A log injection vulnerability occurs when a poorly written program writes user-supplied data to a system or application log without any sanitisation or encoding. An attacker who controls that data can manipulate entries in the log for their own purposes; depending on how well they know the log's format and content, this often lets them add new entries and falsify recorded events and actions.
Web services are a widely touted technology that aims to provide tangible benefits to both business and IT. However, no security testing methodology specific to web services is currently available in the marketplace. SIFT's newest paper proposes a framework that covers the entire security testing process, tailored specifically to web services applications.
This report describes a mechanism through which an attacker could use XML to make your web server perform an internal scan of your environment and pass the results back to the external attacker.