A mass infection of sites running IIS and ASP.NET is under way. It turns out that the infected sites all point to http://ww.robint.us/u.js. The problem is not limited to small sites: large and even very large ones are affected.
According to Google, more than one million sites are already infected (FR, CA, US, ...).
Tag - appsec
Friday, June 11, 2010
Mass infection of IIS/ASP sites in progress... - UPDATE - 11/06/2010
By S. on Friday, June 11, 2010, 22:31 - OWASP
Monday, June 7, 2010
OWASP ModSecurity Core Rule Set
By S. on Monday, June 7, 2010, 23:56 - Links
OWASP ModSecurity Core Rule Set: "
Hello OWASP Leaders. I wanted to let you all know that a new version of the OWASP ModSecurity Core Rule Set (CRS) is now available (v2.0.7).
(Via Jeff Williams Blog.)
Technorati Tags: owasp, securite, security, modsecurity
Friday, June 4, 2010
AppSec DC
By S. on Friday, June 4, 2010, 23:17 - Links
AppSec DC: "
Building on the success of AppSec DC 2009, OWASP is pleased to announce the
OWASP AppSecDC 2010 conference held at the Walter E. Washington Convention
Center on November 8th through 11th 2010. Plenary sessions will be on November
10th and 11th preceded by Web Application Security Training on November 8th and
9th.
- Cloud Application Security
- Government Approaches to Application Security
- Application Security Case Studies
- Application Security and Business Risks
- Metrics for Application Security
- Web Services Security
- Source Code Review
- Web Application Security Testing
- Secure Coding Practices
- Privacy Concerns
- Vulnerabilities/Exploits in the Web App World
- Defense & Countermeasures in the Web App World
- Other web application security topics
Submit papers to http://www.easychair.org/conferences/?conf=appsecdc2010. Submission deadline is July 31st 2010. Inquiries can be made to cfp@appsecdc.org.
Additional information can be found in the FAQ. You will have to sign up for an EasyChair account at https://www.easychair.org/account/signup.cgi.
Conference Website: https://www.owasp.org/index.php/OWASP_AppSec_DC_2010
FAQ: https://www.owasp.org/index.php/OWASP_AppSec_DC_2010_-_FAQ
Please forward to all interested practitioners and colleagues.
Regards,
The AppSec DC Program Committee
(Via Jeff Williams Feed.)
Wednesday, June 2, 2010
Inline Detection of Evil JavaScript
By S. on Wednesday, June 2, 2010, 23:02 - Links
Inline Detection of Evil JavaScript: "
Exploit kits are a much more common threat on the web
than they used to be. In order to evade detection, the kits frequently contain
logic to obfuscate, or hide, the meaning behind the content that they serve to
the victim. Additionally, with each visit to the exploit page, the obfuscation
techniques will differ slightly so that static, content signatures will be
unable to detect the threat. Other threats contain obfuscated JavaScript (JS)
which sets up the page to exploit a vulnerability and launch a payload (for
example, 'spraying' the heap with shellcode). Still other threats inject
obfuscated JS into legitimate sites, which after decoding embeds a hidden
(0-pixel) IFrame to malicious content. As we have seen in the past, the JS
encodings vary greatly with each incident, and many instances are encoded
multiple times and may contain non-standard JS (reference past blog posts, such
as
(Via Zscaler Research blog.)
Monday, May 31, 2010
Now available: Microsoft SDL version 5
By S. on Monday, May 31, 2010, 08:47 - Links
Now available: Microsoft SDL version 5: "
Jeremy Dallman here to announce that we are releasing the latest version of the Microsoft Security Development Lifecycle process guidance – Version 5 (SDLv5).
(Via Microsoft SDL blog.)
Sunday, May 30, 2010
OWASP AppSec Research 2010
By S. on Sunday, May 30, 2010, 22:48 - Links
It's time to create a digital storm and invite the world to
OWASP AppSec Research 2010 this summer. We have a fabulous program and will
celebrate with a gala dinner at Stockholm City Hall
(http://international.stockholm.se/Tourism-and-history/The-Famous-City-Hall/Events-and-receptions/Rent-the-Halls).
(Via OWASP Blog.)
Announcing the MSF-Agile+SDL Process Template for TFS 2010 - The Security Development Lifecycle - Site Home - MSDN Blogs
By S. on Sunday, May 30, 2010, 19:53 - Links
(Via Microsoft SDL Blog, http://blogs.msdn.com/b/sdl/.)