Author Archives

Video: “Ten Commandments of IT-Security for Web 2.0 Startups”

In December, Claus Overbeck of RedTeam Pentesting held the invited talk “Ten Commandments of IT-Security for Web 2.0 Startups” at the HackFwd Build 0.4. The talk was recorded on video and is now available via the HackFwd Blog. HackFwd is led by Lars Hinrichs; the people behind it describe themselves as

experienced tech entrepreneurs looking to [...]

Netzwerk Recherche Annual Conference 2010

The Netzwerk Recherche Annual Conference 2010 in Hamburg at the NDR is over and it was a great event. Although the hottest topic was the outside temperature of over 36°C, more than 800 people signed in for the event, many more than expected.
We were invited to give a workshop about advanced technical investigation techniques for [...]

New Whitepaper: JBoss AS – Deploying WARs with the DeploymentFileRepository MBean

We released a new JBoss security whitepaper with the title “JBoss Application Server – Deploying WARs with the DeploymentFileRepository MBean” today. It explains how to deploy WAR files with the DeploymentFileRepository MBean and how this is even possible with Cross Site Request Forgery (CSRF). The paper is available at
http://www.redteam-pentesting.de/publications/jboss
This new informational page also contains the [...]

XSS Prevention: Don’t Try This At Home

Cross Site Scripting (XSS) vulnerabilities are still one of the security problems you find in almost every web application. If the application’s interaction surface is reasonably large, it’s really just a matter of time.
For us, this means that in almost all web application pentests, we find XSS vulnerabilities to be documented. And there’s one thing [...]

Hacking JBoss AS at the Ruhr-Universität Bochum

On April 21, 2010 we will give the talk “Bridging the Gap between the Enterprise and You – or – Who’s the JBoss now” (in German) at the Bachelor-Vertiefungspraktikum zur Hackertechnik of the Chair for Network and Data Security, Ruhr-Universität Bochum.
It doesn’t say so on the website, but according to the organisers the talk is [...]

The Documentation Is Always Right. Right?

When it comes to IT security, one of the things you tell every IT worker, be it the system administrator or the web application developer, is that they should thoroughly read the documentation for whatever they are working with. It doesn’t matter if it’s a new network component or a web application framework you’re [...]

Security Policy Gone Wrong

Another story from the trenches:

Client: “You will have to work on site for this job. The data you’re gonna work with is of course highly sensitive and confidential. We cannot risk any of it to leave the company premises.”

Ok, so at this point, you usually prepare yourself to disillusion the client about how secure large [...]

A Tale of Access Control and Config File Backups

Location: A security area with access control. Two pentesters need to get (legitimate) access to the area, which requires three things: an authorisation token, your signature, and your identity card. The token is ready, the paper sheet signed and… access is granted. Wait, what about the identity card? The friendly security guard is stumped.
“Well, the [...]

17th DFN-CERT Workshop 09.-10. Feb.

Another year has passed and it’s time again for the annual DFN-CERT workshop. It’s taking place for the 17th time, and this year Lutz will talk about emulation-based unpacking of runtime-packed malware in his (German) talk
“Emulationsbasiertes Entpacken von laufzeitgepackten Schadprogrammen und darüber hinaus”
He’ll show you his project “Pandora’s Bochs”, based on the popular [...]

Scanning JBoss AS for open Invokers

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers manually for vulnerabilities. In their Web Vulnerability Scanner from Version 6.5 build 20091215 on, they integrated various checks for the stuff from our JBoss paper.
To give you a little reminder: Always check for

http://www.example.com/jmx-console
http://www.example.com/web-console
http://www.example.com/web-console/Invoker
http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the [...]