4/23/07 The business case for security frameworks
This article describes the advantages of using input validation frameworks during development to reduce risks such as Cross-Site Scripting.
2/1/07 Using Fuzzers in Software Testing
Fuzzers are used to perform negative testing against application inputs in order to identify unexpected behaviors. This is accomplished by feeding both valid and invalid data to each input. Fuzzers are good at exposing filtering problems (e.g. an email address verifier that does a poor job), and once set up they require little maintenance until the application undergoes medium-to-major changes. The behaviors they surface may be harmless bugs, but they can also point to a security risk. An attacker or security tester typically enumerates an application's inputs and outputs and then configures a fuzzer to start throwing malformed data at them. Depending on how the session is configured, a fuzzing run can last hours, days, weeks or even months. A software tester (QA) can use the same method to find the same kinds of issues and incorporate it into the regular testing cycle. For security testing, the primary focus is fuzzing input fields to perform negative testing.
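The following is an added example, not code from the original page or from any tool it links to. It shows the workflow the paragraph describes in miniature: a deliberately sloppy email verifier (a constructed stand-in for the "poor job" validator mentioned above), a stricter oracle used to judge its answers, a mutation-based case generator, and a harness that records three kinds of unexpected behavior: crashes, invalid input accepted, and valid input rejected. The target, the oracle regex, the seed strings and the mutation fragments are all assumptions made for the example.

```python
"""Minimal mutation fuzzer for an input-validation routine (added example)."""
import random
import re
import string


# --- Target under test (constructed stand-in; not from the original page) ---
def weak_email_check(value):
    """Sloppy validator: split on a single '@', then require a '.' in the domain.

    The tuple unpack raises ValueError when there are zero or two-plus '@'
    characters, which is exactly the kind of crash a fuzzer should surface.
    """
    local, domain = value.split("@")
    return "." in domain


# --- Oracle: a stricter notion of "valid" used to judge the target ---------
# Constructed assumption: a simplified pattern, not a full RFC 5322 grammar.
STRICT = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def strict_oracle(value):
    return STRICT.fullmatch(value) is not None


# --- Case generation: valid seeds, hand-picked edge cases, random mutations --
SEEDS = ["user@example.com", "first.last@mail.example.org"]   # constructed
FRAGMENTS = ["@", ".", "..", "@.", "<script>", "'\"", "\x00", "\r\n",
             " ", "\u00e9", "A" * 300]                           # constructed


def generate_cases(seed, count=200):
    """Deterministic case list: seeds, known edge cases, then mutations."""
    rng = random.Random(seed)
    cases = list(SEEDS) + ["", "@", "@.", "a@b@c", "user@", "@example.com", "a" * 1000]
    while len(cases) < count:
        base = rng.choice(SEEDS)
        op = rng.randrange(4)
        frag = rng.choice(FRAGMENTS)
        if op == 0:                                   # insert a fragment
            pos = rng.randrange(len(base) + 1)
            cases.append(base[:pos] + frag + base[pos:])
        elif op == 1:                                 # overwrite one character
            pos = rng.randrange(len(base))
            cases.append(base[:pos] + frag + base[pos + 1:])
        elif op == 2:                                 # delete a slice
            a = rng.randrange(len(base))
            b = rng.randrange(a, len(base) + 1)
            cases.append(base[:a] + base[b:])
        else:                                         # random printable junk
            n = rng.randrange(1, 40)
            cases.append("".join(rng.choice(string.printable) for _ in range(n)))
    return cases


def fuzz(target, cases):
    """Run every case through the target and record unexpected behaviors."""
    findings = []
    for case in cases:
        try:
            verdict = target(case)
        except Exception as exc:                      # crash: the target blew up
            findings.append({"kind": "crash", "input": case,
                             "detail": "%s: %s" % (type(exc).__name__, exc)})
            continue
        expected = strict_oracle(case)
        if verdict and not expected:                  # filtering problem
            findings.append({"kind": "accepts_invalid", "input": case})
        elif expected and not verdict:                # false positive
            findings.append({"kind": "rejects_valid", "input": case})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'crash': 3, 'accepts_invalid': 12}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = fuzz(weak_email_check, generate_cases(seed=1))
    print(summarize(results))
    for finding in results[:10]:
        print(finding)
```

Seeding the generator makes each run reproducible, so a finding can be re-created from the seed alone; in a real QA cycle the same harness is simply pointed at the real validator and the oracle is replaced by the application's specification.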
1/16/07 The Cross-Site Request Forgery FAQ
The Cross-Site Request Forgery FAQ has been released to address common questions and misconceptions about this widely misunderstood web flaw. The paper is a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered.
Article: Challenges faced by automated web application security assessment tools
"There are many challenges that web application security scanners face that are widely known within the industry, however they may not be so obvious to someone evaluating a product. For starters, if you think you can just download, install, and run a product against any site and get a report outlining all of its risks, you'd probably be wrong."
Book Review: "Apache Security"
Author: Ivan Ristic
Pages: 432
Publisher: O'Reilly
This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally the book does discuss how to use mod_security to harden your system, but I'm happy to report it isn't his main area of focus. One of the first things I do while reviewing a book is to find all the things the text doesn't cover that it *really* should have and point them out in my review. Simply put, this book has everything, and I do mean everything. Here's the low-down on a per-chapter basis.
The Cross Site Scripting FAQ
(Last Updated 8/03)
This is a FAQ covering Cross Site Scripting. The paper also provides examples of practical cookie theft, along with public tools for use in testing.
The French, Russian, and German translations are not up to date; they correspond to the previous version of this document.
"This FAQ is superb. This has been a missing part of web application security for a long time. Many people unfamiliar with the XSS threat are going to enjoy the paper and gain a much better understanding of the issues involved. Well done."
- Jeremiah Grossman
Anatomy of the Web Application Worm
This article describes a threat that hasn't been seen yet against today's web applications. It describes the impact, possibilities, and probability of a worm that not only exploits known holes but finds new ones in a practical manner. I have been asked why I didn't try to improve the way this worm would work. I didn't write this paper to give step-by-step instructions on how to code a worm; I wrote it to promote awareness of this large gaping hole. As of today the paper is theory, but I have a feeling that within the next year we will be hit by this type of worm, and will be completely unprepared.
Book Review: "Web Hacking: Attacks and defense"
Authors: Stuart McClure, Saumil Shah, and Shreeraj Shah
Pages: 492
Publisher: Addison-Wesley
This review covers the things I liked and disliked about this book. It may be of some interest if you plan on picking it up.
Information contained on this website may not be copied without explicit permission.