News

Well, what about security certifications? There are useful guides to certifications at about.com and dmiessler.com. Arguably, the better internationally known certifications listed are CISSP and SCNP. One recent addition to this arena is the Certified Ethical Hacker (CEH). Their course outline provides a very good background on what you should know as a security tester. Whether the content is...
I released CSRF in MSWord Part 1 a couple of weeks ago, where we utilise frames to backdoor Word documents. SANS Handlers commented on this find with some interesting points. RSnake decided to play a little with this idea and has published CSRF with MSWord Part II where he has uncovered a really neat way to backdoor .doc files by...

Adobe Universal XSS

Discussion: In September pdp and I did some really fun work involving backdooring PDF files. It opened a lot of eyes and some back accounts in getting it fixed. Now Stefano Di Paola and Giorgio Fedon have found a way to perform universal XSS attacks on systems with Adobe Reader and Professional installed. Affected Versions: According to pdp the following versions have been...
Some had a good night's sleep last night. Generally it will be those who heeded the suggestions we gave in September last year with Backdooring PDF Files, while others most likely didn't get any sleep at all. I woke up this morning and started getting ready for work. As usual, I turned on my laptop and cruised over to Michael Daws SecNews...
pagvac from ProCheckUp released an advisory on how to bypass ASP.NET XSS validation. This attack is only possible with Internet Explorer users as it exploits the old IE CSS comment hack; a very creative find indeed from the guys at ProCheckUp. Proof of Concept: Alert box injection - simply provided for testing purposes (may cause DoS issues on Internet Explorer) http://target/vuln-search.aspx?term=</XSS/*-*/STYLE=xss:e/**/xpression (alert('XSS'))> ASP.NET will also escape...