maravis.com

Exploring Information Security

Saturday, July 31, 2010

  • May 21

    The traditional mode of gathering credentials has been phishing attacks sent through email. But this method has been superseded by more effective social engineering attacks. I recently came across an article that described attacks using social networking sites such as MySpace and Facebook.

    Continue reading "Social networks and (in)security" »

  • Apr 2

    There was a funny (to me at least, maybe not for Domino’s) story about how Domino’s gave away 11,000 pizzas for free between Monday night and Tuesday. This happened because a customer who ordered online entered the word “bailout” as a coupon code. Apparently, Domino’s had considered that word for a coupon but never actually used it.

    Continue reading "Domino’s gives away pizzas" »

  • Jan 15

    In every web application security training class that I conduct, I keep repeating that programmers can eliminate a lot of security issues by doing two things:

    1. Validate all input properly
    2. Prevent information leakage, primarily by properly handling exceptions and giving out generic error messages.

    This is based on my experience performing penetration tests on web applications since 2001. While my advice is based on my observations, I did not document the data to back it up. Now the data has been provided by a third party.

    Continue reading "Top programming errors" »
