperability Testing and Performance


The 5th revision of HTML is regarded as the future of the web markup language. The long-awaited specs for HTML5 have been finalized. This week, W3C published the complete definition of the HTML5 and Canvas 2D specifications. –

Multiple Vulnerabilities During the Week

Joomla ZtAutoLink Local File Inclusion –
Kiwi Syslog Web Access 1.4.4 SQL Injection –
Free Hosting Manager 2.0.2 Cross Site Scripting –
Banana Dance B.2.6 Inclusion / Access Control / SQL Injection –
Elite Bulletin Board 2.1.21 SQL Injection –
Drupal Core 6.x / 7.x Access Bypass / Code Execution –
SurgeFTP Remote Command Execution –
Cerberus FTP Server Cross Site Scripting –
TWiki 5.1.2 Command Execution –
D-Link DCS-9xx Password Disclosure –
Centreon 2.3.x SQL Injection –
phpwcms Remote Code Execution –


Surviving the Week 12/14/12, Most Healthcare Organizations Suffered Data Breaches

Most Healthcare Organizations Suffered Data Breaches

Two separate reports released this week show the critical condition of U.S. healthcare organizations and hospitals when it comes to data breaches, with 94 percent of healthcare organizations hit by at least one data breach and close to half suffering more than five breaches in the past two years.

Use NTOSpider (DAST) or our SaaS solution, NTOSpider On-Demand, to scan your applications.


Tutorial on SQLi Labs

SQL Injection has been one of the deadliest attacks an application can face. This tutorial seems to be a nice start for understanding SQL Injection.

SQL Injection cheat sheet –
Also, our free tool, NTO SQL Invader, will help exploit SQLi vulnerabilities.


Microsoft Security Bulletin Summary for December, 2012

It was the final Patch Tuesday for Microsoft in 2012, and it fixes 5 critical vulnerabilities. Patch your Microsoft products. Details can be found at:


Multiple Vulnerabilities

Splunk 5.0 Custom App Remote Code Execution –
Achievo 1.4.5 Cross Site Scripting / SQL Injection –
ClipBucket 2.6 Revision 738 SQL Injection –
IBM System Director Agent DLL Injection –
Maxthon / Avant Browser XCS / Same Origin Bypass –
m0n0wall 1.33 Cross Site Request Forgery –


Surviving the Week 12/7/12, PayPal Fixes Trio of Remote-Access Vulnerabilities

Detecting Successful XSS Testing with JS Overrides with ModSecurity

The following link demonstrates a proof of concept that uses ModSecurity to add defensive JavaScript to response pages; the script identifies when a web browser executes certain code and then sends a beacon alert back to the web server. NTODefend helps you generate rules for the vulnerabilities detected with NTOSpider.

Attacks – in 2012 & 2013

10 Top Government Data Breaches Of 2012
SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year.

Here is a list of the expected “Top 5 security threats for 2013”

PayPal Fixes Trio of Remote-Access Vulnerabilities


PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.


Surviving the Week 11/30/12, Multiple Instances of Hacking


In the United Kingdom, hackers attempted to alter the value of goods before trying to buy the items with a stolen credit card. Multiple online companies were able to prevent these attacks. Law enforcement is urging businesses to ensure that their online security is up to date.

,,, and 275 other Pakistani websites were hacked.

DreamHost, the popular web hosting company, was breached over the long holiday weekend.

Test your application with NTOSpider. NTOSpider uses Universal Translator technology that can automatically crawl, detect and attack vulnerabilities that were previously only discoverable by manual testing.

Half of Companies Unaware of Most Current Threats

According to a survey by Kaspersky, half of companies are not knowledgeable about the potential security threats they may face. Some 31 percent of respondents admitted they had never heard of any of the recent cyber epidemics that pose direct threats to their organizations, the study says. Our NTOSpider On-Demand helps companies scan their applications, with experts verifying the results of the scan.

Multiple Vulnerabilities

Greenstone XSS / Password Disclosure / Log Forging –
PRADO PHP Framework 3.2.0 File Read –
SmartCMS SQL Injection –
EMC Smarts Network Configuration Manager Bypass –
Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow –


Surviving the Week 11/23/12, PCI Security Standards Council Adds Guidelines

PCI Security Standards Council Adds Guidelines for Data Security Standards Risk Assessment


The PCI Security Standards Council released guidelines for DSS risk assessment. There are three key recommendations:

  1. Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization.
  2. A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner.
  3. Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

NTOSpider with Universal Translator Technology generates reports according to the PCI Data Security Standards to help you find security vulnerabilities which violate PCI controls. Test your application with NTOSpider. Request a free trial today.

Full PCI DSS guidelines can be accessed at:


New Version of Chrome is Released

Google released Chrome version 23.0.1271.64 for Windows, Mac, Linux, and Chrome Frame this week. The release includes some interesting new privacy and security features along with a number of security fixes.


Interesting Stats on Cyber Attacks

A couple of studies are showing an increase in cyber security attacks. The NCC Group estimates that more than 1 billion hacking attempts will take place in the final quarter of 2012.

In another report, Websense Security Labs predicts the top 7 cyber security attacks of 2013.


Multiple Vulnerabilities

ManageEngine ServiceDesk 8.0 Cross Site Scripting –
dotProject 2.1.6 Cross Site Scripting / SQL Injection –
Yii Framework 1.1.8 Search SQL Injection –
TP-LINK TL-WR841N 3.13.9 Cross Site Scripting –
SonicWALL CDP 5040 6.x Cross Site Scripting –
WordPress FireStorm Real Estate 2.06.08 SQL Injection –
Apple QuickTime 7.7.2 Buffer Overflow –
Manage Engine Exchange Reporter 4.1 Cross Site Scripting –
Omni-Secure 5 / 6 / 7 Remote File Disclosure –
Skype Account Service Session Token Bypass –


Surviving the Week 11/16/12, Not a Great Week for Password Protection

Not a Great Week for Password Protection

Earlier in the week, we saw Twitter forcing users to change their passwords due to some password loss. Later in the week, a password vulnerability was disclosed in the most famous messenger, Microsoft’s Skype. The vulnerability allowed an attacker to change the username and password of a victim’s Skype account just by knowing their email address. Early Friday, Microsoft announced that the vulnerability had been resolved.

Information about the attack description –
Information about the patch –

ModSecurity Rules Are Out

ModSecurity, one of the biggest open source web application firewalls, released its updated rules. Download the rules at –

One of NTOSpider’s unique features is that it allows users to generate rules for different WAFs, including ModSecurity, Snort and Imperva. One can use this feature to import rules into a WAF to temporarily block all the vulnerabilities detected by NTOSpider.

Multiple Vulnerabilities

Vulnerabilities have been detected in some of the major applications, including WordPress, Drupal and Oracle. The following list contains patches for the vulnerabilities detected in the past week.

WordPress Kakao Theme SQL Injection –
WordPress Eco-Annu SQL Injection –
WordPress 3.3.1 swfupload.swf Cross Site Scripting –
netOffice Dwins 1.4p3 SQL Injection –
BananaDance Wiki b2.2 Cross Site Scripting / SQL Injection –
Java Applet JAX-WS Remote Code Execution –
MYREphp Vacation Rental Cross Site Scripting / SQL Injection –
dotProject 2.1.6 Remote File Inclusion –
Narcissus Remote Command Execution –
ReciPHP 1.1 SQL Injection –
BabyGekko 1.2.2e XSS / LFI / SQL Injection –
MYRE Realty Manager XSS / SQL Injection –
Bugzilla Information Leak / Cross Site Scripting –
Drupal RESTful Web Services 7.x Cross Site Request Forgery –
Drupal Smiley / Smileys 6.x Cross Site Scripting –
Friendsinwar FAQ Manager XSS / SQL Injection –
iDev Rentals 1.0 Cross Site Scripting –
Drupal Chaos Tool Suite 6.x Cross Site Scripting –
Drupal Table Of Contents 6.x Access Bypass –
Oracle Database Client System Analyzer Arbitrary File Upload –