Accipiter DirectServer This path traversal flaw could be exploited by placing URL-encoded dot-dot-slash sequences into a request. For more information about this flaw, see www.securityfocus.com/bid/9389 . Alibaba This path traversal flaw could be exploited by placing simple dot-dot-slash sequences into a request. For more information about this flaw, see www.securityfocus.com/bid/270 . Cisco ACS Acme.server This … Read more
Buffer overflow vulnerabilities occur when an application copies user-controllable data into a memory buffer that is not sufficiently large to accommodate it. The destination buffer is overflowed, resulting in adjacent memory being overwritten with the user’s data. Depending on the nature of the vulnerability, an attacker may be able to exploit it to execute arbitrary … Read more
The topic of code injection is a huge one, encompassing dozens of different languages and environments, and a wide variety of different attacks. It would be possible to write an entire book on any one of these areas, exploring all of the theoretical subtleties of how vulnerabilities can arise and be exploited. Because this is … Read more
Enumerating as much of the application’s content as possible is only one element of the mapping process. Equally important is the task of analyzing the application’s functionality, behavior, and technologies employed, in order to identify the key attack surfaces that it exposes, and begin formulating an approach to probing the application for exploitable vulnerabilities. Some … Read more
The first step in the process of attacking an application is to gather and examine some key information about it, in order to gain a better understanding of what you are up against. The mapping exercise begins by enumerating the application’s content and functionality, in order to understand what the application actually does and how … Read more
Several years after their widespread adoption, web applications on the Internet today are still rife with vulnerabilities. Understanding of the security threats facing web applications, and effective ways of addressing these, remains immature within the industry. There is currently little indication that the problem factors described previously are going to go away in the near … Read more
There is no doubt that web application security is a current and very news-worthy subject. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank … Read more
Vulnerabilities need to be identified by both the penetration tester and the vulnerability scanner. The steps are similar for the security tester and an unauthorized attacker. The attacker may choose to proceed more slowly to avoid detection, but some penetration testers will also start slowly so that the target company can learn where their detection … Read more