September 2009
4 posts
How I cross-site scripted Twitter in 15 minutes,... →
A flaw in Rails’ handling of Unicode leads to a hole in some of the framework’s major applications. Twitter handled it gracefully as did Rails… 37Signals, not so much.
HSBC France -- SQL injections lead to plaintext... →
Banking giant HSBC France was exposed today with a multitude of unforgivable security violations including MS-SQL injections that led to the revelation of plaintext (and simple) administrator passwords. Unu, the same tester from the UK Parliament SQL injection of a few days ago, now presents you with the clusterfuck that is HSBC France security.
The month of Facebook App exploits... XSS, CSRF,... →
While Facebook’s own security awareness seems to be quite high and no serious flaws have been found in their core software, the Facebook API and application platform has become a continual source of nightmares for their security professionals. With the API they have open and the amount of users available, every single third-party Facebook application must seem like a piece of low-hanging...
Three obvious flaws in the UK Parliament website... →
The Register, via Romanian hacker “Unu”, disclosed huge web security issues on the UK Parliament website today. The flaws described are three of the most common:
Plaintext passwords stored in the database. Never do this. Period. As a developer, you’re asked to do this so that people can easily retrieve their passwords via email or a call to support. Just say no. Not only do you...
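What "just say no" looks like in code, as an added example that is not from the original post or any of the sites it mentions: the table holds only a salted, iterated hash, and the "I forgot my password" path that support and e-mail want is served by a one-time reset token rather than by handing the password back. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt/scrypt/argon2 so the example runs anywhere, a dict stands in for the users table, and the iteration count and token lifetime are illustrative values.

```python
"""Salted password hashing plus a one-time reset token, instead of storing
the password so it can be e-mailed back.  Added example, standard library only."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP floor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # assumption: reset links die after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt per user means identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users: dict, email: str, password: str) -> None:
    # The plaintext is hashed here and never written anywhere.
    users[email] = {"password_hash": hash_password(password), "reset": None}


def login(users: dict, email: str, password: str) -> bool:
    user = users.get(email)
    return user is not None and verify_password(password, user["password_hash"])


def issue_reset_token(users: dict, email: str, now: Optional[float] = None) -> Optional[str]:
    """The only secret that leaves the system is a random single-use token.
    The table keeps just its SHA-256, so a dumped database cannot replay it."""
    user = users.get(email)
    if user is None:
        return None  # the caller still answers "if that account exists, mail sent"
    token = secrets.token_urlsafe(32)
    user["reset"] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires_at": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
    }
    return token


def redeem_reset_token(users: dict, email: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry, and replace the hash; never reveal anything."""
    user = users.get(email)
    pending = user["reset"] if user else None
    if pending is None:
        return False
    now = now if now is not None else time.time()
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if now > pending["expires_at"] or not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    user["password_hash"] = hash_password(new_password)
    user["reset"] = None  # single use
    return True


if __name__ == "__main__":
    db = {}
    register(db, "alice@example.com", "correct horse")      # constructed sample user
    print("stored record:", db["alice@example.com"]["password_hash"])
    tok = issue_reset_token(db, "alice@example.com")
    print("mail this, store nothing but its hash:", tok)
    print("reset ok:", redeem_reset_token(db, "alice@example.com", tok, "battery staple"))
    print("old password still works:", login(db, "alice@example.com", "correct horse"))
```

Support staff with read access to the table can see the hash and the token hash, neither of which lets them log in as the user or complete a reset, which is the property the plaintext-storage shortcut gives away.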