The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC
Threat Classification v2.0. The Threat Classification is an effort to classify the weaknesses and attacks
that can lead to the compromise of a website, its data, or its users. This document's primary purpose is
to serve as a reference guide for common attacks and weaknesses.
Main goals
- Refine document scope, terminology, and purpose
- Update existing sections when applicable
- Add missing attacks and weaknesses
- Creation of a firm, scalable base foundation allowing for the introduction of data views allowing for various
WHID 2007-48: MSU investigating hacking incident
Reported: 17 October 2007
Occurred: 09 October 2007
Incident Type: Security Breach
WASC Threat Classification: Unknown
Information including birth date and social security number of 1400
students who enrolled online to the Montana State University has been
stolen by hackers. While no technical explanation is provided, the fact
that only students who enrolled online were affected points to a web
average server are enough for many things ;-).
> This is not a command execution vulnerability but an arbitrary file upload
I called this type of vulnerability Command Execution (as a vulnerability
which belongs to the Command Execution category in WASC TC v.1, or it can
also be placed in the OS Commanding (WASC-31) class in WASC TC), because arbitrary file
uploading leads to code execution. Only in the case where uploading of scripts is
not allowed, only other files, did I use the term Arbitrary File Upload
(which belongs to the Abuse of Functionality (WASC-42) class in WASC TC).
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry-wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.
The statistics were compiled from web application security assessment
projects which were carried out by the following companies in 2008 (in
alphabetical order):
> This should not be classified as any kind of vulnerability as there is no
> way that any harm can be done to a website using this script.
That is not a serious statement. This is a class of vulnerability that has been
known for a long time. If you haven't read the WASC TC yet, then you'd better read it.
First, this is Insufficient Anti-automation vulnerability. The class
Insufficient Anti-automation is listed in WASC Threat Classification v1
(released in 2004) and in Threat Classification v2 (released in 2010). In TC
v2 it's also referenced as WASC-21.
The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2007. This
initiative is a collaborative industry-wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.
Goals
1. Identify the prevalence and probability of different vulnerability classes
In the report we discuss the drivers for web hacking, the vulnerabilities
exploited and the types of organization attacked. We hope that the report
can serve to highlight the web application security issue and as a base for
risk analysis for web applications.
The report was prepared by The Web Application Security Consortium (WASC)
together with Breach Security Labs, the research arm of Breach Security,
which sponsors the project.
The report is available at:
http://www.webappsec.org/projects/whid/statistics.shtml
project. If you have questions or would like to contribute to future
enhancements of the WASSEC, you can contact the project leader, Brian Shura, at
bshura73@gmail.com.
Regards,
- WASC Announcements
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
--
Adrian P. | Senior IT Security Consultant | DDI: +44 (0)207 307 5026 |
Personal: ofer@shezaf.com, +972-54-4431119
Breach Security
Chair, OWASP Israel
Leader, ModSecurity Core Rule Set Project
Leader, WASC Web Hacking Incidents Database Project
Ofer Shezaf [shezaf@xiom.com, +972-54-4431119, www.xiom.com]
Founder, Xiom.com, Proactive Web Application Security, http://www.xiom.com
Chairman, OWASP Israel
Leader, WASC Web Hacking Incidents Database Project
of vectors to execute script within a web page without the explicit use of <script>
tags. This data can be useful when testing poorly implemented Cross-site Scripting
blacklist filters, for those wishing to build an HTML white list system, as well as
other uses.
WASC is actively seeking volunteers from various sections of the community including
penetration testers, security researchers, and developers to contribute to this project.
If you would like to be involved with the project or if you have comments about the
results, test cases etc., please contact Romain Gaucher (r@rgaucher.info)
> Personal: ofer at shezaf.com, +972-54-4431119
>
> VP Security Research, Breach Security
> Chair, OWASP Israel
> Leader, ModSecurity Core Rule Set Project
> Leader, WASC Web Hacking Incidents Database Project
>
>
> WHID 2007-71: Hacker uses Social Security numbers from Ohio court site
> ======================================================================
> Reported: 22 December 2007, Occurred: 22 December 2007
Web Application Security Consortium (www.webappsec.org) and SANS
(www.sans.org) have partnered together to define, train, test and certify
individuals. WASC is a leading web application security organization and
SANS is a leader in training and certification. Together they have the
subject matter expertise and process expertise to make this a huge success.
We are doing a survey of the topics to be covered in the certification. We
request you to spare a few minutes to take the survey.
For more details about the certification:
20.04.2010 - found vulnerabilities.
28.04.2010 - announced at my site.
29.04.2010 - informed developer.
06.05.2010 - developer released Cimy Counter 0.9.5. In version 0.9.5 the
author fixed all mentioned vulnerabilities except Redirector (aka URL
Redirector Abuse in WASC TC v2). And I gave him additional argumentation to
fix the Redirector hole as well.
24.06.2010 - disclosed at my site.
-----------------------------
Details:
Hi
Recently, with the outcome of the OWASP RC1 Top 10 exploited vulnerability
list, redirection issues have already
made a mark in it. Even WASC has included URL abuse as one
of the stringent attacks.
Well, to be ethical in this regard, these are not recent attacks but
have been persisting for a long time. The only
difference is that the exploitation ratio has increased from bottom to top.
So that's the prime reason it has been