-
WSFuzzer 1.5 has been released
Andres Andreu writes "WSFuzzer version 1.5 has been released. It is a pen testing tool that audits HTTP based SOAP targets. Details are available at http://www.neurofuzz.com/modules/software/wsfuzzer.php"
-
Paros 3.2.10 released
A new version of Paros Proxy has been released. "We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields,…
-
New Open Source Web Application Scanner Released (Oedipus)
800m800m Writes "Oedipus is an open source web application security analysis and testing suite written in Ruby by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities. The…
-
Uninformed Online Zine #3 Released
An online zine called 'uninformed' has just released issue #3. I gotta say it's worth checking out. Below is the list of the table of contents. * Bypassing PatchGuard on Windows x64 * Windows Kernel-mode Payload Fundamentals * Analyzing Common Binary Parser Mistakes * Attacking NTLM with Precomputed Hashtables * Linux Improvised Userland Scheduler Virus…
-
PAPER: Preventing Http Session Fixation Attacks
Zinho Writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)
-
ModSecurity 1.9 FINAL has been released
Ivan Ristic Writes "ModSecurity 1.9 FINAL has been released. It is available for immediate download from: http://www.modsecurity.org/download/ After more than a year in development, ModSecurity 1.9 introduces a number of changes that further increase usefulness of this web application security tool. Changes (since 1.8): Major enhancements include: * A brand new audit logging subsystem…
-
Web Application Security Consortium (WASC) releases ‘Threat Classifications’ document
WASC has released a web security 'Threat Classifications' document that attempts to help clarify some of the terms used in web security (such as xss, session fixation, insufficient authorization, etc…). Additional information can be found at the link below. http://www.webappsec.org/threat.html
-
Web Application Security Consortium group formed
A new web security group called The Web Application Security Consortium announced itself today. This group will release documents, and form projects to help address some of the issues in web security. The first release by this group is the "Web Security Glossary", an index of all common terminology involving web application security. " The…
-
Microsoft released Ebook on web security
Microsoft has released a massive 919 page ebook covering everything from how to lock down your web server, web services, web applications, and web application servers. This book is worth a read and I highly recommend it. Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 Meg)
-
IIS LockDown Tool released
Microsoft has finally released a tool that helps secure your IIS machine. This new tool helps patch, and lockdown IIS from well known holes, as well as helping protect itself from unknown holes. Download it below (NOTE: This is also added to our patch section of this site.) IIS Lockdown Tool