Archive for the 'Articles' Category
Sunday, March 11th, 2007
Anurag Agarwal continued his series of Reflections on web security superstars by presenting Ivan Ristic, the man who put ModSecurity on the map of mandatory security controls. Just like before, Anurag covers all the articles, books, tools and great contributions to information security made by Ivan Ristic.
Posted in Web Applications, Articles
Monday, March 5th, 2007
Cursor Injection - A New Method for Exploiting PL/SQL Injection and Potential Defences: David Litchfield, NGSSoftware, released this paper, which describes a new method whereby an attacker, seeking to exploit a SQL injection flaw in an Oracle database server, may do so without the need to create an auxiliary inject function in order to execute arbitrary SQL.
Posted in Sql Injection, Articles
Sunday, March 4th, 2007
Anurag Agarwal released the third article in the series of mini biographies called Reflection, which has so far presented Amit Klein and RSnake;
Posted in Web Applications, Articles
Sunday, March 4th, 2007
Well, having the SQL server call home to your machine is cool enough (bye bye firewall), but the paper’s author, Cesar Cerrudo, went a step further. These are the main topics covered by his paper:
Posted in Sql Injection, Articles
Tuesday, February 27th, 2007
It seems that the debate over automatic tools vs. manual penetration tools raises serious questions within government agencies. South Carolina and Delaware already use Core Impact; others might follow:
Posted in Penetration Testing, Articles
Monday, February 26th, 2007
Nick Baskett wrote an interesting article in it-observer about best practices when hiring an external penetration testing consultant. I hope that more and more business decision makers will apply his advice:
Posted in Penetration Testing, Articles
Friday, February 23rd, 2007
If there is any mention of XSS, there is a big chance RSnake’s name or his cheat sheet is mentioned along with it. His contribution to web application security awareness is legendary.
Posted in Web Applications, Articles
Tuesday, February 20th, 2007
ABC News reports on a new attack vector targeted at broadband routers / access points: Drive-By Pharming.
Posted in Web Applications, Articles
Thursday, February 15th, 2007
The 10th issue (February 2007) of (IN)SECURE Magazine is out! The topics covered include: "Microsoft Windows Vista: significant security improvement?"; "Review: GFI Endpoint Security"
Posted in Articles
Monday, February 12th, 2007
The (in)famous Adobe Acrobat Reader Plugin Universal PDF XSS is the scariest vulnerability discovered this year because it can turn any PDF into an XSS attack vector.
Posted in Web Applications, Articles