Hacking Hotmail via XSS

When logging into Hotmail, a cookie is created that gives the user continued access while within the domain. Hackers may steal such cookies and produce fakes using tools such as Proxomitron. Since Hotmail cookies are not IP-bound, hackers do not need the victim's password or email address to log in and access personal emails and other data. Through Cross Site Scripting (XSS) the hacker inserts JavaScript code that sends the fake cookie to a web server running a logging script, and the deed is done.
Vulnerabilities in MSN and Amazon left unfixed

Security researcher Yash Kadakia, frustrated by a lack of response from Microsoft and Amazon.com, has gone public with details of flaws on MSN and Amazon. Similar to the Hotmail case, the Cross Site Scripting and CRLF (Carriage Return Line Feed) injection vulnerabilities found in these sites could be used by hackers to steal "cookie" data files, giving them access to Amazon.com and MSN accounts, or to display a fake login page for use in phishing attacks.
Kadakia said he first notified Microsoft of the problem about a year ago but was not taken seriously until late last week, when he posted screenshots of the flaw being exploited on his website. The Amazon.com flaw was discovered in December and, according to Kadakia, the vulnerability remains unpatched to date.
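The defender-side controls for the two flaw classes described above (reflected XSS used to read a session cookie, and CRLF injection into response headers), as an added Python example that is not part of the original article or of Acunetix's product. The greeting page, the cookie name SID and the redirect handler are constructed for illustration.

```python
import html
import re

_CRLF = re.compile(r"[\r\n]")
_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")


def render_greeting_unsafe(untrusted_name: str) -> str:
    """The 'before' version: user input is reflected straight into HTML,
    so any markup it contains (including a <script> tag) becomes live."""
    return f"<p>Hello, {untrusted_name}!</p>"


def render_greeting(untrusted_name: str) -> str:
    """Hardened version: contextual HTML escaping turns '<', '>', '&' and
    quotes into entities, so injected markup is displayed as text only."""
    return f"<p>Hello, {html.escape(untrusted_name, quote=True)}!</p>"


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for a session cookie that page script cannot
    read. HttpOnly keeps it out of document.cookie (the channel a stolen-cookie
    script relies on); Secure keeps it off cleartext HTTP; SameSite limits
    cross-site sending. The id must be an opaque token, never user data."""
    if not _TOKEN.fullmatch(session_id):
        raise ValueError("session id must be an opaque token")
    return f"Set-Cookie: SID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def safe_header_value(value: str) -> str:
    """Refuse CR or LF in anything destined for a response header. A CRLF in
    the value would end the header early and let the rest be parsed as new
    headers or body, which is the CRLF injection the article refers to."""
    if _CRLF.search(value):
        raise ValueError("CR/LF not allowed in header values")
    return value


def build_redirect(location: str) -> str:
    """Compose a minimal 302 response whose Location header cannot be split."""
    return (
        "HTTP/1.1 302 Found\r\n"
        "Location: " + safe_header_value(location) + "\r\n"
        "\r\n"
    )
```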
Sanitizing Web Applications

Acunetix Web Vulnerability Scanner automatically audits web applications and checks whether they are secure against exploitable vulnerabilities such as Cross Site Scripting and CRLF injection. An automated check of the Hotmail, Amazon and MSN websites (using Acunetix WVS) could pinpoint these and any other possible vulnerabilities before it is too late, saving the popular companies from undue embarrassment, loss of reputation and customer trust, and any financial losses resulting from an attack.
Acunetix provides free audit to help companies determine the security of their websites

Enterprises who would like to have their website security checked can register for a free audit by visiting www.acunetix.com/security-audit. Participating enterprises will receive a summary audit report showing whether their website is secure or not. Summary reports will be delivered within five business days of submission.
About Acunetix Web Vulnerability Scanner

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross Site Scripting, CRLF injection and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan completes, the software produces detailed reports that pinpoint where vulnerabilities exist.
About Acunetix

Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta), a US office in Seattle, Washington and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com; http://www.acunetix.de.
All product and company names herein may be trademarks of their respective owners.