http://isc.sans.org/diary.html?storyid=6991&rss
Mounting a partition inside a full disk image is quicker this way; I've blogged about the method before here and here (for LVM). It works fine with automated tools, but if you need icat and other manual, in-depth filesystem work, you have to enter the partition offset for each and every command, and that is a pain. For just looking around the partition, though, it is a quick way.
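As an added example (not code from the original post or from the SANS diary), the snippet below parses the partition table of a full image as printed by the Sleuth Kit's mmls, turns each partition's start sector into the byte offset that mount needs, and builds both the one-off loop mount and the per-command icat invocation, which is exactly where the repeated offset becomes tedious. The mmls output, the image name disk.dd, the mount point and the inode number are all constructed placeholders.

```python
"""Partition offsets inside a full-disk image: mount once, or pass -o to every
Sleuth Kit command.

Added example, not code from the original post. Assumes the Sleuth Kit `mmls`
output format ("Units are in N-byte sectors") and Linux `mount -o loop,offset=`.
"""
import re
import shlex
import subprocess

# Constructed sample of `mmls disk.dd` output; not taken from a real case.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0004194303   0003143680   Linux (0x83)
"""

ROW_RE = re.compile(
    r"^(?P<slot_id>\d+):\s+(?P<slot>\S+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<length>\d+)\s+(?P<desc>.+?)\s*$"
)


def sector_size(mmls_output):
    """Sector size mmls used for its numbers (512 on classic disks, 4096 on some)."""
    m = re.search(r"Units are in (\d+)-byte sectors", mmls_output)
    if not m:
        raise ValueError("could not find sector size in mmls output")
    return int(m.group(1))


def parse_partitions(mmls_output):
    """Return allocated partitions with start sector and byte offset.

    The partition-table metadata entry and unallocated gaps are skipped:
    they hold no filesystem, so there is nothing to mount.
    """
    secsize = sector_size(mmls_output)
    parts = []
    for line in mmls_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        desc = m.group("desc")
        if m.group("slot") == "Meta" or desc.startswith("Unallocated"):
            continue
        start = int(m.group("start"))
        parts.append({
            "slot": m.group("slot"),
            "start_sector": start,
            "length_sectors": int(m.group("length")),
            "offset_bytes": start * secsize,  # what mount wants
            "description": desc,
        })
    return parts


def mount_command(image, part, mountpoint):
    """Read-only loop mount at the partition's byte offset.

    ro keeps the evidence untouched; noexec,nodev stop anything on the
    suspect filesystem from running on the analysis box.
    """
    opts = "ro,loop,noexec,nodev,offset=%d" % part["offset_bytes"]
    return ["mount", "-o", opts, image, mountpoint]


def icat_command(image, part, inode):
    """Sleuth Kit tools take the partition start in *sectors* via -o, and it
    has to be repeated on every call: that is the pain the post describes."""
    return ["icat", "-o", str(part["start_sector"]), image, str(inode)]


def run(cmd, dry_run=True):
    """Print the command line; execute it only when explicitly asked (needs root)."""
    print(" ".join(shlex.quote(c) for c in cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    parts = parse_partitions(SAMPLE_MMLS)
    for p in parts:
        print("%-8s start=%d bytes=%d %s" % (p["slot"], p["start_sector"],
                                            p["offset_bytes"], p["description"]))
    run(mount_command("disk.dd", parts[1], "/mnt/evidence"))
    run(icat_command("disk.dd", parts[1], 2))  # inode 2: root directory on ext
```

Run it as-is to see the commands; pass dry_run=False to run() once the image path and mount point are real and you are root. Note that mount takes the offset in bytes while icat, fls and friends take it in sectors, so the two numbers differ by the sector size mmls reports.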
Today I read a blog post from the Silver Tail Blog, which is a member of the Security Bloggers Network. Quite frankly, I am not sure I understand the post the way it is meant to be understood. Sorry about that.
I don't understand why marketing people would want to redirect a potential customer away from their website, or how XSS/SQL is related to business logic flaws. Below are examples that hopefully illustrate the difference between technical and logical flaws.
Business logic flaw: a user parameter contains a userid. The user can change the userid and perform actions as another user (if that userid exists). The request looks perfectly normal, but the application lacks a check that the established user session is allowed to view that information.
Technical flaw: a user parameter contains an address. The user can add HTML code to the address, which is stored in the database and rendered in the browser every time the information is viewed (e.g. on a user profile). The request contains extra code that does not look like an address. The application fails to validate the user input against an allowed character set.
If I misunderstood the original post, please explain.
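The two examples above, side by side as an added code sample that is not part of the original post: the vulnerable handlers and their fixed counterparts. The Session class, the PROFILES in-memory store and the parameter dicts are made up to keep it self-contained; a real application would have a framework request object and a database. For the technical flaw it goes one step past the post: it validates the input against an allowed character set as described, and also HTML-encodes on output, which is the defence that still holds when a validation rule is bypassed.

```python
"""Business logic flaw (missing authorization) next to a technical flaw
(stored XSS), each with a fixed version.

Added example, not code from the original post; Session, PROFILES and the
params dicts are constructed placeholders.
"""
import html
import re
from dataclasses import dataclass


@dataclass
class Session:
    user_id: int
    is_admin: bool = False


# Constructed sample data.
PROFILES = {
    1: {"name": "alice", "address": "1 Main St"},
    2: {"name": "bob", "address": "2 High St"},
}


class Forbidden(Exception):
    pass


class BadInput(Exception):
    pass


# --- Business logic flaw ---------------------------------------------------
def view_profile_vulnerable(session, params):
    # The request is syntactically perfect: userid is a well-formed integer
    # and passes any character-set validation. Nothing ties it to the
    # session, so any logged-in user can read any other user's profile.
    return PROFILES[int(params["userid"])]


def view_profile_fixed(session, params):
    target = int(params["userid"])
    # The missing check: does this session own the record (or is it an admin)?
    if target != session.user_id and not session.is_admin:
        raise Forbidden("session %d may not view user %d" % (session.user_id, target))
    return PROFILES[target]


# --- Technical flaw --------------------------------------------------------
# Allowed character set for a postal address (assumption; tune per locale).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 ,.'/-]{1,200}$")


def save_address_vulnerable(session, params):
    # Stored as-is: "<script>" goes straight into the database.
    PROFILES[session.user_id]["address"] = params["address"]


def render_profile_vulnerable(profile):
    # Rendered as-is: the stored markup runs in every viewer's browser.
    return "<p>%s</p>" % profile["address"]


def save_address_fixed(session, params):
    addr = params["address"]
    # Input validation against the allowed character set, as the post describes.
    if not ADDRESS_RE.match(addr):
        raise BadInput("address contains characters outside the allowed set")
    PROFILES[session.user_id]["address"] = addr


def render_profile_fixed(profile):
    # Output encoding on render: neutralises anything that slipped past validation.
    return "<p>%s</p>" % html.escape(profile["address"], quote=True)


if __name__ == "__main__":
    alice = Session(user_id=1)
    print(view_profile_vulnerable(alice, {"userid": "2"}))   # bob's profile
    try:
        view_profile_fixed(alice, {"userid": "2"})
    except Forbidden as e:
        print("fixed:", e)
    save_address_vulnerable(alice, {"address": "<script>alert(1)</script>"})
    print(render_profile_vulnerable(PROFILES[1]))
    print(render_profile_fixed(PROFILES[1]))
```

The contrast is the point: the logic flaw cannot be caught by looking at the shape of the request, only by knowing what the session is entitled to, while the technical flaw is visible in the request itself and is caught by validation and output encoding.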
www.liquidinfo.net - Security is a mindset
August 25, 2009