lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041101171714.616DB15F502@mail.ngssoftware.com> Date: Mon, 1 Nov 2004 17:36:50 -0000 From: "Gunter Ollmann" <gunter@...software.com> To: <bugtraq@...urityfocus.com> Subject: New Whitepaper - "Second-order Code Injection Attacks" Hi list, NGS Software is pleased to make available a new whitepaper about second-order code injection attacks. Abstract: "Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack (e.g. stealing a user's current session information or executing a modified SQL query). In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack. A second-order code injection attack can be classified as the process in which malicious code is injected into a web-based application and not immediately executed, but instead is stored by the application (e.g. temporarily cached, logged, stored in a database) and then later retrieved, rendered and executed by the victim." The paper can be accessed from: http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf Cheers, Gunter ------------------------------------------------------ G u n t e r O l l m a n n, MSc(Hons), BSc Professional Services Director Next Generation Security Software Ltd. First Floor, 52 Throwley Way Tel: +44 (0)208 401 0089 Sutton, Surrey, SM1 4BF, UK Fax: +44 (0)208 401 0076 http://www.nextgenss.com ------------------------------------------------------
Powered by blists - more mailing lists