
Tags » Webcast

The technique, found by Lava Kuppan, describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to create a Clickjacking scenario during Jeremiah's and my brief talk at the world OWASP in New York. But this takes it to a new level, where you can pre-load information in such a way that it will actually defeat the application logic in the process. Anyway, cool stuff by Lava...

 
Anthony M. Freed on Mar 12, 2010 in News & Discussion

There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly… The Jester

 
Anthony M. Freed on Mar 11, 2010 in News & Discussion

Today’s malware strategy and tactics are advanced and sophisticated. The main purpose of that is to trick antiviruses. Some use encryption to make detection difficult for any security software product, others add AutoRuns entries to the registry to defend themselves against anti-malware software, or just add a line to the hosts file to prevent the antivirus from updating its definitions...

 
Anthony M. Freed on Mar 07, 2010 in News & Discussion

Scammers have been devising ways to ride on someone else's coattails since the dawn of time. With every new technology they find another way to make money from nothing. Today I am going to highlight a method that involves Twitter, Yahoo!, and Google AdSense.

 
Anthony M. Freed on Mar 07, 2010 in News & Discussion

Many security professionals have sent me irate comments via e-mail like: You’re insane! You can’t block China! How long have you been in security! You can’t block a whole country! These remarks come in response to my writings concerning cyberwarfare, China and similar themes. In today’s blog entry, I bring to you: “Advanced Persistent Errata – Defending The Castle;” in other words, Blocking ANYONE you damn well choose to block…

 
Anthony M. Freed on Feb 24, 2010 in News & Discussion

IT security firm Sophos has warned Twitter users of a new attack that has led to thousands of accounts being compromised by hackers using a Web 2.0 botnet. The hijacked accounts are later used to spread money-making spam campaigns. The security firm found that fellow members of the micro-blogging network had posted messages disguised as humorous links, but which were actually aimed at phishing password credentials from unsuspecting users. These messages were accompanied by clickable links which redirected users to a fake Twitter login page hosted on a website based in China. Watch the video which demonstrates the attack…

 
Anthony M. Freed on Feb 24, 2010 in News & Discussion

Infosec Island has gained exclusive access to a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.com, carried out by infamous patriot hacker The Jester (th3j35t3r). The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which, unlike a DDoS attack, requires only one low spec machine to implement…

 
Anthony M. Freed on Feb 23, 2010 in News & Discussion

Every day the news bombards us with security issues of minor or major magnitude. Currently, some of the hottest topics are the Chinese Google Hacking, Botnets, Online War between organized Crime Cartels, and Vigilante Hackers on a Jihad Crusade. Applauding hacking vigilantes like The Jester is just another road to hell paved with good intentions…

 
Anthony M. Freed on Feb 16, 2010 in News & Discussion