<?xml version="1.0" encoding="ISO-8859-1" ?>
<rss version="2.0">
<channel>
<title>Web-app-security Mailing List Threads</title>
<link>http://readlist.com</link>
<description>Web-app-security Mailing List - New Threads feed</description>
<language>en</language>
<image>
  <url>http://readlist.com/readlist-logo-tiny.gif</url>
  <title>ReadList.com</title>
  <link>http://readlist.com/</link>
  <width>156</width>
  <height>30</height>
</image>
<item>
  <title>Final EUSecWest 2008 Speakers London May 21/22</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1738.html</link>
  <pubDate>Fri, 9 May 2008 13:53:12 GMT</pubDate>
  <description>The selected papers for EUSecWest 2008 are: * PhlashDance, discovering permanent denial of service attacks against embedded systems - Rich Smith, HP Labs * Attacking Near Field Communications (NFC) Mobile Phones - Collin Muliner, trifinite * Abusing X.509 certificate features - Alexander Klink, Cynops GmbH * Phoenix, and automated vulnerability finding - Tim Burrell, Microsoft * Cisco IOS Rootkits - ...</description>
</item>
<item>
  <title>BCS2008 CFP</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1736.html</link>
  <pubDate>Thu, 8 May 2008 20:36:58 GMT</pubDate>
  <description>The call for papers and conference registration is now open for Bellua Cyber Security Asia 2008, our fourth annual information security &amp; hacking conference. Speakers from numerous disciplines are invited to join Bellua Cyber Security Asia 2008 to discuss present and future information security and hacking issues through an intensive series of business and technical sessions and demonstrations. From 18th—19th November 2008, ...</description>
</item>
<item>
  <title>How can App Server maintain CRL in keystore</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1735.html</link>
  <pubDate>Wed, 7 May 2008 17:27:26 GMT</pubDate>
  <description>Hi All, currently I store the web clients' certificates in the App Server's keystore (I am using WebLogic and a Java keystore) so that the server only processes requests from trusted clients. Is there any easy way to update the keystore with the CA's CRL? Thanks a lot ~ E.L. ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies &amp; Tools for Web Application ...</description>
</item>
<item>
  <title>Photos and Presentation Materials from HITBSecConf2008 - Dubai Released</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1734.html</link>
  <pubDate>Sat, 3 May 2008 13:55:00 GMT</pubDate>
  <description>The codes, tools, exploits, slides and other presentation goodies from HITBSecConf2008 - Dubai are available for download! You will also find a 'bonus download' of the live recording of DJ Negative's set from the HITB Post Conference Party at the URL below :) http://conference.hitb.org/hitbsecconf2008dubai/materials/ The official photos from the training, conference and party have also been posted on-line at the HITB Photos page: ...</description>
</item>
<item>
  <title>how to convert JAR file to source code</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1725.html</link>
  <pubDate>Fri, 25 Apr 2008 14:37:09 GMT</pubDate>
  <description>Hi, is there any free tool that can convert *.jar files to source code? Thanks in advance, App. Tester. [+ +] ^ ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies &amp; Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a ...</description>
</item>
<item>
  <title>Tools for code review JAVA source codes</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1722.html</link>
  <pubDate>Thu, 24 Apr 2008 13:44:35 GMT</pubDate>
  <description>Hi, I am new to secure code review. Please suggest any open source tools for secure code review of Java applications. Thanks in advance, App. Tester. ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies &amp; Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments ...</description>
</item>
<item>
  <title>T2'08: Call for Papers 2008</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1721.html</link>
  <pubDate>Wed, 23 Apr 2008 12:30:42 GMT</pubDate>
  <description>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ~ *** T2'08 - Call For Papers *** ~ Helsinki, Finland ~ 16 - 17 October 2008 We are pleased to announce the annual T2´08 conference, which will take place in Helsinki, Finland, from October 16 to 17, 2008. We are looking for original technical presentations in the fields of information security. Presentations ...</description>
</item>
<item>
  <title>EUSecWest CFP Closes April 14th (conf May 21/22 2008)</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1720.html</link>
  <pubDate>Fri, 11 Apr 2008 06:24:57 GMT</pubDate>
  <description>(We've moved the conference this year to a club in Leicester Square in the heart of London and Soho. We'll be putting speakers up across the square at the Radisson Edwardian Hampshire, but there are lots of hotels in the area there in the centre of London for those who want to attend (the venue is physically on top of a tube station on the Circle line, so it is easy to get to). Registration is now open and we hope to have the Dojo ...</description>
</item>
<item>
  <title>Administrivia: Webappsec Vendor Directory</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1710.html</link>
  <pubDate>Wed, 9 Apr 2008 18:21:07 GMT</pubDate>
  <description>Hi there, ** Full disclosure: I work for Aspect Security. This is why I have refrained publicly posting as it is a conflict of interest. I am walking a very fine line here. With this post, I aim to represent you, the webappsec reader in this matter, not my employer nor myself. ** The thread on web app sec companies highlights several issues: it can be tricky to find them - so a directory is needed, but some folks have mixed ...</description>
</item>
<item>
  <title>Computer Security Videos</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1706.html</link>
  <pubDate>Wed, 9 Apr 2008 18:02:19 GMT</pubDate>
  <description>Listgoers, I am wondering if anyone has any good resources for computer security tutorials, etc. or so-called "hacking videos". If you haven't found any that you like, what would you look for in such a website? If you have found some sites that offer this content, is there anything that the site is lacking? Forums for members to interact, area to request videos, lack of advanced content? Thanks in advance for all of your ...</description>
</item>
<item>
  <title>Re: Top webappsec testing vendors?</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1705.html</link>
  <pubDate>Wed, 9 Apr 2008 17:38:24 GMT</pubDate>
  <description>Clint: Seems you're employed by the vendor you just recommended. Not the most up-and-up way to respond to the thread. http://www.linkedin.com/ppl/webprofile?action=vmi&amp;id=2967034 I have a lot of respect for the folks at Neohapsis and IOActive. Not employed by either. ;p -- shawn ------------------------------------------------------------------------- Sponsored by: Watchfire ...</description>
</item>
<item>
  <title>Re: [Owasp-webscarab] MITM proxies, Ontologies, and Enterprise Architecture</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1700.html</link>
  <pubDate>Wed, 9 Apr 2008 17:20:48 GMT</pubDate>
  <description>Christopher H Mitchell wrote: &gt; &gt; I'll apologize for the cross posting up front, but I am interested in &gt; any comments that might be offered &gt; &gt; As a security analyst I find the WebScarab application and Pantera quite &gt; helpful. In fact, I am quite excited to find out how well the WebScarab &gt; NG version will progress from this point. I am constantly writing &gt; /security reviews/ and maintain a /database/ ...</description>
</item>
<item>
  <title>Top webapp pentesting vendors?</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1698.html</link>
  <pubDate>Tue, 8 Apr 2008 03:30:45 GMT</pubDate>
  <description>Hello All, I'm not sure if this is an appropriate question for the list, but who are the top consulting companies or vendors for webapp security? Specifically, I'm searching for consulting orgs that can audit a complex web site with some ecommerce functions. Thanks, Bill Stout ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies &amp; Tools for Web Application Security ...</description>
</item>
<item>
  <title>PhD Positions in Language-based Security at Chalmers</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1697.html</link>
  <pubDate>Tue, 1 Apr 2008 12:25:31 GMT</pubDate>
  <description>------------------------------------------------------------------------ *PhD Student Positions in Programming Language-based Security* Dept. of Computer Science and Engineering Chalmers University of Technology, Sweden Application deadline: April 30, 2008 Full version of this announcement: http://www.chalmers.se/en/sections/news/vacancies/positions/phd-student-positions-in6722 ...</description>
</item>
<item>
  <title>OpenID and the web</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1678.html</link>
  <pubDate>Tue, 25 Mar 2008 17:27:48 GMT</pubDate>
  <description>Hello list, I'm curious what the group thinks about the recent surge in support for OpenID across the web and the impact it will have. 1) Beemba - http://www.beemba.com 2) ClaimID - http://www.claimid.com 3) MyOpenID - http://www.myopenid.com These sites are gaining in popularity quickly and with the announcements of support from big players Yahoo, Microsoft and Google, combined with smaller web2.0 celeb-run ...</description>
</item>
<item>
  <title>CanSecWest 2008 PWN2OWN - Mar 26-28</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1677.html</link>
  <pubDate>Fri, 21 Mar 2008 15:50:33 GMT</pubDate>
  <description>Calendar Notes: =========== PacSec 2008 will be on November 12/13 in Tokyo at Aoyama Diamond Hall. EUSecWest 2008 will be on May 21/22 at a fun new venue in central London. (We cooked this schedule up so it will enable people to fly to Berlin on the 23rd and make FX's ph-neutral on Saturday the 24th - which also has a fun new venue. Island???!?) The EUSecWest 2008 CFP opens tomorrow and closes _before_ April 1 :-). ...</description>
</item>
<item>
  <title>[MSA02240108] IE7 allows overwriting of several headers leading toHttp request Splitting and smuggli</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1676.html</link>
  <pubDate>Fri, 21 Mar 2008 15:37:01 GMT</pubDate>
  <description>MSA01240108: IE7 allows overwriting of several headers leading to Http request Splitting and smuggling. Date: March 21st, 2008 Tested Versions: Internet Explorer 7.0.5730.11 Tested OS: Windows XP Professional SP2 Italian Minded Security ReferenceID: MSA02240108 Credits: Discovery by Stefano Di Paola of Minded Security stefano.dipaola ...</description>
</item>
<item>
  <title>[MSA01240108] IE7 Transfer-Encoding: chunked allows RequestSplitting/Smuggling.</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1675.html</link>
  <pubDate>Fri, 21 Mar 2008 15:34:38 GMT</pubDate>
  <description>MSA01240108: IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling. Date: March 21st, 2008 Tested Versions: Internet Explorer 7.0.5730.11 Tested OS: Windows XP Professional SP2 Italian Minded Security ReferenceID: MSA01240108 Credits: Discovery by Stefano Di Paola of Minded Security stefano.dipaola [_at_] mindedsecurity.com ...</description>
</item>
<item>
  <title>Release of webshag 1.00!</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1674.html</link>
  <pubDate>Thu, 20 Mar 2008 15:52:24 GMT</pubDate>
  <description>Webshag is a free, multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing. It also provides innovative functionalities like the capability of retrieving the list of domain names hosted on a target machine and file fuzzing using *dynamically* generated filenames (in addition to common list-based fuzzing). Webshag URL ...</description>
</item>
<item>
  <title>CSRF attack in Firefox</title>
  <link>http://readlist.com/lists/securityfocus.com/webappsec/0/1661.html</link>
  <pubDate>Tue, 18 Mar 2008 17:18:24 GMT</pubDate>
  <description>Hi List, I have tested the following attack in Firefox and it has worked successfully, while I would not have expected this to work because of the same origin policy in Firefox. The Firefox version I am using is 2.0.0.12. http://www.victim.com/webapp/wcs/servlet/ImagePopup?storeId=111&amp;imageName=image1.jpg&amp;imageText=%3Cimg%20src=http://www.attacker.com/images/image2.jpg%3E Can someone please explain why this attack works ...</description>
</item>
</channel>
</rss>
