-
Weaning the Web off of Session Cookies Making Digest Authentication Viable
Timothy D. Morgan has published an excellent paper describing: how UI limitations hinder adoption of HTTP-based authentication; how UI behaviors are/can be abused pertaining to HTTP auth; observations on cookie limitations; and proposals for browser vendors to allow for more widespread adoption of HTTP-based auth such as Digest. From the paper: "In this paper,…
-
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same Origin Policy Bypass…
-
Crafting a Security RFP
"Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses. Here's my list of the top 10 mistakes organizations make when crafting a…
-
Building a Web Application Security Program, Part 8: Putting It All Together
"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of your particular organization.…
-
Article: Security Assessment of the Internet Protocol
The following was sent to the Full Disclosure mailing list yesterday. "In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure) published the document "Security Assessment of the Internet Protocol". The motivation of the aforementioned document is explained in the Preface of the document itself. (The paper is available at: http://www.cpni.gov.uk/Docs/InternetProtocol.pdf ) Once…
-
MD5 considered harmful today: Creating a rogue CA certificate
UPDATE: I’ve added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. “We have identified a vulnerability in the Internet Public Key…
-
Software [In]security: Software Security Top 10 Surprises
"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay…
-
Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations
David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list. "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file – i.e. there's no need to…
-
Article: What the NSA thinks of .NET 2.0 Security
Romain Gaucher posted to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction: "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place some of the configuration options…
-
Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks
Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as…
-
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Intro: The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow third parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most view affiliate programs…
-
Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations. It discusses the technical vulnerabilities typically observed in both the validation and…
-
Paper: The Extended HTML Form attack revisited
"HTML forms (i.e. <form>) are one of the features in HTTP that allow users to send data to HTTP servers. An often overlooked feature is that due to the nature of HTTP, the web browser has no way of identifying between an HTTP server and one that is not an HTTP server. Therefore web browsers…
-
Article: Quick tips for Web application security
"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering of form field…
-
Whitepaper: Access through access by Brett Moore, attacking Microsoft Access
Brett Moore has published a great document on how to SQL inject applications utilizing Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper: "MS Access is commonly thought of as the little brother…
-
The essentials of Web application threat modeling
"A critical part of Web application security is mapping out what's at risk — a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences — not the actual indication of intent to cause disruption (a threat).…
-
IIS7 short Security Guide by Chris Weber
Chris Weber has a great writeup of the new security changes in IIS7. Here are a few article section highlights:
* Integrated request processing pipeline and WCF
* ASP.NET integration
* Request filtering (replaces URLScan)
* IIS7 URL authorization
He even has a nice checklist at the bottom. Guide link: http://chrisweber.wordpress.com/2007/09/19/iis7-security-guide-for-application-reviews/
-
The new security disclosure landscape
Rain Forest Puppy has written an article on vuln disclosure discussing ethics. "simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN…
-
MS Access SQL Injection Cheat Sheet
UPDATED: It appears the site has expired and no mirror exists. 🙁 daath writes in to tell us about his SQL Injection cheat sheet. "I wrote a MS Access SQL Injection Cheat Sheet. You can find it here: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html" SQL Injection Cheat Sheet link: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
-
Uninformed Journal Release Announcement: Volume 8
"Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:"
* Real-time Steganography with RTP
* PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
* Getting out of Jail: Escaping Internet Explorer Protected Mode
* OS X Kernel-mode Exploitation in a Weekend
* A Catalog of Windows Local…
-
10 tips for securing Apache
"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache Web server protected from…
-
Raising the bar: dynamic JavaScript obfuscation
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe was relatively simple…
-
Avoid the dangers of XPath injection
"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well know and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack, which takes advantage…
-
Article: Java security: Is it getting worse?
"Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security of Web applications…
-
Paper: DNS Pinning and Web Proxies
"DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However, the same attacks…