http://www.bibsonomy.org/rss/concept/tag/securityBibSonomy RSS Feed for /concept/tag/securityhttp://ha.ckers.org/blog/20081007/clickjacking-details/brightbyte2008-10-08T10:37:16+02:00broeser webapp web security hacks http://rewerse.net/deliverables/m30/i2-d8.pdfclaudia.wagner2008-10-07T10:49:05+02:00workshop 2006 semantic web policy security http://freeworld.thc.org/brightbyte2008-09-30T21:33:38+02:00security hub blog hackers http://freeworld.thc.org/thc-epassport/brightbyte2008-09-30T21:30:32+02:00rfid security wtf passport hacks http://cups.cs.cmu.edu/soups/2008/program.htmledna_foobar2008-09-05T16:53:38+02:002008 social_networks passwords photo_sharing facebook proceedings privacy security conference web_search http://www.tagesschau.de/inland/ueberwachung/datenschutz128.htmlbrightbyte2008-09-04T22:45:38+02:00privacy web security hub http://synflood.at/blog/index.php?/archives/759-Google-Chrome-alles,-was-man-in-die-Adressleiste-eintippt,-wandert-an-Google.htmledna_foobar2008-09-04T02:31:04+02:00google leak chrome privacy security keylogger In order to solve web application vulnerabilities we have created HDIV (HTTP Data Integrity Validator) open source project. We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages). The security functionalities added to the web applications are these: INTEGRITY: HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Thanks to this property HDIV helps to eliminate most of the vulnerabilities based on the parameter tampering. EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea). CONFIDENTIALITY: HDIV guarantees the confidentiality of the non editable data as well. Usually lots of the data sent to the client has key information for the attackers such as database registry identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to avoid a malicious use of them. For example a link of this type, http://www.host.com?data1=12&amp;data2=24 is replaced by http://www.host.com?data1=0&amp;data2=1, guaranteeing confidentiality of the values representing database identifiers. Also it is possible to hide the name of the parameters becoming the link into http://www.host.com?0=0&amp;1=1. ANTI-CROSS SITE REQUEST FORGERY (CSRF) TOKEN: Random string called a token is placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request. This random string provides protection because not only does the compromised site need to know the URL of the target site and a valid request format for the target site, it also must know the random string which changes for each visited page.http://www.hdiv.org/gresch2008-09-02T15:28:10+02:00software http integrity data security develop springframework In order to solve web application vulnerabilities we have created HDIV (HTTP Data Integrity Validator) open source project. We can briefly define HDIV a<span class="info">...<span>In order to solve web application vulnerabilities we have created HDIV (HTTP Data Integrity Validator) open source project. We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding Security functionalities, maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a transparent way to the programmer and without adding any complexity to the application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages). The security functionalities added to the web applications are these: INTEGRITY: HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Thanks to this property HDIV helps to eliminate most of the vulnerabilities based on the parameter tampering. EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea). CONFIDENTIALITY: HDIV guarantees the confidentiality of the non editable data as well. Usually lots of the data sent to the client has key information for the attackers such as database registry identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to avoid a malicious use of them. For example a link of this type, http://www.host.com?data1=12&amp;data2=24 is replaced by http://www.host.com?data1=0&amp;data2=1, guaranteeing confidentiality of the values representing database identifiers. Also it is possible to hide the name of the parameters becoming the link into http://www.host.com?0=0&amp;1=1. ANTI-CROSS SITE REQUEST FORGERY (CSRF) TOKEN: Random string called a token is placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request. This random string provides protection because not only does the compromised site need to know the URL of the target site and a valid request format for the target site, it also must know the random string which changes for each visited page.</span></span>http://www.ipsec-howto.de/fbloeink2008-09-01T16:27:28+02:00ipsec security howto network http://linuxgazette.net/125/pfeiffer.htmlfbloeink2008-09-01T16:03:24+02:00ipv6 ipsec security network http://code.google.com/p/googleappengine/issues/detail?id=671brightbyte2008-08-27T16:20:23+02:00python sandbox security http://strongswan.org/fbloeink2008-08-26T12:08:24+02:00ipsec security network http://www.schneier.com/paper-ipsec.htmlfbloeink2008-08-26T12:07:06+02:00ipsec security network http://tools.ietf.org/html/rfc4301fbloeink2008-08-26T12:05:25+02:00ipsec security rfc network ip http://www.unixwiz.net/techtips/iguide-ipsec.htmlfbloeink2008-08-26T11:48:51+02:00ipsec security network International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and designhttp://cwe.mitre.org/index.htmlgresch2008-08-19T20:04:10+02:00weakness information software programming java security develop International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, <span class="info">...<span>International in scope and free for public use, CWE™ provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design</span></span>If the attacker however tries the username ‘admin x’ the application will search for it in the database and will not find it, because it is impossible to find a username with a length of 17 in a database field that has a 16 character limit. The application will accept the new username and insert it into the database. However the username column is to short for the full name and therefore it is truncated and ‘admin ‘ is inserted into the database.http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/brightbyte2008-08-18T21:27:20+02:00programmign webapp vulnerability security mysql If the attacker however tries the username ‘admin x’ the application will search for it in the database and will not find it, because it is impos<span class="info">...<span>If the attacker however tries the username ‘admin x’ the application will search for it in the database and will not find it, because it is impossible to find a username with a length of 17 in a database field that has a 16 character limit. The application will accept the new username and insert it into the database. However the username column is to short for the full name and therefore it is truncated and ‘admin ‘ is inserted into the database.</span></span>Department of Homeland Security (DHS) Secretary Michael Chertoff announced today the appointment of Elliott Broidy, Tom Foley and John Magaw to serve on his Homeland Security Advisory Council.http://www.dhs.gov/xnews/releases/press_release_0834.shtmvanderagma2008-08-15T22:44:03+02:00advisory elliott security broidy council homeland Department of Homeland Security (DHS) Secretary Michael Chertoff announced today the appointment of Elliott Broidy, Tom Foley and John Magaw to serve on hi<span class="info">...<span>Department of Homeland Security (DHS) Secretary Michael Chertoff announced today the appointment of Elliott Broidy, Tom Foley and John Magaw to serve on his Homeland Security Advisory Council.</span></span>http://www.heise.de/newsticker/Cyberkrieg-im-Kaukasus--/meldung/114065timo2008-08-11T01:41:51+02:00botnet cyberwar heise security http://www.heise.de/newsticker/Innovation-im-Untergrund--/meldung/105332timo2008-08-11T01:41:14+02:00botnet Untergrund heise security