Saturday, January 19, 2013

SUPPORT ALL THREATS



https://www.owasp.org/index.php/Category:Vulnerability

What is a vulnerability?

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term "vulnerability" is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.

Please do not post any actual vulnerabilities in products, services, or web applications. Those disclosure reports should be posted to the bugtraq or full-disclosure mailing lists.

Examples of vulnerabilities

Lack of input validation on user input
Lack of sufficient logging mechanism
Fail-open error handling
Not closing the database connection properly

For a great overview, check out the OWASP Top Ten Project. You can read about the top vulnerabilities and download a paper that covers them in detail. Many organizations and agencies use the Top Ten as a way of creating awareness about application security.

How to add a new Vulnerability article

You can follow the instructions to make a new Vulnerability article. Please use the appropriate structure and follow the Tutorial. Be sure to paste the following at the end of your article to make it show up in the Vulnerability category:

[[Category:Vulnerability]]

NOTE: Before you add a vulnerability, please search and make sure there isn't an equivalent one already. You may want to consider creating a redirect if the topic is the same. Every vulnerability article has a defined structure. Please read the details of How To Add a Vulnerability before creating a new article.

Subcategories

This category has the following 24 subcategories, out of 24 total.

A

API Abuse (0)
Authentication Vulnerability (1)
Authorization Vulnerability (1)
Availability Vulnerability (0)

C

Code Permission Vulnerability (0)
Code Quality Vulnerability (0)
Concurrency Vulnerability (0)
Configuration Vulnerability (0)
Cryptographic Vulnerability (0)

E

Encoding Vulnerability (0)
Environmental Vulnerability (0)
Error Handling Vulnerability (0)

G

General Logic Error Vulnerability (0)

I

Input Validation Vulnerability (0)

L

Logging and Auditing Vulnerability (0)

P

Password Management Vulnerability (0)
Path Vulnerability (0)
Protocol Errors (0)

R

Range and Type Error Vulnerability (0)

S

Sensitive Data Protection Vulnerability (0)
Session Management Vulnerability (0)
Synchronization and Timing Vulnerability (0)

U

Unsafe Mobile Code (0)
Use of Dangerous API (0)

Pages in category "Vulnerability"

The following 168 pages are in this category, out of 168 total.


A

Access control enforced by presentation layer
Addition of data-structure sentinel
Allowing Domains or Accounts to Expire
Allowing password aging
ASP.NET Misconfigurations
Assigning instead of comparing
Authentication Bypass via Assumed-Immutable Data

B

User:Briechenstein Software Studio
Buffer Overflow
Buffer underwrite
Business logic vulnerability

C

Capture-replay
Catch NullPointerException
Comparing classes by name
Comparing instead of assigning
Comprehensive list of Threats to Authentication Procedures and Data
Covert timing channel
CRLF Injection
Cross Site Scripting Flaw

D

Dangerous Function
Deletion of data-structure sentinel
Deserialization of untrusted data
Directory Restriction Error
Double Free
Doubly freeing memory
Duplicate key in associative list (alist)

E

Empty Catch Block
Empty String Password

F

Failure of true random number generator
Failure to account for default case in switch
Failure to add integrity check value
Failure to check for certificate revocation
Failure to check integrity check value
Failure to check whether privileges were dropped successfully
Failure to deallocate data
Failure to drop privileges when reasonable
Failure to encrypt data
Failure to follow chain of trust in certificate validation
Failure to follow guideline/specification
Failure to protect stored data from modification
Failure to provide confidentiality for stored data
Failure to validate certificate expiration
Failure to validate host-specific certificate data
File Access Race Condition: TOCTOU
Format String

G

Guessed or visible temporary file

H

Hard-Coded Password
Heap Inspection
Heap overflow

I

Ignored function return value
Illegal Pointer Value
Improper cleanup on thrown exception
Improper Data Validation
Improper error handling
Improper string length checking
Improper temp file opening


les of Desktop.ini virus
C:\windows\system32\services.exe
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
C:\Windows\Installer\{bbee3ba2-89af-930c-bb78-1fb4e17db3cc}

Step 4: Delete malicious registry entries of Desktop.ini virus.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Random.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer "EnableShellExecuteHooks" = 1 (0x1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Random.exe

As you can see, Desktop.ini is really a very horrible virus which can finally destroy your


Using Credential Manager

Fisnik Hasani

Credential Manager (a.k.a. Windows Vault) is a Single Sign-On (SSO) feature which has been around since Windows® XP and Windows® Server 2003. In Windows Vista® Microsoft® did not improve it much, but in Windows® 7 the Credential Manager has really become an easy-to-use credential manager with style. Credential Manager allows the user to store credentials, such as the user name and password that they use daily to log on to websites or other computers on a network. The credentials are securely stored in special folders called vaults.

[Figure: The Windows Vault in Windows 7]

In the Windows Vault you have three vault categories where credentials can be stored (Table 1).

Table 1: An explanation of each vault category

Vault category               | Explanation
Windows Credentials          | Store network addresses, user IDs and passwords that are required while accessing client computers, intranet and SharePoint sites.
Certificate-Based Credentials | Store digitally signed public key certificates, such as a Smart Card Logon certificate or a Smart Card user certificate, if you are using a certificate together with a smart card.
Generic Credentials          | Store URLs and the user names and passwords associated with them.

To add a password to your Windows Vault:

1. Click the Start button, click Control Panel, click User Accounts and Family Safety, and select Credential Manager.
2. Click Add a Windows credential.

[Figure: Add a password to the Windows Vault in Windows 7]

3. In the Internet or network address box, type the name of the client you want to access.
4. In the User name and Password boxes, type in the user name and the password that you use for that client or website, and click OK.

[Figure: The credential information we've added to the Windows Vault in Windows 7]
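The same four steps can be scripted, which is useful when a help desk has to seed the same client credential on many workstations. The script below is an added example and is not part of Fisnik Hasani's post; it drives cmdkey.exe, the command-line front end to Credential Manager that ships with Windows. The target name and account are placeholders, and the password is prompted for rather than written into the script.

```powershell
# Added example (not from the original post): add, verify and remove a Windows
# credential in the current user's vault with the built-in cmdkey.exe.
# $Target and $UserName are placeholders for the values typed in steps 3 and 4.

$Target   = 'fileserver01.example.local'   # placeholder: "Internet or network address" (step 3)
$UserName = 'EXAMPLE\jdoe'                 # placeholder: account used for that client (step 4)

# Prompt for the password instead of hard-coding it in the script file.
$Secure = Read-Host -Prompt "Password for $UserName" -AsSecureString

# cmdkey takes the password on its command line, so unwrap the SecureString only
# for that single call and discard the plaintext copy right afterwards.
$Plain = [System.Net.NetworkCredential]::new('', $Secure).Password

# Step 2 equivalent: "Add a Windows credential". /add stores a Windows credential
# (first row of Table 1); "/generic:<target>" would store a Generic credential instead.
cmdkey "/add:$Target" "/user:$UserName" "/pass:$Plain" | Out-Null
Remove-Variable Plain

# Confirm the entry now exists. cmdkey only ever lists the target and user name,
# never the stored password.
cmdkey "/list:$Target"

# Housekeeping once the client is gone: delete the entry rather than leaving a
# stale credential behind in the vault.
#   cmdkey "/delete:$Target"
```

Run it in a PowerShell prompt as the user whose vault should hold the entry; `cmdkey /list` with no target shows every stored target for that user. One caveat worth keeping in mind when deciding what to store: vault entries are encrypted under the user's profile, so they are protected from other accounts on the machine and from offline reads of the disk, but any program running in that user's session can read them back. Cached credentials are therefore only as safe as the session itself, which is a good reason not to park highly privileged accounts in the vault of a shared or general-purpose workstation.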

Conclusion

Credential Manager in Windows® 7 is really awesome. I like the new manager, since it has more style and a better management system. So you shall definitely use the new Credential Manager in Windows® 7.
