The Microsoft Korea website (http://www.microsoft.co.kr/dynamic/ko/kr) is vulnerable to cross-site scripting (XSS).

Combined with phishing techniques, exploiting this XSS vulnerability could therefore lead to serious security breaches or leak personal information.


In May, I published that the Microsoft website contained a SQL Injection vulnerability. This issue seems to have been resolved silently.

link: http://moonslab.com/930


Posted by 문스랩닷컴

A Vietnamese hacker called "Thuat Nguyen" had hacked into iTunes accounts and manipulated the rating and sales for his book apps in July.

Apple has not confirmed an official statement regarding these hacks. But I guess that the attack point of these hacks was phishing (such as e-mail) or malware such as a keylogger.

I assumed that the iTunes website may be vulnerable to SQL Injection or XSS attacks.

Finally, I've found that the iTunes website is vulnerable to XSS attacks.


<#1. XSS attack. iTunes likes Google?>

While there are a huge number of XSS attack vectors, secure coding (input validation, output escaping) can defend against XSS attacks (and SQL Injection).
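As an added example (not code from the original post or from any of the sites it mentions), the two defences named above applied to a hypothetical search page that reflects a user-supplied term: the vulnerable rendering beside the hardened one, which validates the input and escapes it on output.

```javascript
// Added example, not from the original post: output escaping and input
// validation for a reflected search parameter, the defence the post names.

// Map every HTML-significant character to its entity so user input is
// rendered as text, never parsed as markup, in an HTML element context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: a search term for this hypothetical page may contain
// letters, digits, spaces and a few punctuation marks, capped in length.
// Anything else is rejected before it reaches the template.
const SEARCH_TERM = /^[\p{L}\p{N} .,'-]{1,100}$/u;

function validateSearchTerm(q) {
  return SEARCH_TERM.test(q);
}

// Vulnerable form: reflects the parameter straight into the page. Shown only
// to contrast with the hardened version below.
function renderResultsUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened form: validate first, then escape on output. Escaping alone already
// prevents markup injection; validation additionally shrinks the input space.
function renderResultsSafe(q) {
  if (!validateSearchTerm(q)) {
    return '<h1>Invalid search term</h1>';
  }
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}
```

Escaping must match the output context: the table above is for HTML element content and attribute values, not for JavaScript strings or URLs.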

Please email me (moonslab@gmail.com) if you are a security administrator of the Apple or iTunes site.


On 15th July, Kaspersky, one of the famous antivirus vendors, blocked the BBC News site because the BBC site was being used to steal data such as passwords, credit card information and so on, according to KitGuru.

http://www.kitguru.net/software/zardon/kaspersky-block-bbc-news-by-accident/

After this false positive, many people posted in forums and tweeted about it on Twitter. Kaspersky immediately issued a signature update that should fix this false positive and prevent the BBC site from being blocked in future.

But assume that the BBC site really is vulnerable. What would you do?

You're right. The BBC site is really vulnerable to SQL Injection attacks. As you know, SQL Injection is a technique that exploits a top-rated security vulnerability occurring at the database layer of a web application.


The BBC site uses a MySQL database and Perl scripts. And the DB owner is ... ...

I will not proceed with any more attacks.

Please email me (moonslab@gmail.com) if you are a security administrator of the BBC site.

