Full Disclosure mailing list archives

Fun with Foundstone
From: <orangeofficer () hushmail com>
Date: Tue, 14 Feb 2006 11:35:14 -0600

Things for a security company not to do in a webapp:

1. Do not auto-populate form fields on the page with customer names.

2. If you ignore rule number 1, don't use a simple, predictable id for said auto-population.


Rinse, increment, and repeat for a list of Foundstone customers...or at least a list of companies they've let download

Now that's just plain sloppy.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
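The two rules in the post describe an insecure direct object reference: a form field is pre-filled from a customer lookup keyed by a small integer the client supplies, so stepping through the integers lists every customer. The block below is an added example written for this archive page; it is not code from the post, from Foundstone, or from the application the poster looked at. It assumes a lookup-by-id handler of the shape the post implies, uses a constructed customer table with placeholder names, and adds a constructed access log so the detection routine has something to run over. It shows the weak handler beside two fixes (take the customer from the authenticated session instead of the request; where a reference must travel in a URL, use an unguessable random token) and a simple check for clients walking consecutive ids.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample customer table (placeholder names, not real data).
CUSTOMERS = {
    1: "Example Corp",
    2: "Sample Industries",
    3: "Placeholder LLC",
}


def vulnerable_prefill(request_params):
    """The pattern the post criticises: the field is filled from whatever
    integer id the client sends, with no tie to who is asking.  Walking
    id=1, 2, 3 ... enumerates every customer.  Kept only as the 'before'
    picture for the hardened versions below."""
    try:
        cid = int(request_params.get("id", ""))
    except ValueError:
        return ""
    return CUSTOMERS.get(cid, "")


def hardened_prefill(session):
    """Fix for rule 1: the id is never taken from the request at all; the
    name comes from the server-side session of the authenticated user, so
    there is no parameter to increment."""
    cid = session.get("customer_id")
    return CUSTOMERS.get(cid, "") if cid is not None else ""


# Fix for rule 2, for the case where a reference must travel in a URL
# (a download link, say): hand out a random, unguessable token instead of
# the row id and resolve it server-side.  Hypothetical in-memory store.
_TOKENS = {}


def issue_reference(cid):
    """Return a 256-bit random URL-safe token mapped to the customer id."""
    if cid not in CUSTOMERS:
        raise KeyError("unknown customer")
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = cid
    return token


def resolve_reference(token):
    """Look up a token; an unknown or guessed token yields ''."""
    cid = _TOKENS.get(token)
    return CUSTOMERS.get(cid, "") if cid is not None else ""


# Detection: flag clients that request a run of consecutive ids.
# Assumed log shape (constructed): "<client> <method> <path>?id=<n>".
_LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+\?id=(?P<id>\d+)")


def detect_id_walk(log_lines, min_run=3):
    """Return {client: longest run of consecutive increasing ids} for
    clients whose longest run reaches min_run."""
    seen = defaultdict(list)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m:
            seen[m.group("ip")].append(int(m.group("id")))
    flagged = {}
    for ip, ids in seen.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged


# Constructed sample access log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "203.0.113.5 GET /form?id=1",
    "198.51.100.7 GET /form?id=2",
    "203.0.113.5 GET /form?id=2",
    "203.0.113.5 GET /form?id=3",
    "203.0.113.5 GET /form?id=4",
    "198.51.100.7 GET /form?id=2",
]

if __name__ == "__main__":
    print(vulnerable_prefill({"id": "2"}))
    print(hardened_prefill({"customer_id": 3}))
    t = issue_reference(1)
    print(resolve_reference(t), repr(resolve_reference("guess")))
    print(detect_id_walk(SAMPLE_LOG))
```

The session-bound version is the real fix: once the server decides which customer the visitor is, there is no client-controlled id left to increment. The token store covers the narrower case where a reference genuinely has to be passed around; the detection routine is a coarse signal (a run of consecutive ids from one client) that would have made the walk described in the post visible in the access log.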
