Easter Egg in Automattic, Inc. HTTP Headers
While doing follow-on research on Rails’ CookieStore security, I came across some interesting headers… Thanks for making the mundane part more fun!
List of websites using Ruby on Rails’ CookieStore for session management
When bringing attention to the session termination security issue present with Ruby on Rails’ CookieStore and Django’s cookie-based session storage mechanism, one of the common questions I get is “Who...
How to Verify the Rails CookieStore Session Termination Weakness
“I want to try it out myself,” you say. Here is a video explanation using Kickstarter.com as an example, and here are the steps you take to verify the weakness yourself, using Kickstarter.com as well as...
You Can’t Log Out of Pinterest or Instagram – Django Web Framework Security...
The Django Web application framework, built to help you build websites fast, offers a cookie-based session storage mechanism that does not allow a visitor to fully terminate their session when they log out. Though not...
Adding Open Source Framework Hardening to your SDLC: A Podcast with Jeremiah...
I spoke with Jeremiah Grossman, the Founder and interim CEO of WhiteHat Security, about Ruby on Rails, Django, and the need to add additional time to your estimates for adapting these and other Web...
Disclosed: XSS Vulnerability in IBM WebSphere Application Server Integrated...
Reflected Cross-Site Scripting (XSS) Vulnerability Disclosure in IBM WebSphere Application Server Integrated Solutions Console
Disclosing CVE-2014-4958: Stored Attribute-Based Cross-Site Scripting (XSS)...
All versions of the popular UI for ASP.NET AJAX RadEditor Control product by Telerik may be affected by a high-risk stored attribute-based cross-site scripting (XSS) vulnerability that is assigned...
Disclosed (Patched): AddThis Email Sharing Button API XSS and Iframe Injection
AddThis had XSS and Iframe vulnerabilities
The Following Information Security Counter Arguments are Invalid
After bringing attention to the inability to terminate a session in some popular open source web application frameworks, many of the counterarguments fell into the following bins: We already knew about...
CWE-613: Insufficient Session Expiration (Supplement)
This is supplemental information to CWE-613: Insufficient Session Expiration.
Under Common Consequences:
Scope: Access Control
Effect: Technical Impact: Permanent session hijacking
Under Demonstrative...
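The weakness behind the CookieStore, Django and CWE-613 entries above, as an added example that is not code from the original page, from Rails or from Django: a simplified model of a signed-cookie session (base64 JSON plus an HMAC-SHA1 tag, standing in for a Rails CookieStore cookie signed with secret_key_base; the secret, the user names and the `sid` field are constructed for this example). With the cookie-only store, logout hands the browser a fresh empty cookie but the server records nothing, so a cookie captured before logout still authenticates. The second class adds the server-side revocation record that makes termination possible.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Stand-in for Rails' secret_key_base; constructed for this example only.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise a session hash as "base64(json)--hex(HMAC-SHA1(payload))", the
# shape of a signed cookie-store cookie (simplified; newer Rails also encrypts).
def encode_session(data, secret = SECRET)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, payload)}"
end

# Verify the tag and decode; nil for a forged, tampered or malformed cookie.
def decode_session(cookie, secret = SECRET)
  payload, tag = cookie.to_s.split('--', 2)
  return nil if payload.nil? || tag.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, payload), tag)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# The cookie-only store: all session state lives in the signed cookie.
class CookieOnlySessions
  def login(user)
    encode_session('user_id' => user, 'sid' => SecureRandom.hex(16))
  end

  # Logout issues the browser a new, empty cookie. No server-side record is
  # touched, so a copy of the old cookie (stolen, or still held by another
  # browser) verifies exactly as before: the session cannot be terminated.
  def logout(_old_cookie)
    encode_session({})
  end

  def current_user(cookie)
    data = decode_session(cookie)
    data && data['user_id']
  end
end

# Hardened variant: the server remembers which session ids were logged out.
# In production this set lives in a database or cache shared by all app servers.
class RevocableSessions < CookieOnlySessions
  def initialize
    @revoked = {}
  end

  def logout(old_cookie)
    data = decode_session(old_cookie)
    @revoked[data['sid']] = true if data && data['sid']
    super
  end

  def current_user(cookie)
    data = decode_session(cookie)
    return nil if data.nil? || @revoked[data['sid']]
    data['user_id']
  end
end

if __FILE__ == $PROGRAM_NAME
  [CookieOnlySessions, RevocableSessions].each do |store_class|
    store = store_class.new
    captured = store.login('alice') # attacker copies this cookie before logout
    store.logout(captured)
    puts "#{store_class}: captured cookie after logout -> #{store.current_user(captured).inspect}"
  end
end
```

The revocation list is the smallest fix that keeps a cookie-backed store; the more common remedy is a server-backed store (a database or cache session store in Rails, or a `SESSION_ENGINE` other than `signed_cookies` in Django), where logout deletes the server record outright. Either way the server-side entries need their own expiry, or the list grows without bound.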