WebApp Sec mailing list archives
XSS/Script Injection on my personal site
From: "arian.evans" <arian.evans () anachronic com>
Date: Fri, 28 Apr 2006 12:29:40 -0500
In light of the recent Hacker vs. Humanitarian threads on these lists in the last few days, I find the 580+ IDS alerts I just got yesterday poignant, and thought some of you on the lists might as well: someone in Atlanta on Cox cable is once again giving my personal site a "free pen test".

I am going to assume this is related to notifying various vendors of specific weaknesses in my hosted apps, and attack types that the vendor tools ineffectively test for.

For the last time, please contact me personally *before* starting these tests, if you'd be so kind. Do you wait for me to go out on the road so you can fill my webmail inbox with IDS alerts? ***Not cool.*** I have limited disk space and have to watch this box closely or everything on it gets DoS'd. Or, alternately, I can just not help anyone at all. I have not shipped off sample code and details to all the vendors yet, and was waiting to publicly release examples until all vendors were notified.

*** I have been giving notified parties an open invite to use apps I host as a testbed, but my ONE request is to please co-ordinate testing with me so that you do not DoS my box. Thanks.

***PostNuke Flaws***

BTW// Had you asked, I could have saved you the time wasted testing irrelevant fields, and told you that PostNuke has issues with the Func param in Blocks and with the OP param in several places as well. One of my colleagues and I have attempted to contact the PostNuke team for about six months now; they silently fixed one of the issues we notified them about in the newest code base, whilst ignoring us concerning the rest of them. I did get one response pointing me to where I could diff their code and find the silent changes myself, but I lost all personal email in January and no longer have that contact history.

Arian J. Evans
+1.913.378.3571 [mobile]