[WEB SECURITY] Current state with passwords on web sites and Using XML External Entities (XXE) for attacks on other sites

MustLive mustlive at websecurity.com.ua
Fri Aug 3 11:51:55 EDT 2012


Hello, participants of the mailing list.

In July, besides publishing to the list my June translation of my April
article "Attack via tables corruption in MySQL"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-July/008438.html),
I also wrote new articles. So now I will tell you about two of my articles
written last month. Request a full translation of any of them if needed.

I'll tell you briefly about my articles concerning the current state of
passwords on web sites and using XML External Entities (XXE) for attacks on
other sites. These topics should be interesting for you (especially for
those who haven't read them before).

1. Current state with passwords on web sites
http://websecurity.com.ua/5961/

In this article I described the state of passwords on web sites based on
my own experience and analysis of passwords leaked in recent years. I've
described such problems as the use of simple passwords and the use of
passwords which are equal to usernames, which is the main reason why Login
Leakage and Login Enumeration vulnerabilities are dangerous and why they
must be fixed (as I've been working hard for many years to draw attention to
these vulnerabilities at web sites and web applications and to stimulate web
developers to fix them). I also analyzed the logins and passwords which
recently leaked from one gov.ua site.

2. Using XML External Entities (XXE) for attacks on other sites.
http://websecurity.com.ua/5987/

In 2010, in the article "Using of the sites for attacks on other sites"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
I wrote about the possibility of attacks on other sites via Abuse of
Functionality and Remote File Include vulnerabilities, and showed examples
of Abuse of Functionality holes at different web sites (including sites of
Google, Yahoo and W3C).

And after that I wrote about my tool for automation of such attacks -
DDoS attacks via other sites execution tool (DAVOSET)
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075621.html).
In this article I described using XML External Entities (XXE)
vulnerabilities (WASC-43) for conducting CSRF and DoS attacks on other
sites, XXE vulnerabilities in different web applications, and the
automation of such attacks.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua




