Entries for 'Or Katz'

Tags: article, security, appsec, threat, us | March 06, 2012 by Or Katz
Two weeks ago I was in the cinema watching the movie Moneyball. The movie tells the story of Oakland A's general manager Billy Beane's successful attempt to put together a baseball club based not on the collected wisdom of baseball insiders (including players, managers, coaches, scouts, and the front office) but rather on choosing the players and the game plan from each player's statistics, such as on-base percentage and slugging percentage. I'm not a big expert in the game of baseball, but...
Tags: article, security, appsec, us, xss | February 12, 2012 by Or Katz
A couple of weeks ago, a new security advisory was published: CVE-2012-0053 - “Apache HttpOnly Cookie Disclosure”. While the severity of this vulnerability is just “medium”, there are some things that we can learn from it. As far as I see it, this vulnerability actually uses a more sophisticated approach in order to steal sensitive information. It suggests an exploit proof of concept that combines two attack methods: 1. A well-known application security vulnerability named “Cross-Site Scri...
Tags: article, security, appsec, us | February 02, 2012 by Or Katz
One year ago an online dating site called Lovely-Faces.com was launched with over 250,000 profiles. These profiles were scraped from Facebook without the permission of the users. This incident illustrates exactly what web scraping is all about. Another good example of where a web scraping attack may occur is a web application that contains cataloged content, for example electronic equipment with a catalog number and a price for each item. Let’s say that competitors would like to know the price of...
Tags: article, security, appsec, us | January 25, 2012 by Or Katz
I don’t know if you had the chance to hear about it, but in the last couple of weeks a mini cyber-attack campaign has been taking place in the Middle East. It all started a couple of weeks ago when a hacker (allegedly from the Arabian Peninsula) published several thousand Israeli credit card numbers and email addresses. This was the first round in a potential multi-round skirmish that at its peak included Distributed Denial of Service (DDoS) attacks from both parties on both Saudi Arabian and Israe...
Tags: article, security, us | November 08, 2011 by Or Katz
One of the first things that comes to mind when talking about a Web Application Firewall is its ability to mitigate web application vulnerabilities. For this reason, it is natural to think of Application Security Scanners and Web Application Firewalls as complementary products that need to talk to each other in order to solve security hazards waiting to be exploited. For the reasons mentioned above, BIG-IP ASM and WhiteHat Sentinel offer a unique integration between a Web Application Fi...
Tags: article, security, us | October 12, 2011 by Or Katz
Securing your web application is not an easy job. In this blog post I will explain some of the challenges in protecting a web application and how F5 Application Security Manager (ASM) can help mitigate security risks. HTTP is a flexible protocol that allows clients (browsers in this case) to communicate with servers (web applications) passing information back and forth. The information can be delivered in many ways, and it is up to the application developer to decide how it will be done. For ex...
Tags: article, security, us | August 23, 2011 by Or Katz
Recently a new ASM signature update was released, including more than 40 new signatures that all fall under the same criterion: “SQL information leakage”. The obvious objective of using response signatures is to detect and block sensitive information returned by the application that an attacker could use to steal sensitive data, extend the exploit, and learn more about the application infrastructure. In other words, “use it and abuse it”. While this reason is important enough, there ar...
Tags: article, microsoft, security, industry, us | August 11, 2011 by Or Katz
SQL injection was first introduced in the late 90’s. A successful execution of this attack results in direct access to the database used by the application, giving the attacker the ability to manipulate SQL queries. As a result, the attacker may be able to insert, update, delete or retrieve information from the vulnerable application. SQL injection is used in order to exploit the web application, one example being “bypass authentication”. In many cases, web applications require a login to the...
Tags: article, security, us | July 28, 2011 by Or Katz
Recently I read a very interesting article from Troy Hunt about “The science of password selection“. While his excellent analysis is focused on web application users and their selection of passwords, I was trying to think about how we can quantify password strength from the application's point of view. So I ran a short analysis on some passwords that were leaked in recent incidents. In the first step I tested password strength by validating four attributes of each password. In order to score the stren...
Tags: article, security, us | July 07, 2011 by Or Katz
It’s a known fact that improvements in web application security filters have also raised the sophistication of malicious parties in their goal of abusing web applications. While some of the well-known attack vectors have been around for quite some time, the way these attacks are executed has changed. In the example below we can see a hacker using an attack vector to try to exploit remote arbitrary code execution on the FreePBX web application GUI that controls and manages Asterisk, the world's m...
Page 1 of 2