Tag Archives: Surviving The Week

Surviving the Week – 02/17/2012

The NTO team keeps growing and the demands of running the business and supporting our customers is keeping me busy… and its a blast. But now its good to be getting back to these weekly postings.

On to the news, so I can help keep you all informed about the important news in web app security.

  • Will a standardized system for verifying Web identity ever catch on? – Maybe the question is “Do we even want a standardized system for verifying Web Identity?” I for one see stuff like this everyday, and if the FBI’s site can be hacked, who is going to promise the security of OpenID? It will just become the single place an attacker has to attack to get access to everyone’s confidential/private data.
  • CSRF with upload – XHR-L2, HTML5 and Cookie replay – XHR-Level 2 calls embedded in an HTML5 browser can open a cross domain socket and deliver an HTTP request. Cross-domain calls will abide by CORS, but browsers end up  generating preflight requests to check policy and based on that, will allow cookie replay. Interestingly, multi-part/form-data requests will go through without the preflight check and “withCredentials” allow cookie replay. This is how some new cutting edge attacks are going to be performed.
  • Vote Now! Top Ten Web Hacking Techniques of 2011 – This is an incredibly useful survey that they do each year. So, please vote to help the community get an idea of what is interesting and important to you.
  • Twitter Enables HTTPS By Default – As sites like Google, Facebook and now Twitter start pushing all traffic to HTTPS, I fear that users will mistake this for real security. “Oh, I can put all my information on Facebook/Twitter/etc now because they are ‘secure’. See there is even a little padlock icon in my browser when I go to those sites, just like the bank.” – FAIL

Surviving the Week – 12/09/2011

Sorry I missed last week, this one will cover the last two weeks.


Surviving the Week – 11/18/2011

This week was a busy one for me, as I’m finally done traveling for awhile and and got back to working on NTOSpider6 and our growing team. I should be able to keep up with this weekly post again, and will keep you all informed about the important news in web app security.


Twitter shortened links – Security bad practice?

As as spend more time using twitter, I understand the need for shortened URL’s and make heavy use of them. But, when I am viewing a tweet I always hesitate before clicking on those links knowing that they could be easily used to hide some sort of XSS or SQL Injection payload in the redirect.

It would be a great way to target accounts of twitter followers to even attack Intranet sites as well as public facing sites. Maybe some good proof of concept hacks will need to be created to demonstrate. Will leave that for another day.

I am sure some of these link shortening providers have put some effort into blocking XSS payloads from the URL’s they shorten, but its easy enough to have the short URL point to a page on the bad guys site which will perform a 302 with the payload in the Location header. This story/video on Help Net Security from a couple years ago tried to warn us.

I wish links didn’t count against the 140 char limit on twitter so these shortened URLs wouldn’t be as needed. Oh well, looks like another instance where features trump security.

(Now time to use bit.ly to make a short link of this blog post so I can tweet it)

Surviving the Week – 11/11/2011

Web application security news from the last couple weeks.
[I guess I didn't figure out how to keep going with this weekly post when Im traveling, but now I'm done traveling for a couple months, so should be able to keep up with the news]

Surviving the Week – 09/30/2011

The hacks are continuing to take place on more and more critical sites.


Surviving the Week – 09/23/2011

Sorry for the missing posts the last couple of weeks, I need to figure out how to manage these weekly posts during travel periods. So this week will include a couple items from the missing weeks.


mitnick on colbert

Surviving the Week – 09/02/2011

Welcome to “Surviving the Week”!

Each week I will be collecting the top news/stories/articles/blog_posts related to application security. These may not always be the big headlines or directly focused on application security, but they will be the items that interested me the most, and hopefully will be of interest to my readers. Great replacement for Jeremiah’s defunct “Best of Application Security” series.