Security Sift

Why your organization should be concerned with others’ breaches. It seems we’re constantly reading about breaches that result in the leak of login credentials–Gawker, Toshiba, Sony, Yahoo, LinkedIn…this list goes on.  Just this week ArenaNet (developers for Guild Wars 2) announced they are experiencing account hacks believed to be facilitated by the use of password lists stolen from other games and sites.  Many organizational executives or security personnel might read about these…

Here I’ll demonstrate how it’s possible to evade ASP .NET Request Validation and take advantage of Internet Explorer 9 quirks to execute a working XSS exploit.  Let’s look at a scenario… You suspect an ASP.NET application you’re testing is vulnerable to reflected XSS because it displays user input to the screen.  Its login page includes a registration function and if a user inputs the wrong registration number (passed via a…