Web App Security Mailing List
Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
WebSurgery v1.1 released (Web application security testing suite)
John Stamatakis (Nov 11)
Sunrise proudly announces WebSurgery v1.1!
WebSurgery is a suite of tools for security testing of web applications. It
is designed to address the ongoing needs of security auditors so to
facilitate them with web application planning and exploitation. Suite
currently contains a spectrum of efficient, fast and stable web tools
(Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality
tools (Scripting Filters,...
[CVE-2013-2751, CVE-2013-2752] NETGEAR ReadyNAS Remote Root
Craig Young (Oct 22)
NETGEAR ReadyNAS with firmware 4.2.x before 4.2.24 and 4.1.x before
4.1.12 is prone to command injection from an unauthenticated HTTP GET
request. This vulnerability can lead to complete root access as
outlined on the Tripwire blog:
If you have not already, I strongly advise all ReadyNAS administrators
to apply the...
OWASP Vulnerable Web Applications Directory Project
psiinon (Oct 19)
The OWASP Vulnerable Web Applications Directory (VWAD) Project is a
comprehensive and well maintained registry of all known vulnerable web
applications currently available. These vulnerable web applications
can be used by web developers, security auditors and penetration
testers to put in practice their knowledge and skills during training
sessions (and especially afterwards), as well as to test at any time
the multiple hacking tools and...
Re: OWASP Vulnerable Web Applications Directory Project
psiinon (Oct 19)
And in converting my original email to text format the link got lost ;)
The project is here:
OWASP Xenotix XSS Exploit Framework 4.5 is Released
Ajin Abraham (Oct 16)
OWASP Xenotix XSS Exploit Framework V4.5 is Released.
OWASP Xenotix XSS Exploit Framework is an advanced Cross Site
Scripting (XSS) vulnerability detection and exploitation framework. It
provides Zero False Positive scan results with its unique Triple
Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is
claimed to have the world’s 2nd largest XSS Payloads of about 1500+
distinctive XSS Payloads for effective XSS...
ImmuniWeb® Self-Fuzzer (Oct 02)
ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to
detect Cross-Site Scripting (XSS) and SQL Injection vulnerabilities in
It demonstrates how rapidly and easily these two most common types of
web vulnerabilities can be found even by a person who is not familiar
with web security.
ImmuniWeb® Self-Fuzzer is not a web application security scanner or
crawler, but a real-time web fuzzer. Once being...
Arachni v0.4.5.1-0.4.2 has been released (Open Source Web Application Security Scanner Framework)
Tasos Laskos (Sep 16)
There's a new version of Arachni, an Open Source, modular and
high-performance Web Application Security Scanner Framework written in Ruby.
Brief list of changes:
* Optimized pattern matching to use less resources by grouping patterns to only
be matched against the per-platform payloads. Bottom line, pattern matching
operations have been greatly reduced overall and vulnerabilities can be used
to fingerprint the...
saghar estehghari (Sep 12)
In the system that I'm working on, we are having some session cookies
on the client side that we need to protect against the replay attack!
So I find the following paper
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf and I
really like the way that they put things together. There is only one
problem with this and that is the use of SSL session key (this is used
for anti-replay purpose). I have some problems to get this...
OWASP Zed Attack Proxy 2.2.0
psiinon (Sep 12)
ZAP 2.2.0 is now available from http://code.google.com/p/zaproxy/downloads/list
This includes support for scripts embedded in ZAP components like the
active and passive scanners as well as support for Zest - a new
security focused scripting language from the Mozilla security team.
It also supports Mozilla Plug-n-Hack, localization in 20 languages,
various minor enhancements and lots of bug fixes.
For more details see the release...
CBC Byte Flipping Attack 101 Approach
Danux (Sep 10)
Nothing new, just a 101 approach of this attack:
Administrivia: Limited list admin for a little while
Andrew van der Stock (Sep 05)
I will be off the grid for the next 10 days. Therefore, there will be
limited (i.e. none! nada! zip! zero!) posts approved until I get back.
This will be the first time in 24 years that I've been away from the
Internet for this long.
Wish me luck!
SpiderFoot 2.0.4 released
Steve Micallef (Sep 02)
I'm pleased to announce the release of SpiderFoot 2.0.4. SpiderFoot is a
free, multi-platform open-source footprinting and intelligence gathering
Since 2.0.0 was released in May, there have been a number of subsequent
releases not announced to these lists, so if you are upgrading from
2.0.0 to 2.0.4, you'll get the following improvements:
- Collects SSL certificate information and performs a number of...
Checkout Passive Web Application Firewall (WAF) Testing Framework (like mod_security , naxsi etc)
Bhaumik Merchant (Aug 27)
Created one framework for Passively evaluating Web Application
touching existing infrastructure and Web Application Firewall vendor
(Passive mode) support for each and every Web Application Firewall
like mod_security. Code coming soon! Checkout Hands-on!!
Find out more @
http://bhaumikmerchant.in/w-o-f.htm (Official Blog)
http://youtu.be/9KbDXIi94r4 (Official Video,hands-on)...
Re: Forgotten Password
Amol Arakh (Aug 21)
Both solutions suggested by Clemens and Tudor must be considered from
Also, as per your last suggestion, security questions may increase
complexity, and users may also forget the answers to these questions.
Instead of using questions, go for simply using the mobile number for
creating encryption and a code through SMS as decryption, which provides
authentication functionality also.
Re: Forgotten Password
saghar estehghari (Aug 21)
Thanks for all the replies :)
@Clemens: The system is semi-trusted. This implies that we can't
access the user's data while he is offline (the data is encrypted at
rest). This is because the client is considered the weakest link and
it is complicated for him to handle the keys securely and to do the
encryption/decryption. So having this in mind, we can't be involved in
any encryption and decryption related to...