Channel: MaverickBlogging » Security

Easter Egg in Automattic, Inc. HTTP Headers

While doing follow-on research about Rails’ CookieStore security I came across some interesting headers… Thanks for making the mundane part more fun!

List of websites using Ruby on Rails’ CookieStore for session management

When bringing attention to the session termination security issue present with Ruby on Rails’ CookieStore and Django’s cookie-based session storage mechanism, one of the common questions I get is “Who...

How to Verify the Rails CookieStore Session Termination Weakness

I want to try it out myself, you say. Here is a video explanation using Kickstarter.com as an example: And here are the steps you take to verify the weakness yourself–using Kickstarter.com, as well as...

You Can’t Log Out of Pinterest or Instagram – Django Web Framework Security...

The Django Web application framework made to help you build websites fast offers a session storage mechanism that does not allow a visitor to fully terminate their session when they log out. Though not...

Adding Open Source Framework Hardening to your SDLC: A Podcast with Jeremiah...

I spoke with Jeremiah Grossman, the Founder and interim CEO of WhiteHat Security, about Ruby on Rails, Django, and the need to add additional time to your estimates for adapting these and other Web...

Disclosed: XSS Vulnerability in IBM WebSphere Application Server Integrated...

Reflected Cross-Site Scripting (XSS) Vulnerability Disclosure in IBM WebSphere Application Server Integrated Solutions Console

Disclosing CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS)...

All versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned...

Disclosed (Patched): AddThis Email Sharing Button API XSS and Iframe Injection

AddThis had XSS and Iframe vulnerabilities

The Following Information Security Counter Arguments are Invalid

After bringing attention to the inability to terminate a session in some popular open source web application frameworks, many of the counterarguments fell into the following bins: We already knew about...

CWE-613: Insufficient Session Expiration (Supplement)

This is supplemental information to CWE-613: Insufficient Session Expiration. Under Common Consequences: Scope: Access Control Effect: Technical Impact: Permanent session hijacking Under Demonstrative...
