The Secure Remote Password Protocol
The recent Heartbleed debacle reminded me of a project a decade ago where the version of WebLogic was upgraded but the deployment script failed to deploy the matching version of the Apache plugin. Fortunately we had contracted a pen-test firm who threw a load of custom Perl script attacks at the site before we let the public in. They found that the error responses being sent back to the attack scripts were just like Heartbleed: raw chunks of memory containing whatever was passing through the web server after it had been decrypted.