Archive for web

[hackersmag] Don’t SSL-ify full site until SSL is itself Secure

Posted in ABK Labs, security on April 3, 2011 by abhishekkr

http://hackersmag.blogspot.com [30/03/2011]

http://hackersmag.blogspot.com/2011/03/full-site-ssl-ification-is-not-option.html

Full Site SSL-ification is not an option, need to make SSL secure first

I have heard (recently and in the past) security-aware lives wasting a lot of their potential over arguments like
+ ‘Basic HTTP is insecure‘ {sometimes, in a novice past}
+ ‘SSL-ify the entire web service‘ {there is still a lot of push for this}
Now, ‘Basic HTTP’ being insecure is not a flaw by design… but a flaw by choice.

……….
Though it has been haunting the websites by attacks like
+[] SSL Stripping:
It’s due to……….
+[] Sidejacking:
It occurs……….
……….
Then, ‘Full Site SSL-ification’ is a good choice from a theoretical security point of view, but just in theory.
Different SSL-Defeating attacks involving
+[] Flaws in Libraries like NSS:
There was a……….
+[] Fake SSL Certificate generation:
Not a flaw……….
……….
So, if you will look deeper into the serial-murder case file of SSL Certificates, you’ll see it ain’t safe…
and so there is no point in argument over its mixed/full implementation.
…click here to read in detail


[hackersmag] bypass user level restrictions, bug-case in ‘Scribd.com’

Posted in AbhishekKr, ABK Labs, security on December 21, 2010 by abhishekkr

@ hackersmag.blogspot.com [21/Dec/2010]

entry@Blogpost: http://hackersmag.blogspot.com/2010/12/bypass-of-user-level-restrictions-case.html

view-video@Youtube: http://www.youtube.com/watch?v=g-ETsFjRhqs
access-video@Vimeo: http://vimeo.com/18020569 [view/download original nice resolution video here]

bypass of user level restrictions, a case of bug in ‘Scribd.com’

So, here is a bug (which has now been fixed) in Scribd.com… that allowed users to get a local copy of documents which were devoid of download and print options.

It shows how a layered limitation can be broken, and why restrictions must be implemented root-level-up and not just as a user-level module.

…click here to read full blog-post and view real-case video

[blog.kaffenews.com] Zozzle (Microsoft’s Javascript-Malware Analysis Tool)

Posted in AbhishekKr, Blogroll, security on December 10, 2010 by abhishekkr

@blog.kaffenews.com [9/Dec/2010]

http://blog.kaffenews.com/?p=1700

Zozzle (Microsoft’s Javascript-Malware Analysis Tool)

In a sentence: Zozzle is a static web-page analyzer for detecting ‘Heap-Spray Exploits’.

[ 3-Things It Is ]

+ a product of

…click here to Read the full post

[hackersmag.blogspot.com] XSS Defeating PoC

Posted in Blogroll, security on September 7, 2010 by abhishekkr

@ hackersmag.blogspot.com [6/Sep/2010]

http://hackersmag.blogspot.com/2010/09/xss-defeating-poc-if-have-any-time-for.html

Video Demo of the same PoC: http://www.youtube.com/watch?v=ENiiAccY1v0
The WhitePaper is also available at the SourceForge link above.
I was working on an XSS-Patch PoC, which I now feel works properly enough to prove its point.
This requires neither Web-Developers to do any Filtering/Validation, nor any JavaScript-blocking add-on on the user’s browser.

…….click here to read full BlogPost