
Monday, May 31, 2010

Tabnabbing - an example

The example:

Saturday, May 29, 2010

Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point

Recently I found the following vulnerability in the 3Com Wireless8760 web administration interface: once one user is authenticated to the web interface, other users can access its internal pages without any further authentication. In other words, a single open session between a user and the web administration interface is enough for other users to access the administration interface as well.

A malicious user can wait until someone logs in to the interface and then access and administer the 3Com Wireless8760 Access Point without further authentication. Among other operations, the malicious user can cause a Denial of Service (DoS) for the entire network by changing configuration such as IP addresses.

Wednesday, May 26, 2010

Man infects himself with computer virus

University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus. The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.

Monday, May 24, 2010

Fiddler GZIP Issue

Recently, I found that the GZIP zip/unzip feature in Fiddler does not work properly. There are applications which are based on the HTTP protocol and also compress HTTP requests and responses in GZIP format. So I decided to write some script using the Fiddler Script Editor for compressing and extracting requests and responses that are in GZIP format. Here is the code; copy it into the CustomRules.js file (Rules -> Customize Rules), inside the Handlers class:

// FiddlerScript (JScript.NET). Each action works on the last selected session.
// Setting the body through Fiddler's setters keeps Content-Length in step with the new body.
public static ContextAction("GZIP Request")
function GZIPRequest(oSessions: Session[]) {
    var oS = oSessions[oSessions.Length-1];
    oS.requestBodyBytes = Utilities.GzipCompress(oS.requestBodyBytes);
    oS.oRequest["Content-Encoding"] = "gzip";
}
public static ContextAction("UNGZIP Request")
function UNGZIPRequest(oSessions: Session[]) {
    var oS = oSessions[oSessions.Length-1];
    var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oS.requestBodyBytes));
    oS.oRequest.headers.Remove("Content-Encoding"); // body is plain text now
    oS.utilSetRequestBody(oBody);
}
public static ContextAction("GZIP Response")
function GZIPResponse(oSessions: Session[]) {
    var oS = oSessions[oSessions.Length-1];
    oS.responseBodyBytes = Utilities.GzipCompress(oS.responseBodyBytes);
    oS.oResponse["Content-Encoding"] = "gzip";
}
public static ContextAction("UNGZIP Response")
function UNGZIPResponse(oSessions: Session[]) {
    var oS = oSessions[oSessions.Length-1];
    var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oS.responseBodyBytes));
    oS.oResponse.headers.Remove("Content-Encoding"); // body is plain text now
    oS.utilSetResponseBody(oBody);
}

After copying this code and saving CustomRules.js, select one of the HTTP requests that is in GZIP format, right click and... here it is... you will have 4 options: GZIP Request, GZIP Response, UNGZIP Response, UNGZIP Request. Have fun ;-)

Saturday, May 22, 2010

ATM Clickjacking

Fraudsters can install another keypad on top of the original ATM keypad, covering it. The 'new' keypad contains a memory block which stores the PAN (card number) and PIN code while the customer tries to withdraw money from the ATM.

In such way, fraudsters can obtain credit card numbers and PIN codes and succeed in their frauds.

Why did I call this ATM clickjacking? Because it is very similar to the definition of web page clickjacking: the user thinks he is clicking on a legitimate link or button while actually he is clicking on hidden functionality which performs unintended malicious operations.

Tuesday, May 18, 2010

OWASP TOP 10 - 2010 Released

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.

Ten most popular application security flaws