Hackers have long been known for their tendency to identify weaknesses in programs, but in today’s world, there are a number of programs that people put to use which are incredibly easy to keep safe. CMS or Content Management Systems are standard on the web today, being the software that runs blogs from all over the world. Two common examples of this are Joomla and WordPress, loved by users globally for their ease of use and high number of features. While these blogs are certainly a good way to get content out to the public, they do need to be updated with patches just as soon as those patches are made available because hackers do look for ways to exploit these programs and attack the web application security. While users might be aware that patching is needed, all too often it is not kept up with and when that happens, big problems can arise. SySmox experienced such a problem when a number of users who had not kept with the patching for their Joomla and WordPress installations unwittingly played a role in helping hackers attack the ISP’s shared hosting servers. The hackers were able to run scripts that caused problems and forced the tech support team to go to battle against the scripts to regain control over the servers by exploiting vulnerabilities in the kernel.
Tag: Web application security
Many people understand how important it is to have web application security both in the e-commerce . One of the primary concerns for organizations is attacks by appsec. However, there are many other very dangerous attacks, including cross site scripting, SQL injection and http verbse attack. Data loss is one of the most common issues following one of these attacks. However, data loss would be the least of an organization’s concerns considering attackers are generally also able to get access to the specific pieces of data they are looking for. An example of why web application security is so important is for when SQL injection allows an attacker to get access to credit card information or data relating to a person’s identity. This is often the type of information that hackers are after of course.
select id, firstname, lastname from authors
If one provided:
the query string becomes:
select id, firstname, lastname from authors where forename = ‘evil’ex’ and surname =’newman’
which the database attempts to run as
Incorrect syntax near al’ as the database tried to execute evil. (continue reading…)
Syria hackers take down al Jazeera English website :
Syrian hackers Target the Al Jazeera’s “Syria Live Blog” which has been providing ongoing coverage of the Arab League’s observer mission to Syria and developments in the ongoing unrest in the country .
The attacked changed to display a picture of bashar assad .
Hacked by Syrian Electronic Army | Th3 Pr0.
You Got Hacked Again By SEA.
We Want Bashar Al-Assad
The hackers website : http://syrian-es.com/
It look like tha the hackers exploit a web application security in the drupal .
This is the reason :
Web Application Security May Be More Difficult Than Network Security.
With the increased information sharing that has become quite common over the past few years, especially with social networking and business networking, it is inevitable that websites are being attacked. In the past, using a firewall for the computer and putting a lock on the door to the server room were enough to keep anyone from accessing information from a business and web application security wasn’t even envisioned. However, there are browsers that constantly interact with business web applications through websites that sell products or services. Data connections must be open in order to receive customer input and orders, and one never knows when a person accessing their business through the web is a legitimate customer or someone who is trying to hack into the system or attacking the business through the links on the site.
Technopark.ma got compromised by malware (this is site may harm your computer )
The officelle website of technopark got compromised by malisous code ; It look like that hackers exploit a vulnerability in the open source joomla (Joomla security Flaws) .The website serving malware to anyone visiting it). This attack seems to be targeting smaller and biggest sites that lack personnel with the skills and security awareness .
When i was testing an iis server after defacement attack, the webmaster was confused how hackers gaina ccess to the server and changes the visual appearance of the site or a webpage .
1 – Hackers use xgallery (Absolute gallery): SQL injection to get admin passwords and upload backdoors .
2 -Hackers uploaed automatically tools to deface the server replace every index.
3 -Hackers record the defaced home pages in zone-h digital attack archives.
Hackers exploit Xgallery panel to bypass the upload : Web application security
This attack allows a hacker who can upload a “safe” file extension (jpg, html, etc) to upload an ASP script and force it to execute on the web server. The vulnerability occurs when a file name is specified in the form of “attacker.asp;.jpg” — the application checks the file extension and sees “jpg”, but the web IIS server will stop parsing at the first “;” and sees “asp”. The result is trivial code execution on any IIS server that allows users to choose the file name of their uploaded attachment.
Software security is not an operational issue.
Application security has become one of the highest priorities for organizations as hackers turn their attention to vulnerabilities that traverse traditional network security technologies like web application firewalls and intrusion detection systems
Application security is not an operational issue. The solution lies in building better software. Sysmox helps clients define, design, develop, deploy and maintain reliable and secure software with our Strategic. SySmox delivers a set of comprehensive services and business strategies to help our clients measurably improve their software development life cycle. By understanding and managing the inherent risk, SySmox is able to help its clients reduce their costs and improve their security.
SySmox consultants help organizations understand their security posture and identify the systemic causes of security flaws. SySmox creates meaningful and measurable plans to improve security throughout each stage of the software development cycle. incorporates Enterprise Programs as turn-key solutions as well as Individual Services, such as penetration testing, threat modeling, policy development and source code reviews help clients supplement their own efforts.
Web Application Security : Formal Trust and Authentication :
Secure web application design is not product-specific: it is helpful in securely designing and implementing any web application, regardless of the platform. This article, part of a series of security-related, but many of these concepts are relevant to any application development cycle, including non-web applications.
1 Formal Trust.
2 External Resources (Including Users).
3 Client Applications (Including Users).
4 Authentication (Trusting Identification).
Keeping computer security issues at bay is a full-time job. These columns provide general education, point out common security issues in implementations, and can aid you in both design and troubleshooting. However, they are not a substitute for a full-time security specialist individual or group in your organization.
Bear in mind that individual links are provided for reference; they may not be applicable to your specific architecture or configuration. Be sure to carefully check whether the procedures suggested or described apply to your configuration before implementing them. Also, be sure to test any change to your current configuration or process in a testing environment prior to applying them in any production environment.
1 Formal Trust :
Last month’s column, How to Design Secure Web Applications, briefly discussed formal trust in the context of input validation and architectural research and design. This column discusses formal trust as a general concept, including how it relates not only to input validation, but also to topics such as working with external data resources (including users), building client-server applications (both web-based and not), and most importantly, authentication.
The first thing to keep in mind about formal trust is that it barely resembles the personal act of trusting (such as,. the “Can I trust my friend Bob?” idea). Formal trust is usually a calculation based on existing policies and on informed opinion about the implementation environment and relevant architecture in which an application is intended to execute. When a security analyst calculates the formal trust relationships for a given application implementation, she examines the requirements of the policy and existing procedure, compares these resources to the facilities provided by the data and other supporting resources, and makes implementation and design decisions based on how closely the resources match the policy.
Perhaps a more approachable way to think of the process of calculating formal trust is comparing it to a hiring process. Candidates must be appropriate to the position that is open, but beyond reading their resumes, it is still necessary to do background checks, interview them, and perhaps test them. You usually do this whether or not you personally think that candidates are trustworthy. You do it both because your HR policy states proper procedure for hiring someone to fill the role you need to fill and because you cannot afford to take chances. In no way is the standard way your company hires resources meant to be a personal criticism of a candidate; it is just the way the policy says it must be done.