  • XSS (Cross Site Scripting) Prevention Cheat Sheet

    "This article provides a simple positive model for preventing XSS using output escaping/encoding properly. While there are a huge number of XSS attack vectors, following a few simple rules can completely defend against this serious attack. These rules apply to all the different varieties of XSS. Both reflected and stored XSS can be addressed by…

  • Blackhat 2006 RSS Security Talk Video Available

    In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting.
    Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4
    Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt
    Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf

  • Facebook Fixes User Email Address Leakage

    "Previously, when people typed in a legitimate e-mail address on Facebook's password reset page they got a message either saying that their password had been reset or that an e-mail with instructions on how to reset the password had been sent to their e-mail account, thus providing verification that the e-mail address is legitimate. When…

  • The Safe Math Library

    "The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification which is designed to provide alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promotes safer, more secure programming in C. To recap: The Safe C Library (available for download here) provides bound checking memory and…

  • Protect Your Site With URL Rewriting

    Bryan Sullivan over at Microsoft has published a lengthy article on the advantages of URL rewriting to prevent certain types of attacks. "Tim Berners-Lee once famously wrote that "cool URIs don't change." His opinion was that broken hyperlinks erode user confidence in an application and that URIs should be designed in such a way that…

  • Putting Vulnerabilities in Perspective

    "AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author who has a note of annoyance that Netflix hasn’t completely fixed…

  • Application Security Vendors Need Help With Reporting

    I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on: the type of flaw and what its impact is; the URL affected; links to references and additional…

  • The security industry needs to re-align its training expectations for QA

    I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and conferences discussing the need…

  • Microsoft’s SDL and the CWE/SANS Top 25

    "Bryan here. The security community has been buzzing since SANS and MITRE’s joint announcement earlier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don’t want to get into a debate in this blog about whether this new list will become the new de facto standard for analyzing security…

  • A run down of the major security mailing lists

    Here's a run down of the main mailing lists that I follow. While most of these are known in the security industry, many people who frequent this site are from various backgrounds and may find this list useful. Bugtraq: "BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer…

  • Microsoft Open Sources Web Sandbox

    Sacha writes "Microsoft has announced plans to release the code of its Web Sandbox project under the open source Apache Software License. The Web Sandbox project aims to mitigate some of the security risks that are associated with building Web mashups that mix in untrusted content from third-party sources. The task of isolating untrusted code…

  • Security metrics on flaws detected during architectural review?

    I recently attended a private event where there was a talk on security metrics. Security metrics can be used to determine if action x is reducing risk y. Software security metrics typically involve counting the number of defects discovered over time to see if things are getting better. Most of these metrics involve issues discovered…

  • CWE & SANS TOP 25 Most Dangerous Programming Errors

    “Most of the vulnerabilities that hackers exploit to attack Web sites and corporate servers are usually the result of common and well-understood programming errors. A list of 25 of the most serious such coding errors is scheduled to be released later today by a group of 30 high-profile organizations, including Microsoft, Symantec, the U.S. Department…

  • Facebook, MySpace, Digg, and Ning Discuss Their Architectures

    "Facebook, MySpace, Digg and Ning recently shared their trials and tribulations at the QCon conference in San Francisco, California. Dan Farino, chief systems architect at MySpace.com, said his site started with a very small architecture and scaled out. He focused on monitoring and administration on a Windows network and the challenge of keeping the system…

  • Software [In]security: Software Security Top 10 Surprises

    "Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working on that (stay…

  • Interview: Robert Seacord on the CERT C Secure Coding Standard

    "Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots. I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and UNIX for longer…

  • Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing

    "Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters – mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard, and formalized in RFC…

  • XMLHttpRequest will be more secure in the future

    "Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors. The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/ • prevents creating set-cookie/2 headers via setRequestHeader() in a case insensitive way. (but XHR is free to…

  • Executing scripts with non-english characters

    There is a write up at Coding Insecurity on filtering non-ASCII characters to prevent XSS attacks. "I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead I used double-byte…

  • Budgeting for Web Application Security

    Jeremiah has published an entry on budgeting for web application security in your company. "“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many security professionals face…

  • Microsoft publishes uber patch to address 28 vulnerabilities

    "Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system.…

  • Article: What the NSA thinks of .NET 2.0 Security

    Romain Guacher posted to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction. "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place some of the configuration options…

  • Protecting a Web Application Against Attacks Through HTML Shared Files

    A new whitepaper ‘Protecting a Web Application Against Attacks Through HTML Shared Files’ discusses the risks of user uploaded HTML files. You’ll notice this paper claims to have a ‘patent pending’ for the concept of splitting user uploaded files to another domain with unique identifiers. "Many Web applications have a file-sharing feature that allows…

  • Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks

    Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as…