  • Weaning the Web off of Session Cookies Making Digest Authentication Viable

    Timothy D. Morgan has published an excellent paper describing how UI limitations hinder adoption of HTTP based authentication; how UI behaviors are/can be abused pertaining to HTTP auth; observations on cookie limitations; and proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest. From the paper: "In this paper,…

  • Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse

    For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass…

  • Crafting a Security RFP

    "Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses. Here's my list of the top 10 mistakes organizations make when crafting a…

  • Building a Web Application Security Program, Part 8: Putting It All Together

    "Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of your particular organization.…

  • Article: Security Assessment of the Internet Protocol

    The following was sent to the Full Disclosure mailing list yesterday. "In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure) published the document "Security Assessment of the Internet Protocol". The motivation of the aforementioned document is explained in the Preface of the document itself. (The paper is available at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf ) Once…

  • MD5 considered harmful today: Creating a rogue CA certificate

    UPDATE: I’ve added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “We have identified a vulnerability in the Internet Public Key…

  • Software [In]security: Software Security Top 10 Surprises

    "Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay…

  • Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations

    David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list. "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file – i.e. there's no need to…

  • Article: What the NSA thinks of .NET 2.0 Security

    Romain Gaucher posted to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction: "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place some of the configuration options…

  • Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks

    Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as…