Research « EnableSecurity

Research

EnableSecurity Papers

Surf Jacking – or HTTPS will not save you – describes a security flaw found in many public Web Applications which allows attackers to totally bypass HTTPS and force the victim to reveal the session cookie.

Download the full paper here.

Proof of concept tool.

The Extended HTML Form Attack Revisited – describes a generic security flaw which affects various web browsers such as Internet Explorer, Opera and Safari. This vulnerability allows attackers to launch Cross Site Scripting attacks by making use of non-HTTP protocols. This means that even when a web application does not have any Cross Site Scripting security holes itself, sessions can still be stolen by making use of this attack.

Download the full paper here.

EyeonSecurity Papers

Bypassing JavaScript Filters – the Flash! Attack – a way to inject XSS (Cross site scripting) code in many Web Applications which allow Flash content. Many sites were found to be vulnerable to this kind of attack.

This paper describes the following points:

How Cross-site scripting effects web applications and what major sites can do to prevent this kind of attack
Show that what is described by standard authorities as a solution to XSS is not always enough.
How to create a demonstration Flash document which launches XSS
Examples of major sites that were vulnerable to this kind of attack
Solutions to the issue

Download the full paper here.

Microsoft Passport Account Hijack Attack – An analysis of an attack on Microsoft (now Live.com) Passport – Cross Site scripting. This document describes an obvious flaw in the security of this system and how an attacker can proceed to exploit such a flaw to gain access to other user’s accounts. This paper covers the following points:

An introduction to Web Applications and the underlying authentication schemes and concepts
Description of the idea behind Microsoft Passport
How Microsoft Passport actually works and how to use that knowledge to gain unauthorised access.
How to go about exploiting Cross site scripting
Bypassing countermeasures for Cross site scripting
An actual exploit scenario

Download the full paper here.

Recent Posts
Contact

US: +1 (845) 658-4069
UK: +44 020 8133 7269
MT: +356 3456 9870
E: info@enablesecurity.com
More points of contact
Subscribe in a reader
Blogroll
- SIPVicious Blog
Good stuff
- Security Tube
Media Mentions
Partners
Reading
Resources
- SIPVicious tool suite
Subscribe to EnableSecurity Email
twitter feed
- when you hear them stammer with: "but they told us its secure!!", thats when you know they're in trouble 20 hours ago
- @norbertbonnici in 2006 there was no fluffy buzzwords :p in 2006 we had real hard disks :D 1 day ago
- oh the joys of finding a long lost hard disk with pictures from 2006 :') 1 day ago
- on #brucon training voip pentest training module 4 is about attacking UC - http://bit.ly/aUnar0 .. pick up phone, tap boss's phone? 1 day ago
- VoIP pentest crashcourse at #brucon, module 3 will be about attacking the media, i.e. fun with RTP - intro at http://bit.ly/8ZRx0e 6 days ago

Research

EnableSecurity Papers

EyeonSecurity Papers

Recent Posts

Contact

Blogroll

Good stuff

Media Mentions

Partners

Reading

Resources

twitter feed