-
My experience coleading purple team
I've been fortunate enough to manage a red team program for several years, and since its inception it has gone through many changes. What started out as ad hoc engagements trying to see how far we could get/what problems we could find turned into a mechanism to work more closely and regularly with operations/IT teams.
-
My experience with developer security training
I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experience/s in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement developer focused…
-
Improving ASP.NET Security with Visual Studio 2010 Code Analysis
Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly as possible, and…
-
New Site Addressing Python Security
For you Python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community – http://www.pythonsecurity.org/ – which is now the central hub for security in Python. We're writing articles on security topics and how they pertain to Python, analyzing…
-
A reminder as to why using random salts is a good idea
I came across a post on stackoverflow that I felt was worth mentioning. The person was wanting to hash user passwords and implement per user salting. A response by Dave Sherohman provided a good overview as to why using random salts (instead of just using the user's username) is a good idea. If you've been…
-
Release of Strict Transport Security http module for ASP.NET.
Sacha Faust has published an IIS http module for the Strict Transport Security protocol. From his blog "I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Starbucks” scenario where a user is connecting to a random wifi and accessing corporate data through online…
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. It's good to see a company such as Adobe publishing this information as it's one of those things that is discussed frequently by the security community, however is rarely discussed…
-
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft® .NET Framework. ASP.NET MVC is a new framework based on…
-
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Microsoft has been working on a tool called 'Nozzle' to prevent the exploitation of heap spraying attacks and released a whitepaper describing the process. From the whitepaper. "Heap spraying is a new security attack that significantly increases the exploitability of existing memory corruption errors in type-unsafe applications. With heap spraying, attackers leverage their ability to allocate arbitrary objects…
-
TLS negotiation flaw published
Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related…
-
Microsoft’s Enhanced Mitigation Evaluation Toolkit adds protection to processes
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With…
-
Generic Remote File Inclusion Attack Detection
"A big challenge for identifying web application attacks is to detect malicious activity that cannot easily be spotted using signatures. Remote file inclusion (RFI) is a popular technique used to attack web applications (especially php applications) from a remote server. RFI attacks are extremely dangerous as they allow a client to force an…
-
Session Attacks and ASP.NET – Part 2
"In Session Attacks and ASP.NET – Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/
-
Microsoft bans Memcpy() in their SDL program
"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later…
-
Gap Analysis of Application Security in Struts2/WebWork
"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork (hereafter referred to simply as Struts2) development team could add to increase the security of applications built with Struts2. The version analyzed was version 2.1.6, which was the latest version available when the project was started. The purpose of this research is…
-
Improving Security with URL Rewriting
"Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this is impossible. Some web…
-
XSS (Cross Site Scripting) Prevention Cheat Sheet
"This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by…
-
The Safe Math Library
"The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification which is designed to provide alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promotes safer, more secure programming in C. To recap: The Safe C Library (available for download here) provides bound checking memory and…
-
Protect Your Site With URL Rewriting
Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL rewriting to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that…
-
CERT Advisory VU#435052: An Architectural Flaw Involving Transparent Proxies
For the past year in my spare time I've been researching a flaw involving transparent proxies and today CERT has published an advisory for this issue. If you have a vulnerable proxy on your intranet NOW is the time to patch (details of affected vendors in the CERT advisory). QBIK New Zealand SmoothWall Squid Ziproxy…
-
The Multi-Principal OS Construction of the Gazelle Web Browser
I was reading Slashdot and saw that Microsoft has released a paper outlining a new secure browser architecture. From the abstract "Web browsers originated as applications that people used to view static web sites sequentially. As web sites evolved into dynamic web applications composing content from various web sites, browsers have become multi-principal operating environments with resources…
-
The security industry needs to re-align its training expectations for QA
I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and conferences discussing the need…
-
Microsoft Fixes Clickjacking in IE8?
"Microsoft has introduced a release client version of its latest browser, Internet Explorer 8 (IE8), and the new iteration of the application includes several security improvements, including a noteworthy attempt to address the emerging problem of clickjacking attacks. For those who don't recall, clickjacking is a relatively new technique — first detailed in mid-2008 by…
-
Security metrics on flaws detected during architectural review?
I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics involve issues discovered…