"Extensible Markup Language (XML), Web services, and service-oriented architecture (SOA) are the latest craze in the software development world. These buzzwords burn particularly bright in large enterprises with hundreds or thousands of systems that were developed independently. If these disparate systems can be made to work together using open standards, a tremendous amount of time,…

The following article was posted to The Web Security Mailing List earlier today. "Recently, the world saw The Pirate Bay offering SSL encryption on their server. This means that your ISP won’t know anymore which torrent you are downloading, right? Wrong. HTTPS is quite useless for protecting static and public content. By static, I do…

1. What is CGISecurity? CGISecurity was founded in 2000 making it the oldest application security news site on the web. It focuses on the aspects required to secure your site from the ground up. 2. When is your next advisory coming out? d I’ve decided to stop releasing advisories. That is all. 3. Is your…

Below are a list of phishing resources that I’ve gathered that I’ve decided to stick in one central location. If I’m missing a link please let me know by filling out our Contact Form. Sites: Anti-Phishing Working Group "Our mission is to provide a resource for information on the problem and solutions for phishing and…

URL Scan is a plug into IIS that allows for request based filtering (Not signature based) of incoming requests. By enabling some of these filters it is possible to prevent exploitation of known, or new unpublished vulnerabilities. Additional information on ‘Web Application Firewalls’ can be answered at our What is a Web Application Firewall FAQ…

ModSecurity is a plug-in module to the Apache webserver that allows for request based filtering of incoming requests. By enabling some of these filters it is possible to prevent exploitation of known, or new unpublished vulnerabilities. ModSecurity also supports Signature based rules which allows you to write your own custom signatures. Ivan Ristic the author…

Last Update: June 28th News Is Web 2.0 Safe? Developers warned to secure AJAX design (4/4/07) Web 2.0 Apps Vulnerable to Attack (4/4/07) The security risk in Web 2.0 Ajax Security Vulnerabilities Could Pose Serious Risk, foxnews Worm wriggles through Yahoo mail flaw JavaScript Worm Targets Yahoo AJAX Experts Tackle Security, Other Issues AJAX Security…

Below is a collection of resources that I’ve gathered that I’ve decided to stick in one central location. If I’m missing a link please let me know by filling out our Contact Form. Articles Vulnerability Scanning Web 2.0 Client-Side Components 08/08/06 Microsoft Team RSS Blog discusses more RSS Risks Feed Injection In Web 2.0: Hacking…

Specifications: Specification: Web Services Security (WS-Security) (PDF) (HTML) Web Services Glossary, W3C Working Draft 14 November 2002 Web Services Security (WS-Security) Version 1.0, April 5, 2002 (PDF) Web Services Specifications Web Services Security Kerberos Binding (PDF) Web Services Security XrML Token Binding (PDF) Web Services Architecture Requirements,  01 April 2002 Misc: Microsoft .NET Web Services…

This page contains references to things CGISecurity.com has been involved with. * http://www.webappsec.org I co founded the Web Application Security Consortium with Jeremiah Grossman in 2004. * http://www.webappsec.org/lists/websecurity/ I am the lead moderator for ‘The Web Security Mailing List’. * www.net-security.org/article.php?id=91 This is an article I helped review content for, including making some changes, and…

You’ve reached a section that isn’t completed yet. If you have any comments or suggestions for this section Contact us!