Application Security Testing

Rigorous testing can improve PCI application security, report says

January 17, 2012

Companies that are part of the payment card industry and process, transmit or acquire cardholder information need to ensure this information remains safe and that the organization is compliant with the PCI Data Security Standard. This is especially true in today's business environment, where many consumers are mobile and partake in e-commerce through multiple channels, according to…

Metasploit framework allows for easy CSRF demonstration

November 11, 2011

Session hijacking vulnerabilities, though common, are a poorly understood facet of application security, according to blogger Dennis Antunes. However, he noted, the XSSF framework built into the larger Metasploit penetration testing system can be a great demonstration tool. "Oversimplified, think of it as command and control for the browser using JavaScript. Essentially, hooked browsers will…

New penetration testing tool tries to brute force directory and file names on servers

November 9, 2011

Web application security testing professionals have a number of robustly featured, innovative tools available to them, and they just got a new one with the Open Web Application Security Project's DirBuster product. DirBuster, according to a release from OWASP, is a multi-threaded Java application that attempts to perform the well-known technique of identifying unprotected but…

New open-source application security tool automates test cases

October 28, 2011

Mozilla's QA staff is working on the development of an open-source application security testing suite to simplify this part of the process, according to an official company blog post this week. The tool is called Garmr, the company said, noting that it was still in its alpha stage of development. The idea behind its creation…

Report: Referrer tag vulnerable to stripping attack

October 24, 2011

The ability of a hacker to strip the referrer tag used by a web browser while simultaneously keeping the cookies has interesting application security implications, according to blogger Krzysztof Kotowicz. The purpose of the tag is to provide a simple way for websites to identify where a visitor has come from, which is important to…

Burp used to break into encrypted data

October 14, 2011

A new technique using the Burp web application security attack automation tool can be used to breach ECB-encrypted data, according to the program's creator, PortSwigger. The first step in the attack technique, the company said, is to use Burp Sequencer to sample as many logins as possible for the web application to be tested. These…

Mobile application security glitch to be patched by HTC

October 5, 2011

A potentially significant application security hole in the Sense user interface installed on HTC-built Android smartphones has been acknowledged by the handset maker and will be fixed in an over-the-air update. According to an official statement cited by Engadget, HTC is in the process of designing and testing a fix for the issue, which could…

Potential application security vulnerability for BlackBerry PlayBook found

October 5, 2011

A recent blog entry from AT&T application security consultant Nick Coblentz detailed a possible loophole through which a malware writer could exploit a BlackBerry PlayBook tablet. Although he was unable to confirm the viability of the exploit, Coblentz said that it appears to be possible to edit an application's configuration Flash file in such a…

New framework could help find basic application security vulnerabilities in ASP.NET sites

September 8, 2011

Application security specialist Troy Hunt recently announced an early alpha version of a tool to help web developers discover and correct potential vulnerabilities in ASP.NET sites, dubbing it the Automated Security Analyser For ASP.NET Websites, or ASafaWeb for short. The product, according to Hunt, will be very simple to use and available free of charge,…

Missing the forest for the trees – until you crash into one

September 2, 2011

A recent report from NibbleSec blogger Claudio Criscione said that the response of the application security community to a serious – but unexploited – vulnerability gave cause for concern. The issue, which affected the Apache web server, was discovered by an experienced Greek hacker known as Kingcope, according to Criscione. A simple Range header with enough…