  • Browser Security: I Want A Website Active Content Policy File Standard!

    UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn’t meant to be…

  • 5 amusing security vendor moments

    This list was created based off of real security vendor interactions that I and a friend have experienced. 1. Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry Kevin! 🙂) 2. The vendor comes to your office and pitches you a presentation…

  • Cenzic Patent Case Worries Web Researchers, Vendors

    "A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit — which centers around Cenzic's patent on a Web application vulnerability scanning technology — could mean trouble for other scanner vendors, as well as researchers who develop scanning techniques. Cenzic, which…

  • Cenzic Patents the obvious: Fault Injection!

    I monitor Google News for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." – Cenzic. Cenzic is not the first application security…

  • 5 Ways People Screw Up AJAX

    I had noticed that not many articles existed on the negative aspects/implementation of AJAX, so I came up with this top 5 list of things people screw up when using AJAX. 1. No back button!: One of the most annoying things to a user is the inability to go backwards. They may visit a site, perform…

  • Ad networks tracking users without cookies

    I read Jeremiah’s post about tracking users without cookies and had a conversation with him about it and how ad services companies could track users when cookies are not available. While the Basic auth method works, it will only work with Firefox since IE has disabled this ability after years of being abused by phishers/fraudsters.…

  • A Software Call To Arms: Where are source control repository security scanning tools?

    <rant> We’ve heard of source code analysis tools and blackbox scanning tools, and they have value to help secure your application. Unfortunately they have a major downside: they require the discipline of using them. If your developers don’t run them, they can still check in vulnerable code to your source code repository. For the past…

  • The bug disclosure debate continues

    "Software makers are at the mercy of bug hunters when it comes to flaw disclosure, Mozilla’s security chief said Saturday. The software industry for years has pushed guidelines for vulnerability disclosure. Those "responsible disclosure" efforts have had some effect, but security researchers maintain control over the process, Mozilla security chief Window Snyder said in a…

  • Cross-site Request Forgery and Blackhat SEO

    I research whitehat and blackhat SEO in my spare time (however not on this domain :), and was thinking about some additional uses for Cross-Site Request Forgery from the blackhat SEO perspective. * Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF on the other hand you could force a website user…

  • Backdooring UIML’s and Existing JavaScript Applications

    One of the more interesting aspects of so called ‘Rich Internet Applications’ involves User Interface Markup Languages such as XUL (By Mozilla, been around awhile) and XAML/XBAP (.NET 3.0 the new kid on the block). Essentially these languages allow you to ‘paint’ buttons, menu bars, grids, forms, messageboxes, and other GUI components associated with HTML…

  • Wikipedia’s search engine will spell trouble for the SEO market

    Wikipedia’s founder has announced a search engine allowing users to control the search results in a way similar to how Digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as Google and Yahoo adopt similar models. Typically people will improve their rankings…

  • The lack of security enabled frameworks is why we’re vulnerable

    We’ve been stating for years that ‘developers need to learn to code securely’. Sure, this is great; however, it is essentially limited to skilled professionals. This isn’t to say we shouldn’t keep teaching, however rather than simply focusing on those paying attention we should start babysitting the remaining majority. So how do you watch what a developer…

  • Application Security Predictions of 2007

    OK, I know I’m a little early, but here’s my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, however read them over and give them some thought. Rich Internet Applications (RIA), .NET 3.0 WPF and Adobe Flex: The next big buzzword is going…

  • Attacking Permalinks

    Everyone has seen URLs such as http://site/2006/02/02 and you know that there’s an application in the backend somewhere, but figuring out how to attack those URLs can be tricky. A few of you have probably tried attacking them by sending requests such as http://site/2006'>/02/02 and received a 404 page. I started thinking about this in…

  • Article: Challenges faced by automated web application security assessment tools

    If you’re in the position of evaluating a web application security scanner, or use one to fulfill a compliance scanning requirement then you may want to check out an article I wrote describing some of the challenges these products face. Article Link: http://www.cgisecurity.com/articles/scannerchallenges.shtml

  • Flash + JS + crossdomain.xml = phun

    I was browsing Jeremiah Grossman's blog and found an interesting post talking about a file named crossdomain.xml and extended uses of it in regards to cross-site scripting. In a nutshell there's this file called crossdomain.xml used by Flash to say 'I am http://www.domainb.com and I will allow users of http://www.domaina.com to make requests to…

  • More fun with CSS history

    There's been a big fuss that with CSS you can identify whether someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run http://www.sitea.com, and http://www.siteb.com and http://www.sitec.com are competitors of yours. Now you know these companies…

  • Top 5 signs you’ve selected a bad web application package

    5. The vendor’s idea of a patch process involves you editing line X and replacing it with new code. 4. The amount of total downloads is less than the application’s age. 3. It isn’t running on the vendor's homepage. 2. The readme file states that you need to chmod a certain file or directory to…

  • Application Security Predictions For The Year 2006

    In 2005, published application security vulnerabilities have exploded. If you're subscribed to mailing lists such as Bugtraq you know just how often Cross-Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web brings. Worms and…