-
Attacking PHP weak PRNGs: mt_srand and not so random numbers
Stefan Esser has written a great article on attacking PHP PRNGs. "PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function and the second one is an implementation of the Mersenne Twister pseudo random number generator. Both of these algorithms are seeded by…
-
Tools: Microsoft Announces Three Tools to help prevent SQL Injection
"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of exploits. At the time…
-
PCI DSS compliance: Web application firewall or code review?
Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article. Below is the information." I don't usually link to articles like these…
-
Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers
"There’s been a lot of noise and violent thrashing over the last couple days regarding a flaw that was originally believed to be a flaw in Microsoft’s IIS (Internet Information Server), but has since been pointed out as simply a well thought out SQL Injection attack. For those of you who aren’t familiar with SQL…
-
Are CAPTCHA’s dead?
"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us. Recently, though, the various most popular Captcha implementations have been cracked. Bots with character-recognition ability have gotten pretty reliably good…
-
Web developers, fix thy Flash
"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a specially-crafted Web address, an…
-
Introduction to Adobe AIR Security
AIR is an interesting technology merging the web and desktop based applications on the flash platform. Lucas Adamski from Adobe has published a very good article describing the platform and security concerns I'd advise checking out. While it remains to be seen if AIR is going to be the next big thing, the concepts regarding…
-
Visual Studio Plugin XSSDetect Available To Detect Cross-Site Scripting In Your Code
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the ACE Team has been…
-
Security details of the upcoming Rails 2.0 release
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship with a built-in mechanism for dealing with CSRF attacks. By including a special token in all forms and Ajax requests, you can…
-
Ruby on Rails Security Cheatsheet
My friend Joren forwarded to me the RoR security cheatsheet, which is a great central resource for Ruby on Rails security issues. If you code or are going to perform an audit against a RoR application, be sure to check this out. Article Link: http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
-
New security flaw found in Microsoft’s MFC library
"A new moderately critical vulnerability has been reported that affects two application programming interfaces (APIs) used in Windows XP. The flaw is in the MFC42 and MFC71 libraries that together handle searches across the Windows file system. These interfaces are used by applications that were developed using the Microsoft Foundation Classes libraries, an older set…
-
Encrypting .NET configuration files through code
"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections. Encrypting configuration data improves application security by making…
-
SOAs 6 burning questions
"Traditional application security is "ineffective and unwieldy in a SOA" because identity and access rights — including passwords and privileges — vary widely among applications, West of Saugatuck Technology writes in a research paper released last year. Single sign-on has not proved scalable in large organizations and is complicated by privacy and competitive issues when…
-
HDIV: Struts 2 Security Plugin
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts (Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confidentiality of non editable data and Generic Validations of the Editable Data), maintaining the API and Struts specif…
-
Article: Java security: Is it getting worse?
"Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security of Web applications…
-
Incorrect configuration can open Web sites to application security attacks
Bryan Sullivan has just published "Incorrect configuration can open Web sites to application security attacks", the second half of "Debugging Application Security Vulnerabilities in Web.config Files". I’ve worked with Bryan at SPI Dynamics and he’s a really sharp guy. As a matter of fact I’m helping to peer review an ajax security book he is…
-
Security Development Lifecycle (SDL) Banned Function Calls
Michael Howard has a very good article on the C runtime API calls to avoid when developing C/C++ applications. "When the C runtime library (CRT) was first created about 25 years ago, the threats to computers were different; machines were not as interconnected as they are today, and attacks were not as prevalent. With this in mind,…
-
Article: ASP Session Cookies
Palisade has published an article providing an introduction to cookies in ASP, how session state management works, and expiration handling. Article Link: http://palisade.plynt.com/issues/2007Feb/asp-session-cookies/
-
Building Secure Applications: Consistent Logging
"This article examines the dismal state of application-layer logging as observed from the authors' years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks.…
-
Detect Your Web Application’s Vulnerabilities Early with Ruby
"Web application fuzzing is a method of detecting a web application’s vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application’s security posture. Users also can apply fuzzing to perform tests on several different attack…
-
Stateful Web Application Firewalls with .NET
"A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a stateful WAF (SWAF)."…
-
Ambiguity In Ajax Lockdown Framework
An anonymous user writes "This draft sets focus on the complexities in ajax lockdown for client privacy. The framework is based on the concept of fusing ajax applications with direct web remoting. The stress is laid on the client server communication and the main point of talk is encrypting the client data and decrypting on the…
-
AJAX Lockdown: A new concept of data privacy and security for AJAX-based Web applications using client-side data encryption
"AJAX is definitely taking Web applications to the next level in ease of use and desktop-like user interfaces. And it can even be used to create the secure, privacy-oriented Web applications that are so needed in today’s Web world. AJAX is based on Web browsers endowed with powerful JavaScript engines. In this article I’ll explain…
-
PHP Security From The Inside: An interview with Stefan Esser
"Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache and PHP, the…
-
Exploiting JSON Framework: 7 Attack Shots
Aditya K Sood writes "This article defines the layout of the exploiting factors of web attacks, i.e. where the JSON framework is compromised. The article is consistent in explaining the pros of the web attack related to JSON." Article Link: http://www.zeroknock.metaeye.org/mlabs/expjson.html