Last 50 'Development' Tagged Posts

Five pieces of advice for those new to the infosec industry

I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large...

NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad

NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals...

Improving ASP.NET Security with Visual Studio 2010 Code Analysis

Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly...

New Site Addressing Python Security

For you python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community - http://www.pythonsecurity.org/ - which is now the central hub for security in Python. We're writing articles on security topics and how...

A reminder as to why using random salts is a good idea

I came across a post on stackoverflow that I felt was worth mentioning. The person was wanting to hash user passwords and implement per user salting. A response by Dave Sherohman provided a good overview as to why using random salts (instead of just using the user's username) is a good idea....

Be careful of "scheme relative urls" when performing 3xx redirects

Former coworker Sacha Faust has published an entry on how the lack of handling relative urls when implementing URL redirection can lead to open redirector's. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx

Secure Application Development on Facebook Platform

Facebook and isecpartners have teamed up to write an article on developing secure applications on the Facebook platform. "This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with...

Announcement: WASC Threat Classification v2 is Out!

I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...

Adobe on Fuzzing Adobe Reader For Security Defects

Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however...

Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC

Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new...

Microsoft's Enhanced Mitigation Evaluation Toolkit adds protection to processes

Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more...

WASC TC v2 - Improper Input Handling Section Completed

I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level...

Strict Transport Security (STS) draft specification is public

Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM...

Article: Bypassing DBMS_ASSERT in certain situations

David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protect against SQL injection attacks[1]. In [2] Alex Kornbrust...

WASC Threat Classification 2.0 Sneak Peek

Here is a sneak peek at the WASC Threat Classification v2.0. We've been working on this for more than a year and it's been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement "The Threat Classification v2.0...

Fuzzware 1.5 released

"Fuzzware is tool for pen-testers and software security testers that is designed to simplify the fuzzing process, while maximising the fuzzing quality and effectiveness. Fuzzware is adaptable to various testing scenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you fine grain control over the fuzzing techniques used and ensures any interesting...

Session Attacks and ASP.NET - Part 2

"In Session Attacks and ASP.NET - Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/

Session Attacks and ASP.NET - Part 1

Sans has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked...

Article: 'Setting the appropriate security defect handling expectations in development and QA

I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather...

Microsoft bans Memcpy() in their SDL program

"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C...

Gap Analysis of Application Security in Struts2/WebWork

"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork (hereafter referred to simply as Struts2) development team could add to increase the security of applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version available when the project was started....

OAuth Session Fixation Security Flaw Discovered

From the advisory "The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token)....

Improving Security with URL Rewriting

"Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this is...

XSS (Cross Site Scripting) Prevention Cheat Sheet

"This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS can...

Blackhat 2006 RSS Security Talk Video Available

In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting. Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4 Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf

Facebook Fixes User Email Address Leakage

"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address...

The Safe Math Library

"The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification which is designed to provide alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promotes safer, more secure programming in C. To recap: The Safe C Library (available for download here) provides bound...

Protect Your Site With URL Rewriting

Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL writing to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such...

Putting Vulnerabilities in Perspective

"AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix...

Application Security Vendors Need Help With Reporting

I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...

The security industry needs to re-align its training expectations for QA

I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...

Microsoft's SDL and the CWE/SANS Top 25

"Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard...

A run down of the major security mailing lists

Here's a run down of the main mailing lists that I follow. While most of these are known in the security industry, many people who frequent this site are from various backgrounds and may find this list useful. Bugtraq: "BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and...

Microsoft Open Sources Web Sandbox

Sacha Writes "Microsoft has announced plans to release the code of its Web Sandbox project under the open source Apache Software License. The Web Sandbox project aims to mitigate some of the security risks that are associated with building Web mashups that mix in untrusted content from third-party sources. The task of...

Security metrics on flaws detected during architectural review?

I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics...

CWE & SANS TOP 25 Most Dangerous Programming Errors

"Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec,...

Facebook, MySpace, Digg, and Ning Discuss Their Architectures

"Facebook, MySpace, Digg and Ning recently shared their trials and tribulations at the QCon conference in San Francisco, California. Dan Farino, chief systems architect at MySpace.com, said his site started with a very small architecture and scaled out. He focused on monitoring and administration on a Windows network and the challenge of...

Software [In]security: Software Security Top 10 Surprises

"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...

Interview: Robert Seacord on the CERT C Secure Coding Standard

"Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots. I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and...

Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing

"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard, and...

XMLHttpRequest will be more secure in the future

"Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors. The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/ • prevents creating set-cookie/2 headers via setRequestHeader() in a case insensitive way. (but XHR...

Executing scripts with non-english characters

There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks. "I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead...

Budgeting for Web Application Security

Jeremiah has published an entry on budgeting for web application security in your company. "“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many...

Microsoft publishes uber patch to address 28 vulnerabilities

"Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its...

Article: What the NSA thinks of .NET 2.0 Security

Romain Guacher to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction. "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place...

Protecting a Web Application Against Attacks Through HTML Shared Files

A new whitepaper 'Protecting a Web Application Against Attacks Through HTML Shared Files' discusses the risks of user uploaded HTML files. You'll notice this paper claims to have a 'patent pending' for the concept of splitting user uploaded files to another domain with a unique identifiers. "Many Web applications have a file-sharing...

Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks

Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation...

Attacking PHP weak PRNGs: mt_srand and not so random numbers

Stefan Esser has written a great article on attacking php PRNG's. "PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms...

Tools: Microsoft Announces Three Tools to help prevent SQL Injection

"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits....

PCI DSS compliance: Web application firewall or code review?

Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article . Below is the information." I don't usually link to...

Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers

"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack. For those of you who aren’t...

Are CAPTCHA's dead?

"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us. Recently, though, the various most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten...

Web developers, fix thy Flash

"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted...

Introduction to Adobe AIR Security

AIR is an interesting technology merging the web and desktop based applications on the flash platform. Lucas Adamski from Adobe has published a very good article describing the platform and security concerns I'd advise checking out. While it remains to be seen if AIR is going to be the next big thing,...

Visual Studio Plugin XSSDetect Available To Detect Cross-Site Scripting In Your Code

"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE...

Security details of the upcoming Rails 2.0 release

"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax...

Ruby on Rails Security Cheatsheet

My friend Joren forwarded to me the ror security cheatsheet which is a great central resource for ruby on rails security issues. If you code or are going to perform an audit against an ror application be sure to check this out. Article Link: http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/

New security flaw found in Microsoft's MFC library

"A new moderately critical vulnerability has been reported that affects two application programming interfaces (APIs) used in Windows XP. The flaw is in the MFC42 and MFC71 libraries that together handle searches across the Windows file system. These interfaces are used by applications that were developed using the Microsoft Foundation Classes libraries,...

Encrypting .NET configuration files through code

"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections. Encrypting configuration data improves application...

SOAs 6 burning questions

"Traditional application security is "ineffective and unwieldy in a SOA" because identity and access rights -- including passwords and privileges -- vary widely among applications, West of Saugatuck Technology writes in a research paper released last year. Single sign-on has not proved scalable in large organizations and is complicated by privacy and...

HDIV: Struts 2 Security Plugin

Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts ( Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confident iality of non editable data and Generic Validations of the Editable Data), maintaining the API...

Article: Java security: Is it getting worse?

" Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security...

Incorrect configuration can open Web sites to application security attacks

Bryan Sullivan has just published Incorrect configuration can open Web sites to application security attacks the second half of Debugging Application Security Vulnerabilities in Web.config Files. I've worked with Bryan at SPI Dynamics and he's a really sharp guy. As a matter of fact I'm helping to peer review an ajax security...

Security Development Lifecycle (SDL) Banned Function Calls

Michael Howard has a very good article on bad API calls to use when developing c/c++ applications. "When the C runtime library (CRT) was first created about 25 years ago, the threats to computers were different; machines were not as interconnected as they are today, and attacks were not as prevalent. With...

Article: ASP Session Cookies

Paliside has published an article providing an introduction to cookies in ASP, how session state management works, and expiration handling. Article Link: http://palisade.plynt.com/issues/2007Feb/asp-session-cookies/

Building Secure Applications: Consistent Logging

"This article examines the dismal state of application-layer logging as observed from the authors� years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time...

Detect Your Web Application's Vulnerabilities Early with Ruby

"Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application's security posture. Users also can apply fuzzing to perform tests on...

Stateful Web Application Firewalls with .NET

"A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a...

Ambiguity In Ajax Lockdown Framework

An anonymous user writes "This draft sets focus on the complexities in ajax lockdown for client privacy.The framework is based on the concept of fusing ajax applications with direct web remoting.The stress is laid on the client server communication and t he main point of talk is encrypting the client data and...

AJAX Lockdown: A new concept of data privacy and security for AJAX-based Web applications using client-side data encryption

"AJAX is definitely taking Web applications to the next level in ease of use and desktop-like user interfaces. And it can even be used to create the secure, privacy-oriented Web applications that are so needed in today's Web world. AJAX is based on Web browsers endowed with powerful JavaScript engines. In this...

PHP Security From The Inside: An interview with Stefan Esser

"Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache...

Exploiting JSON Framework : 7 Attack Shots

Aditya K Sood writes "This article define the layout of the exploiting factors of web attacks ie where the JSON framework is compromised.The article is consistent in explaining the pros of the web attack related to JSON." Article Link: http://www.zeroknock.metaeye.org/mlabs/expjson.html

CGISecurity Article: The Cross-Site Request Forgery FAQ

The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please...

Accessing Java Clients with the BeanShell

"Assessing the security of Java applications, and particularly client- server applications, can be a tedious process of modifying the code, compiling, deploying, testing and repeat. This becomes even more difficult when the source code to the application is not available. What security testers require is an easy means of interacting with the...

Ajax Security Basics Article

"Ajax is considered the next step in a progression towards the trumpeted, "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of relevant approaches and tools needed....

Ajax Storage: A Look at Flash Cookies and Internet Explorer Persistance

An Anonymous Employee Writes " Foundstone has an interesting write up on their site about Flash shared objects and other AJAX caching developments from a security angle. The Dojo JavaScript Framework already includes code to make use of this. These "cookies " can save larger amounts of data, can be accessed across...

HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0

"I really have some good laughs when I tamper with cookies on my machine and watch the results when it is submitted back to the site. On the other hand, I don’t want any one to do the same to the cookies that I make! Cookies, most of the times, shouldn’t be...

Burton: Put Web Services Security on front burner

"Now that the WS-Security spec is "ready for prime time" and many security products are supporting it, organizations should start to develop a Web services security strategy, according to Anne Thomas Manes, a vice president and research director at Burton Group in Midvale, Utah. However, in her recent report, Web Services Security:...

Uninformed Online Zine #3 Released

A online zine called 'uninformed' has just released issue #3. I gotta say it's worth checking out. Below is the list of the table of contents. * Bypassing PatchGuard on Windows x64 * Windows Kernel-mode Payload Fundamentals * Analyzing Common Binary Parser Mistakes * Attacking NTLM with Precomputed Hashtables * Linux Improvised...

PAPER: Preventing Http Session Fixation Attacks

Zinho Writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)

Top 7 PHP Security Blunders

Sitepoint has published an article covering the 7 most common vulnerability types applied to the PHP language as well as configuration options to futher lock down your environment. While I disagree with the structure/actual 7 the article is good and worth checking out. If you're lazy and just want the seven here...

New Approach to .NET obfuscation

I found an interesting article on slashdot talking about a new technology that will further lockdown .NET applications. From this initial article this looks like a promising new technology. "One area of research is called "Program State Code Protection,” or PSCP, which means changing the code AS IT RUNS to make it...

Two new Blind SQL Injection papers released

This week two new papers on blind sql injection have been released. The first paper was released by Webcohort goes into detail on how to detect blind sql injection, and how to carry out an attack. The paper released by Spidynamic's "SPI Labs" covers similar information, but also contains example 'fixes' for...

Microsoft released Ebook on web security

Microsoft has released a massive 919 page ebook covering everything from how to lock down your web server, web services, web applications, and web application servers. This book is worth a read and I highly recommend it. Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 Meg)

Article #2: "The Cross Site Scripting Faq"

Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention. This article also covers practicle examples of cookie theft, and...