Hello participants of Mailing List. I'll tell you briefly about my last publications on backdoors in web applications topic. These topic should be interesting for you (especially for those, who haven't read them before). In February 2011 I've started this topic with my article Placing shells (backdoors) at web sites (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-February/007508.html). And in November I've continued it with new article and in December I've published my web application related to this topic. Later I'll write new articles, which I've planned on this topic, so stay tuned. 1. Injecting backdoors into web applications. http://websecurity.com.ua/6195/ In this article I've told about situation with injecting backdoors into web applications. I've monitored it since 2007, so I presented a lot of cases, where servers of popular webapps were hacked and backdoors were injected. I described main vectors how backdoors are injecting into web applications and listed backdoored webapps from WordPress in 2007 till Piwik in 2012. The list includes WordPress, MiniGal, Ucms, Cypress BX script, com_rsgallery2 gallery for Joomla, com_jumi / jumi for Joomla, PyForum, phpMyAdmin, Piwik. And I've told about backdoored OpenSSL in Debian, backdoored OpenSSH in Red Hat Linux and hacks of infrastructure of Linux and FreeBSD (which happened this year), when servers with sources were compromised and there were possibilities of backdoor injections. Also I've mentioned about 2008's article about backdoored exploits. 2. Backdoored Web Application. http://websecurity.com.ua/security_software/ On Tuesday I've presented Backdoored Web Application (BWA) - this is small web applications with built-in backdoor. I position this web application as reference test of backdoors scanners. All qualitative scanners of backdoors must find it, otherwise such scanners not good enough. So everyone can use it to check their scanners. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua