105 matches found
Tools to address OWASP Top 10 Risks
In a recent article published by Security Boulevard. we talked about OWASP Top 10 Risk classification and overlap. In this post, we will look into the tools that may help address these risks. To understand what’s possible to cover with which protection mechanisms we can now color-code our OWASP...
Outpost24 Appsec Scale for Web Application Scanning
Today I would like to write about yet another Outpost24 product - cloud Web Application Scanner Appsec Scale. It is available in the same interface as Outpost24 Outscan, that I reviewed earlier. Select APPSEC SCALE in the start menu and you can scan web applications: New application If you don't...
Cross site request forgery (csrf)
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have CSRF resulting in deletion of a customer address from an address book, aka APPSEC-1433...
Session fixation
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503...
CVE-2016-10704
Magento Community Edition and Enterprise Edition before 2.0.10 and 2.1.x before 2.1.2 have XSS via e-mail templates that are mishandled during a preview, aka APPSEC-1503...
CVE-2016-10704
CVE-2016-10704 affects Magento Community Edition and Enterprise Edition before versions 2.0.10 (CE) and 2.1.x before 2.1.2. The issue is an XSS in email templates that is mishandled during preview (APPSEC-1503). Root cause: crafted input in email template preview can be reflected in rendered cont...
Wallarm to sponsor OWASP AppSec USA
If you are a SecOps or DevOps professional you can not miss the application security event of the year: AppSec USA, September 19–22nd at Disney Coronado Spring Resort, Orlando, FL Use the code: UNLM50WLLRM to register to get $50 discount. You will get great information on the new security tools a...
Mobile Application Security Training Platform: Security Shepherd
The OWASP Security Shepherd project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen...
Autorize - Automatic Authorization Enforcement Detection (Extension for Burp Suite)
Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests. Installation 1. Download Burp...
AppUse - Android Pentest Platform Unified Standalone Environment
AppUse Virtual Machine, developed by AppSec Labs, is a unique and free system, a platform for mobile application security testing in the android environment, and it includes unique custom-made tools. Faster & More Powerful The system is a blessing to security teams, who from now on can easily...
Alibaba Marketplace Vulnerability Puts Millions Of Shoppers at Risk
Alibaba Group has patched a major security vulnerability in one of its e-commerce portals that exposed account details of tens of millions of Merchants and shoppers to cyber criminals. An Israeli application security firm, AppSec Labs, found a Cross site scripting XSS vulnerability in AliExpress,...
SoapUI 4.6.3 - Remote Code Execution Vulnerability
Exploit for windows platform in category remote exploits Exploit Title: SoapUI Remote Code Execution Date: 25.12.13 Exploit Author: Barak Tawily Vendor Homepage: http://www.soapui.org/ Software Link: http://www.soapui.org/Downloads/download-soapui-pro-trial.html Version: vulnerable before 4.6.4...
Replacing Security Best Practices With Things That Work
NEW YORK–The term “best practices” is high on the list of overused and nearly meaningless phrases that get thrown around in the security field. It forms the basis for regulations such as HIPAA and PCI DSS and yet if you asked a random sample of 10 security people what the phrase meant, you’d like...
[AppUse] Android Pentest Platform Unified Standalone Environment
AppSec Labs recently developed the AppUse Virtual Machine. This system is a unique, free, platform for mobile application security testing in the android environment, and it includes unique custom-made tools created by AppSec Labs. There is no need for installation of simulators and testing tools...
Sybase Fixes Nine ASE Flaws
Enterprise software and services company Sybase has again patched holes in its Adaptive Server Enterprise ASE product, fixing a handful of database vulnerabilities that could have allowed a hacker to execute code and bypass security parameters on the company’s main database server product. As...
SAP's Sybase RDMS Patches Fail to Repair 10 Critical Vulnerabilities
Patches released this week by database and mobile management vendor Sybase did not completely repair serious privilege escalation and remote code execution vulnerabilities in versions 15.0.3 and later of its Adaptive Server Enterprise ASE product. Researchers at Application Security Inc., which...
A CISO's Guide To Application Security – Part 4: Weighing AppSec Technology Options
This post is the fourth in a 5-part series on Application Security, or “AppSec”. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk...
A CISO's Guide To Application Security – Part 3: Toward an AppSec Center of Excellence
This post is the third in a 4-part series on Application Security, or “AppSec”. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a data breach, and outline the CISO’s responsibility in managing software security risk...
A CISO's Guide To Application Security – Part 1: Defining AppSec
Editor’s Note: This post is the first in a multi-part series on Application Security, or “AppSec” prepared by our friends over at application testing firm Veracode. The series will define the components of a sound AppSec program, delineate the growing threats to software, weigh the costs of a dat...
Behind the Numbers of Mozilla's Bug Bounty Program
Bug bounty programs have been around in various forms for more than 15 years now, and many of the larger software companies, including Mozilla and Google, have established rewards for people who report bugs. But, aside from the amount of money that’s paid out when bugs are fixed, there hasn’t bee...