
Secplicity - Security Simplified

Powered by WatchGuard Technologies

90s Web Insecurity – Daily Security Byte

March 21, 2017 By Corey Nachreiner

In my demos, I often show the most basic web application vulnerabilities. For instance, I show a SQL injection in a very badly designed web login interface. I use this particular example because I think it’s relatively easy for non-security and less technical people to understand. The thing is, web applications and SQL injection have both evolved well beyond this old-school demo. I frankly don’t expect many modern web sites to suffer the very basic coding flaws I exploit in my demo. Yesterday, my assumption was proven wrong.

Recently, Mozilla received a complaint from a web site owner about Firefox’s “notice” of an insecure site. The complaint itself suggests the author does not know much about security, simply because he doesn’t understand the relevance of using HTTP, rather than HTTPS, for his site’s login page. However, when Redditors noticed this complaint and started probing the web site in question, they found the site even less secure than expected. Frankly, it suffers from such basic flaws that some think the entire incident may be a bad joke. Watch the Daily Byte video below to learn more about this insecure site. If you’re a web developer, also check out the OWASP link below to learn how to avoid the same mistakes.
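To make the “badly designed login” concrete, here is an added example (not code from the post or from the site discussed) that puts the 90s-style string-built login query next to the parameterized version OWASP recommends. The user table, account and in-memory SQLite database are constructed for the demonstration; the passwords are stored in plaintext only to mirror the bad design being illustrated.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the demo's login backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password: deliberately bad, like the login this example mimics.
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """1990s-style check: user input is pasted straight into the SQL text.

    A quote in either field ends the string literal early, so the rest of
    the input is parsed as SQL and can rewrite the WHERE clause.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened check: placeholders keep the input as data, never as syntax.

    The driver binds the values separately from the statement, so a quote
    in the password is just a character to compare, not a delimiter.
    """
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # Malformed input that a tester would feed a login form to spot this flaw.
    probe = "' OR '1'='1"
    print("vulnerable, bad password:   ", login_vulnerable(db, "alice", probe))
    print("parameterized, bad password:", login_parameterized(db, "alice", probe))
```

Run as a script, the vulnerable function accepts the malformed password while the parameterized one rejects it; the same pattern applies to every query that takes user input, not just logins.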

Episode Runtime: 5:33

Direct YouTube Link: https://www.youtube.com/watch?v=FRml8n9cezY

EPISODE REFERENCES:

  • Firefox bug report turns into web insecurity drama – Ars Technica
  • Reddit post on this insecure website – Reddit
  • Tweet highlighting the now hidden Mozilla bug submission – Twitter
  • One of my older videos illustrating SQL injection – YouTube
  • Learn about web security with the Open Web Application Security Project – OWASP

Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: Web Attacks

Comments

  1. Jeff says

    March 27, 2017 at 7:47 am

    I inspected sites like Hyperspin.com and many others had HTTP as their login pages. I suppose they were unaware and what a better way to do it is for Mozilla other than to damage their business without any prior notification in order to wake them up. In my case I took care of that problem on my site within 24 hours and I also emailed Hyperspin who also took care of the issue on their own site right away. Yet so many sites remain showing Mozilla “thing” and are unaware that they may be losing most of their visitors. I believe Mozilla could have done it in a different way instead of going ahead and causing so much damage worldwide.

