
cat /dev/random | grep security

Wednesday, December 19, 2007 04:31 PM

» RFC battle: Browsers vs. programming languages



Some developers and I wandered across a pretty interesting situation recently: it seems there is an ambiguous corner case concerning how to resolve a relative URI containing only query parameters (a link such as "?foo=bar"). We were finding

Wednesday, December 05, 2007 01:14 PM

» The New WebInspect LFI Engine



The release of WebInspect 7.7.113.3 (the Nov/2007 hotfix release) brought along a significant feature: a new-and-improved audit engine for finding local file reading/inclusion vulnerabilities. This article will introduce you to this new engine, how it
Posted By jbforristal | 2 Comments | Trackbacks | Permalink

Thursday, November 29, 2007 09:16 AM

» WebInspect Check Tuning part III: Network-related check tuning



This is the third part in my three-part series on check tuning. Part one addressed the basic concepts of check inputs and tuning checks , while part two addressed some basic network topology concepts . This part will utilize the previously discussed concepts

Wednesday, November 21, 2007 10:16 AM

» Status update: Check tuning part III



I just wanted to post a note saying that I haven't forgotten about part III of my WebInspect check tuning article series. I am working on some rewrites to how the checks destined to be featured in part III operate; thus I want to finish the checks

Thursday, October 25, 2007 05:08 PM

» WebInspect Check Tuning part II: Understanding network topology



Launching a web scan is conceptually pretty easy: you just pop in a target URL and click 'Go'. You don't have to necessarily worry about routing tables, firewalls, and all that other network architecture stuff that magically lets the scanning
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Friday, October 19, 2007 03:32 PM

» WebInspect Check Tuning part I: Intro to check inputs



This is the first article in a three part series that focuses on tuning the checks included with WebInspect (and sister products, DevInspect and QAInspect), with the goal of increasing accuracy and usefulness. By default, the current version of WebInspect
Posted By jbforristal | 2 Comments | Trackbacks | Permalink

Friday, October 05, 2007 05:04 PM

» Migrations, blue hats, podcasts, virtual problems, SPICon, and other news



My blog has been a bit barren lately--trust me when I say it's not because I've been sitting around doing nothing! A lot of interesting stuff has been going on lately, so I thought I'd take a moment to catch you up on the happenings. One big
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Monday, August 20, 2007 03:19 PM

» Internet RFCs are more what you'd call guidelines than actual rules...



RFCs are what make the Internet work. They describe how things should behave, so that the said 'thing' meets the expectations on how it should fundamentally operate, and more importantly, interoperate with the rest of the world. Now, I'm not
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Thursday, June 07, 2007 08:53 AM

» Identify these HTTP servers/devices, receive something cool!



[Update 6/27: Dan a.k.a. "Mr. Smoot" pointed me to a URL that further confirms #3 as a NetScaler device, as well as makes a convincing case that #4 is a NetScaler device as well. In addition, he helped narrow down the possible list of suspects
Posted By jbforristal | 2 Comments | Trackbacks | Permalink

Wednesday, May 30, 2007 11:35 AM

» Blog tech quickie: saving binary data in C# strings



[Updated 6/1/2007 to include additional Base64 info] This is just a quick technical post to hopefully help some people out. My cursory research on the 'net shows that other people are asking how to do the same thing, but the answers always varied
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Friday, May 25, 2007 04:10 PM

» Best for PCI: webapp firewall or code review?



I thought I would share an email response I sent to an individual on the WASC mailing list regarding the choice between using a web application firewall (WAF) to mitigate your web application vulnerabilities, or a code review to find and remediate your
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Tuesday, May 08, 2007 01:05 PM

» MOPB Followup: PHP (finally) releases fixed versions



The Month of PHP Bugs (MOPB) has come and gone, leaving 40+ identified PHP security problems in its wake. I've already analyzed the bugs themselves in my previous MOPB mid-month analysis and MOPB end of month full review . Now we were just waiting

Monday, April 16, 2007 10:54 AM

» ASP.NET encoding shortcomings (review of MetaEye analysis)



Yesterday Zeroknock at MetaEye.org released a post to the WASC mailing list entitled URL Encoding/Decoding Flaw Mechanism In ASP.NET[1.0-2.0] Based Web Applications. I read the analysis, and thought I would give some commentary on what the analysis is saying, as well as offer some additional information on the practice of encoding/filtering data for security purposes in ASP.NET.
Posted By jbforristal | 2 Comments | Trackbacks | Permalink

Tuesday, April 10, 2007 01:04 PM

» Blog tech quickie: NTLM/Negotiate auth strings in .NET 2.0 without SSPI



This is just a quick technical post to hopefully help some people out. My cursory research on the 'net shows that other people are asking how to do the same thing, but no one has a good answer. So I thought I'd share my findings, as a way to give
Posted By jbforristal | 1 Comments | Trackbacks | Permalink

Tuesday, April 03, 2007 09:06 PM

» The current state of PHP security (w/ MOPB full review)



The Month of PHP Bugs (MOPB) has concluded, and thus it’s time to review the state of PHP security. Those of you who read my MOPB mid-month analysis are already familiar with the concept: take the pile of MOPB bugs, analyze their impact, and correlate
Posted By jbforristal | 4 Comments | Trackbacks | Permalink