222630 Resource 202612 202768 202768 1231110607224 1231119545301 Controlled Cenzic Adds New SmartAttack for JavaScript Hijacking New support added for JavaScript Hijacking Vulnerability in Cenzic SmartAttack library <p>A New Year means adding a new SmartAttack for Cenzic &ndash;&nbsp;the <strong>JavaScript Hijacking SmartAttack&nbsp;-</strong> making it our 96th SmartAttack!&nbsp; We added this support to&nbsp;the&nbsp;SmartAttack library arsenal on January 2, 2009 due to the rising number of eavesdropping attacks against AJAX-style Web applications.&nbsp; This vulnerability was <strong>discovered on Gmail</strong> and recently fixed.&nbsp; </p><p>JavaScript Hijacking is an attack that tricks the victim into loading a page that contains a malicious request.&nbsp; The request is malicious because it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.&nbsp; If an application is vulnerable, an attacker can force a logged-in victim's browser to send pre-authenticated AJAX request to a vulnerable Web application, potentially forcing the victim's browser to perform a hostile action.&nbsp; This allows an attacker to perform all the legitimate actions which a legitimate user can perform after a log-in. </p><p>And because our development team felt extra ambitious over the holiday season, we also added enhanced support for our Web Server SmartAttack by updating it with the <strong>PHP 'imageRotate()' Uninitialized Memory Information Disclosure Vulnerability</strong> (Bugtraq ID 33002).&nbsp; More information about this vulnerability can be found at:<br /><a href="http://www.securityfocus.com/bid/33002/"><strong><u>http://www.securityfocus.com/bid/33002/</u></strong></a></p><p>To learn more details on how you can automatically update your Cenzic Hailstorm product, visit our <a title="Cenzic SmartAttack Library" href="http://www.cenzic.com/index.php?id=technology_cia-research_smartAttacks" target="_blank"><strong><u>Website</u></strong></a>.<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br /><strong>Background on Cenzic&rsquo;s SmartAttacks</strong><br />Every week, Cenzic&rsquo;s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to use when it emulates a hacker and attacks our customer&rsquo;s Websites to detect their security posture.&nbsp;&nbsp; These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.</p><p>by<br /><strong>Erin Swanson<br /></strong><a href="mailto:ESwanson@cenzic.com"><strong><u>ESwanson@cenzic.com</u></strong></a></p> 9 application/xml false cenzic JavaScript Hijacking Cenzic SmartAttack Library Updates Weekly updates made to Cenzic product suite http://www.cenzic.com/index.php?id=technology_cia-research_smartAttacks Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 127.0.0.1 127.0.0.1 eswanson 64.60.123.45 false true false false true 204329 false false true false false false true 202612 blog blogsite/Cenzic/web