ZDNet Dictionary Definition
- XSS
- (CROSS-Site Scripting) Causing a user's Web browser to execute a malicious script. There are several ways this is done. One approach is to hide code in a...
ZDNet Resources
- McAfee isn't "McAfee Secure" or "Hacker Safe"
- In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for......
- Tags: McAfee Inc., XSS, Hacker, Tool, Productivity, Nathan McFeters
- Blog posts 2008-05-13
- Morse Code Rickroll 0-day... no, seriously, I mean it
- In the security research world, getting Rickrolled has become a global epidemic. If you've been to any of the recent conferences, you're sure to have been Rickrolled at least once... if you were fortunate enough to be at ToorCon Seattle, then you got Rickrolled about 300 times by Dan Kaminsky....
- Tags: Morse Plc., I/O, XSS, Encryption, Security, Nathan McFeters
- Blog posts 2008-05-04
- More bad news for McAfee, HackerSafe certification
- Dan Goodin posted a great article that was picked up by The Register a couple days ago about continued challenges for McAfee's newly purchased HackerSafe division. I find the article interesting as HackerSafe uses a scanning tool that probes for web application security flaws... of course, tools are limited in...
- Tags: McAfee Inc., Security, Certification, Vulnerability, XSS, HackerSafe, Godin, Goodin, Nathan McFeters
- Blog posts 2008-05-01
- ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero
- *** Updated: ToorCon images uploaded. Alright, that title probably sounds pretty random... well, welcome to ToorCon! ToorCon has long been one of my favorite conferences for the easy atmosphere, laid-back presentations, and parties. This year's Seattle-based ToorCon was the best I've been to. ...
- Tags: Researcher, XSS, Domain, Microsoft Corp., Conference, Attack, ToorCon Seattle 2008, John, Security, Nathan McFeters
- Blog posts 2008-04-21
- PCI Compliance gets clarified and neutered (further)
- At one point, I thought that PCI certification was a great thing. Now I realize that it's not really about security at all... it's about money and responsibility and transferring ownership of risk. The PCI certification just got a clarification: "6.6 Ensure that all web-facing applications...
- Tags: Web, XSS, PCI, Web Application, TV, Attack, PCI Compliance, Web Application Firewalls, WAF, Security, Nathan McFeters
- Blog posts 2008-04-17
- Taking ownership (pwnership) of content: Cross-site Scripting Google
- XSS & SaaS: Our SaaS includes a vast area of user-editable content. We also process around $18M a month. So we just disable the insertion of [
- Tags: XSS, Taking Ownership, Google Inc.
- Discussion threads 2008-04-16
- Taking ownership (pwnership) of content: Cross-site Scripting Google
- My good friend Billy Rios pictured to the right published another interesting exploit recently. It's a cross-site scripting exposure in spreadsheets.google.com, which is interesting because it's exploited by using the content-type returned by spreadsheets.google.com and a caching flaw on the part of Google. Here's some details from Billy's blog: I was...
- Tags: Security, Google Inc., HTML, XSS, Domain, Billy Rios, Rios, Nathan McFeters
- Blog posts 2008-04-16
- Snom VoIP phone vulnerability enables phone history theft, addy book poisoning, and more
- Fellow VoIP blogger and multi-skilled polymath Tom Keating picks up on security consultancy GNUCitizen.org's description of a security vulnerability in snom Technology's model 320 VoIP phone. GNUCitizen, in turn, found this via what they term a "side result" of a router hacking challenge...
- Tags: VoIP, Phone, Vulnerability, XSS, VoIP Phone, Snom, Telecom & Utilities, Russell Shaw
- Blog posts 2008-02-12
- Importance of Web Application Firewall Technology for Protecting Web-Based Resources
- Web-based applications and services have changed the landscape of information delivery and exchange in today's corporate, government, and educational arenas. Ease of access, increased availability of information, and the richness of web services have universally increased productivity and operational efficiencies. These increases have led to heavier reliance on web-based services...
- Tags: Web, CyberTrust, XSS, Web Application, Application Firewall, Channel Management, Firewalls, Identity Theft, Security, Marketing, Networking
- White papers 2008-01-10
- Notebook: Google Toolbar flaw; Gmail issues; Microsoft assessment tool
- Safe Surfing Best Practices: Keep your browser "lean and mean".
  - Don't add extraneous tool bars and plugins
  - Do add Firefox plugins NoScript and AdBlock
  - If at all possible run your browser in a VM snapshot or sandbox
  - Use a decent Email...
- Tags: E-mail providers, Web browsers, Microsoft Corp., Google Gmail, Gmail Issues, XSS, Google Toolbar, tool, Google Inc., notebook, toolbar
- Discussion threads 2007-12-19
- Mozilla patches Firefox latest protocol handling bug; other items
- Mozilla has issued a patch for Firefox that fixes the "jar:" protocol handler issue. In an advisory on Monday, Mozilla said: The jar: URI scheme was introduced as a mechanism to support digitally signed web pages, enabling web sites to load pages packaged in zip archives...
- Tags: Mozilla Firefox, XSS, Mozilla Corp., Ryan, Web Browsers, Security, Internet, Larry Dignan
- Blog posts 2007-11-27
- Finding and exploiting holes in software features
- Ryan Naraine is on vacation. Guest editorial by Nate McFeters. With the holiday season fast approaching, and being so in the spirit of giving, I thought I'd compile a list of the top features that led to security...
- Tags: Software, Google Inc., Attacker, XSS, Trillian, Google Picasa, URI, Security, Ryan Naraine
- Blog posts 2007-11-23
- Firefox feature introduces danger
- Software engineers at Mozilla are working on a fix for another protocol handing issue affecting the company's flagship Firefox browser. The flaw, originally reported in February 2007 and independently discovered by Petko D. Petkov, turns a little-used Firefox feature into a security risk that could lead...
- Tags: Mozilla Firefox, XSS, Bug, Secunia, Firefox Feature, Cross-site Scripting Attack, Web Browsers, Internet, Ryan Naraine
- Blog posts 2007-11-09
- Microsoft ships free tool to swat cross-site scripting bugs
- THIS IS SOME SORT OF A SCRIPT INTERPRETER: So, a DLL is somehow written or constructed, then rendered, and you want to see its functions from a particular perspective. This Dynamic Link Library can contain the script or assembly commands to maximize a page...
- Tags: Web browsers, Microsoft Corp., XSS, NoScript, tool
- Discussion threads 2007-10-24
- Microsoft ships free tool to swat cross-site scripting bugs
- Microsoft's Application Consulting & Engineering (ACE) Team has shipped XSSDetect, a free Visual Studio plug-in capable of flagging potential cross-site scripting issues in managed code. The tool, currently available as a beta download, is styled as a stripped-down version of Microsoft's Code Analysis Tool for .NET code...
- Tags: XSS, Microsoft Corp., Tool, .Net, Microsoft Development Tools, Software Development, Software/Web Development, Development Tools, Ryan Naraine
- Blog posts 2007-10-24
- Does Google really take privacy seriously?
- Google does take privacy seriously -- and in many respects, they are more conscious about their privacy practices than most other companies because they are an easy target. It is also assuring that they can fix vulnerabilities very quickly in most cases. That said, it is becoming very...
- Tags: Google Inc., XSS, Privacy, Security, Garett Rogers
- Blog posts 2007-09-30
- Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance
- [ UPDATE, October 1, 2007: Google has issued a fix for this issue. It's important that you check your filters to ensure your mailbox isn't compromised ] Google's security model is not holding up very well to scrutiny from hackers. In the past few...
- Tags: Google Inc., Google Gmail, Search Appliance, Victim, XSS, Hacker, Attack Technique, E-mail Providers, E-mail, Internet, Online Communications, Ryan Naraine
- Blog posts 2007-09-25
- Understanding Web-Based Threats and How to Thwart Them
- The Web has never been more hostile and new dangers can lurk on even the most trusted Web sites. What's more, the potential harm that cross-site scripting (XSS), cross-site request forgeries (CSRF), and JavaScript malware payloads can cause is growing exponentially. Intranet hacking, history stealing, browser port scanning, and dozens...
- Tags: Web, Sophos Plc., XSS, JavaScript, Malware, Intranet, Channel Management, Spyware, Adware & Malware, Security, Marketing
- Webcasts 2007-09-20
- ISA Server 2000 Security Update for Error Pages (exe)
- A security issue has been identified in ISA Server that could allow an attacker to execute a cross-site scripting attack. You can help protect your computer by installing this update from Microsoft. This version is the first release on CNET Download.com.
- Tags: Microsoft ISA Server 2000, XSS, Microsoft ISA Server, Microsoft Corp., Security Issue, Security
- Software downloads 2007-09-14
- Firefox raises barrier to cross-site scripting attacks
- httponly doesn't prevent XSS: This doesn't prevent cross-site scripting. It mitigates the damage that can be done if a cross-site scripting vulnerability is exploited. One of the most common actions is to steal cookies to impersonate someone. With httponly cookies that becomes...
- Tags: Web browsers, barrier, Mozilla Firefox, httpOnly, XSS, Microsoft Internet Explorer 6
- Discussion threads 2007-07-19