Friday, June 25, 2010

XSS and SQL injection

These attacks are not new, yet they are still very effective against web applications. Here is an article that discusses how to test for such vulnerabilities and how to mitigate them.

Thursday, June 24, 2010

Tabnabbing

A new type of phishing attack, conceptualised by this security researcher. Rather than try to rehash his explanation, it is best to read his article.

Monday, June 21, 2010

HTTPS Everywhere

Most websites support HTTPS but do not switch users to the more secure protocol when they visit their sites. The EFF and the Tor Project have collaborated to release a Firefox add-on that automatically redirects users' sessions to HTTPS.
Here I demonstrate a Google search prior to installing the plug-in. My search is transmitted over the Internet in cleartext. After installing the tool, my Google search is automatically secured over HTTPS. The tool ships with a default list of supported websites but also lets you add your own URLs for it to manage.
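As an added illustration (not the extension's own code), here is a minimal Python rewriter that reads a ruleset in the HTTPS Everywhere XML layout (target hosts, exclusion patterns and from/to regex rules) and upgrades matching http:// URLs, leaving uncovered hosts, excluded pages and already-HTTPS URLs untouched. The hostnames and patterns in the embedded ruleset are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML layout; the hosts and
# patterns are sample values, not the extension's shipped rules.
RULESET_XML = r"""
<ruleset name="Example Search">
  <target host="www.example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://insecure\.example\.com/" />
  <rule from="^http://" to="https://" />
</ruleset>
"""

def parse_ruleset(xml_text):
    """Parse one <ruleset> into its target hosts, exclusions and rewrite rules."""
    root = ET.fromstring(xml_text)
    targets = [t.get("host") for t in root.findall("target")]
    exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
    rules = [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")]
    return {"name": root.get("name"), "targets": targets,
            "exclusions": exclusions, "rules": rules}

def host_matches(host, target):
    """A leading '*.' wildcard covers any subdomain but not the bare domain."""
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target

def rewrite(url, ruleset):
    """Return the HTTPS form of url if the ruleset covers it, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already HTTPS (or not a web URL): nothing to do
    if not any(host_matches(parts.hostname or "", t) for t in ruleset["targets"]):
        return url  # host is not covered by this ruleset
    if any(e.search(url) for e in ruleset["exclusions"]):
        return url  # page explicitly excluded from upgrading
    for pattern, replacement in ruleset["rules"]:
        new_url, count = pattern.subn(replacement, url, count=1)
        if count:
            return new_url  # first matching rule wins
    return url

if __name__ == "__main__":
    rs = parse_ruleset(RULESET_XML)
    print(rewrite("http://www.example.com/search?q=test", rs))
```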

Wednesday, June 16, 2010

iPhone PIN bypass

Another reason to love "Lucid Lynx". A security researcher has discovered that Ubuntu 10.04 lets users access data on an iPhone without knowing its security PIN. Too bad I do not own an iPhone to test this myself.

Saturday, June 12, 2010

Automated social engineering

Cool PoC. It again demonstrates that humans are the weakest link in security: you can educate people and display warnings, but victims will still click on malicious links.