-
Jason Taylor on Security Testing
Microsoft has a decent article on security testing for CSRF worth checking out. "Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?" Article Link: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
-
Tools: Microsoft Announces Three Tools to help prevent SQL Injection
"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits. At the time…
-
My current stance on Web Application Firewalls
Andre Gironda has posted an interesting take on ‘what web application security really is’. I agree with some of his points however one in particular I’m going to have to disagree with and that related to using Web application firewalls. For many years I’ve been anti Web application firewall and as a general rule I…
-
PCI DSS compliance: Web application firewall or code review?
Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article . Below is the information." I don't usually link to articles like these…
-
Are CAPTCHA’s dead?
"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us. Recently, though, the various most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten pretty reliably good…
-
Web developers, fix thy Flash
"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an…
-
Browser makers focus on reducing malware and phishing
"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the features were part of…
-
Browser Security: I Want A Website Active Content Policy File Standard!
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn’t meant to be…
-
Visual Studio Plugin XSSDetect Available To Detect Cross-Site Scripting In Your Code
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been…
-
Security details of the upcoming Rails 2.0 release
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and Ajax requests, you can…
-
Ruby on Rails Security Cheatsheet
My friend Joren forwarded to me the ror security cheatsheet which is a great central resource for ruby on rails security issues. If you code or are going to perform an audit against an ror application be sure to check this out. Article Link: http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
-
10 tips for securing Apache
"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache Web server protected from…
-
Encrypting .NET configuration files through code
"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections. Encrypting configuration data improves application security by making…
-
HDIV: Struts 2 Security Plugin
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts ( Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confident iality of non editable data and Generic Validations of the Editable Data), maintaining the API and Struts specif…
-
Debugging Application Security Vulnerabilities in Web.config Files
Bryan Sullivan has written an excellent article describing the various secure configuration options in .NET’s Web.config file. If you write ASP.NET applications be sure to check this out. "Some enlightened software architects and developers are becoming educated on these threats to application security and are designing their Web-based applications with security in mind. By "baking…
-
Detect Your Web Application’s Vulnerabilities Early with Ruby
"Web application fuzzing is a method of detecting a web application’s vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application’s security posture. Users also can apply fuzzing to perform tests on several different attack…
-
CGISecurity Article: The Cross-Site Request Forgery FAQ
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please contact us. UPDATE:…
-
Microsoft Anti-Cross Site Scripting Library V1.5 is Released
"For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes…
-
Mod Security as an IPS
One of our readers 'J. Oquendo' "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'. "Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit scan there… Let's build…
-
IE 7 plus Vista security measures stop latest IE 0day
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and which is dangerous? And…
-
Microsoft Research Builds BrowserShield
"With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers. "We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser," Wang said. "We're inserting…
-
Ajax Security Basics Article
"Ajax is considered the next step in a progression towards the trumpeted, "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of relevant approaches and tools needed. The authors will…
-
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
"I really have some good laughs when I tamper with cookies on my machine and watch the results when it is submitted back to the site. On the other hand, I don’t want any one to do the same to the cookies that I make! Cookies, most of the times, shouldn’t be in plain text,…
-
PAPER: Preventing Http Session Fixation Attacks
Zinho Writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)
-
Two new Blind SQL Injection papers released
This week two new papers on blind sql injection have been released. The first paper was released by Webcohort goes into detail on how to detect blind sql injection, and how to carry out an attack. The paper released by Spidynamic's "SPI Labs" covers similar information, but also contains example 'fixes' for ASP.NET, and JSP…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack