Michael Sutton's Blog

  • How Prevalent Are SQL Injection Vulnerabilities?

    [Update 01.31.07 - A follow up blog on the prevalence of XSS vulnerabilities has now been posted.] [Update 01.17.07 - This blog is now also available as a webcast.] Earlier this month, Mitre revealed that web application vulnerabilities have now claimed...
  • A Tour of the Google Blacklist

    [Update 01.10.07: In response to some of the queries that I've been receiving, I've published a follow up blog to discuss the structure/decryption algorithm of Google's Encoded/Hashed Blacklist.] I recently decided to devote a day to walking...
  • Top 10 Signs You Have an Insecure Web App

    I often surf the web and see blatant design errors that make me shake my head. Without even investigating the security of a site, I know without a doubt that the site will be chock full of vulnerabilities. How can I be so sure? I see programming mistakes...
  • What is Google Binary Search and Should We Fear It?

    Background The so-called Google Binary Search (GBS) gained a fair bit of press attention in July 2006, when PC World published an article entitled 'Google's Binary Search Helps Identify Malware'. In the article, Websense revealed that they...
  • Will EV SSL Certificates Work?

    What are EV SSL certificates? With the explosion of phishing attacks and identity theft, a new form of SSL certificate is ready to hit the Internet. This new certificate is known as an Extended Validation (EV) SSL certificate and is designed "to...
  • Microsoft Black Tuesday - January 2007

    This month's bulletins leave us with two major headlines. First, 'What happened to half of the bulletins?' and secondly, Internet Explorer 7.0 isn't apparently quite as bulletproof as advertised. Even before Black Tuesday arrived this...
  • Why All The Hype About 0day?

    The term "0day" has the power to make sys admins cringe. It is the greatest fear of anyone tasked with protecting critical assets - a problem without an easy solution. Why? No, seriously why? 0day is a neon sign in the middle of Times Square. Once...
  • Fun With Google Code Search

    Yesterday, Google Labs launched a search tool that has many developers salivating. It's called Google Code Search (GCS) and allows developers to search source code from other projects to assist them in finding code for reuse. It has some impressive...
  • Good Intentions Equal Bad Security

    Earlier this week, yet another rapidly spreading MySpace worm reminded me of a frequent dilemma in computer security. All too often functionality is added to technology without first considering its security implications. The latest MySpace worm was made...
  • How Prevalent Are XSS Vulnerabilities?

    How Prevalent Are Cross Site Scripting (XSS) Vulnerabilities? Based on a recent experiment, I wasn't surprised to see that they're everywhere and finding dozens at a time doesn't present much of a challenge. Back in September 2006 I sought...
  • Phree Phishing

    I recently blogged about the phishing pages that I found during a Tour of the Google Blacklist. In that posting I noted how I was surprised to find that Yahoo! was actually hosting phishing sites designed to phish Yahoo! credentials. Not surprisingly...
  • Educating Developers

    I spend much of my time on the road conducting presentations on application security for various audiences. Of all the groups that I speak to, developers are a favorite of mine. Developers get a bad rap when it comes to security. They are generally blamed...
  • What is Web 2.0?

    Web 2.0 may be the most ill-defined technology term to date. Everyone uses the term but I have yet to hear a decent definition of it. O'Reilly Media is credited with coining the phrase and Tim O'Reilly defines Web 2.0 as: "Web 2.0 is the...
  • Debug Message XSS Vulnerabilities

    I was excited this afternoon when I thought that I'd stumbled upon a universal XSS vulnerability in verbose ColdFusion error messages. While testing a site, I had noted that a verbose debug error message (see below) echoed back many of the request...
  • Decoding the Google Blacklist

    After publishing last week's blog entitled 'A Tour of the Google Blacklist', I received a few queries about Google's encoded/hashed blacklist (enchash). This blacklist is separate from the unencoded blacklist that was the focus of the...