“It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.”

Eric Butler, Firesheep.

“One of the great things about working at Google is that we get to take advantage of an enormous amount of computing power to do some really cool things. One idea we tried out was to let webmasters know about their potentially hackable websites. The initial effort was successful enough that we thought we would take it one step further by expanding our efforts to cover other types of web applications—for example, more content management systems (CMSs), forum/bulletin-board applications, stat-trackers, and so on.”

via googlewebmastercentral

“Over the past year many organizations are noticeably starting to “get” the importance of web application security and studying up on the issues, but experience doesn’t come overnight. At WhiteHat we meet a lot of different people possessing a variety of views on the webappsec world. So a couple days ago, I was sanity checking some of Bill Pennington’s (VP of Services) slides on “Five Things Every Security Professional Should Know about Website Security”. For some reason the way the advice was laid out it reminded me of the Five Stages of Grief (if your familiar) because it closely mimicked the attitudes of those we encounter depending on their degree of webappsec sophistication.  Bill re-did the stages, webappsec style, and it came out pretty funny actually…” via Jeremiah Grossman