Challenges faced by automated web application security assessment tools By Robert Auger (11/11/2006) Introduction There are many challenges that web application security scanners face that are widely known within the industry however may not be so obvious to someone evaluating a product. For starters if you think you can just download, install, and run a…

Disclaimer: This paper is meant for educational use only and should not be used to create, modify, orproduce anything that may damage, or could assist in damaging a computer or network. This paperis theoretical and was not written to give people ideas on creating internet worms, but insteadmake them aware of the dangers worms produce,…

Original Document Location: http://www.cgisecurity.com/xss-faq.html Revised 8/03 Introduction What is Cross Site Scripting? What does XSS and CSS mean? What are the threats of Cross Site Scripting? What are some examples of cross site scripting attacks? Can you show me what cookie theft looks like? What can I do to protect myself as a vendor? What…

In this issue. The future of AV: looking for the good while stopping the bad Eight holes in Windows login controls Extended validation and online security: EV SSL gets the green light Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA Web filtering in a Web 2.0 world RSA Conference…

Below are a list of phishing resources that I’ve gathered that I’ve decided to stick in one central location. If I’m missing a link please let me know by filling out our Contact Form. Sites: Anti-Phishing Working Group "Our mission is to provide a resource for information on the problem and solutions for phishing and…

Code Security and Cracking: Building Security Awareness in .NET Assemblies : Part 1 – Learn to break a .NET Assembly Building Security Awareness in .NET Assemblies : Part 2 – Learn to protect your .NET assemblies from being tampered Building Security Awareness in .NET Assemblies : Part 3 – Learn to break Strong Name .NET…

Misc: Guide to XML Web Services Security (PDF) Getting Started with XML Security, November – 28 – 2002 Enabling XML security: An introduction to XML encryption and XML signature, September 2001 Exploring XML Encryption, Part 1: Demonstrating the secure exchange of structured data, March 2002 Exploring XML Encryption, Part 2: Implement an XML Encryption engine,…

Sun stuff: Sun j2EE Building Biometric Authentication for J2EE, Web, and Enterprise Applications Sun Java 2 Platform Enterprise Edition Specification, v1.3 Java Security API Chronology of security-related bugs and issues, 11/19/02 Low Level Security in Java Java Security FAQ Java security articles: Patterns-Driven Security Design for J2EE Applications and Web Services Security Patterns for J2EE…

"There is no Data, there is only XUL" How this POC works 1. Fires up a new window with my copy of browser.xul modified (This file is sitting on attacker.com) 2. Utilizes the XUL skin to emulate what your browser looks like (nothing more!). 3. Hooks certain js events in XUL skin to perform actions…

Apache Mod_Security IIS URL Scan

News Firefox Zero-Day Code Execution Hoax? Browser Cache: Goodies For Hackers, internetnews Microsoft Defends IE 7’s RSS Security Browser Security News (http://www.browsersecuritynews.com) eWeek Browser Security Section Tools, Downloads and Online Tools Online Browser Security Tester Jasons Browser Security Tests Internet Explorer High Encryption Pack Browser Fun Security Blog and tools Browser Vendor Websites (Get security…

Bea Documentation: Weblogic Vendor Page Official Vendor Security Advisories Introduction to WebLogic Security, BEA Managing WebLogic Security, BEA BEA WebLogic Security Framework: Working with Your Security Eco-System (PDF) WebLogic Server 7.0 Security,BEA WebLogic Web Services Security – A Look Under the Hood, BEA Programming WebLogic Security Locking Down a Production Environment Developing Security Providers for…

IBM resources IBM WebSphere V5.0 Security: WebSphere Handbook Series, 2002 (PDF)(9 megs) (HTML) IBM WebSphere V4.0 Advanced Edition Security (PDF) (HTML) Security Cache properties: Websphere Application Server IBM Websphere Advisory information Known security issues Considerations when developing custom macros General security considerations Misc: WebSphere Production Administration and Security Cross Platform Security using IBM’s Webpshere; take…

Apache Links Tomcat Main Page Tomcat News Tomcat 3.3 CVS Tomcat 4.0 CVS Tomcat 5.0 CVS Misc: Tomcat Security Overview and Analysis Using Tomcat 4 Security Realms JSP Security for Limiting Access to Application-Internal URLs Book Excerpt: Tomcat: The Definitive Guide, Chapter 6 Tomcat Security (PDF) Tutorials: Configuring Tomcat and Apache With JK 1.2 O’Reilly…

Select your server below. * Websphere Security Page * Weblogic Security Page * Tomcat Security Page

Microsoft SQL server vendor links Microsoft SQL Server HomePage This page is up to date with bug fixes, and security updates. This is must have for all Microsoft SQL Server/MSDE administrators. Microsoft SQL Server Service pack 3a Needed to protect yourself from the slammer worm! SQL Server 2000 Security Tools"SQL Server 2000 security tools are…

MySQL vendor links MySQL Reference Manual – Making MySQL Secure Against Attackers MySQL Reference Manual – General Security Issues MySQL Support Forums http://forums.mysql.com MySQL Developer Website http://dev.mysql.com/ Misc Documentation Securing MySQL: step-by-step 08/28/2003 Secure MySQL Database Design 2/18/2003 mysql security – Several steps can be taken to secure the default mysql installation. 08/24/2000 Securing MySQL…

Select your server below. * Oracle Security * MySQL Security * Microsoft SQL Server Security Related Resources: Open database security & monitoring solutions (odsms.org)

Newer Papers Oracle Database Listener Security Guide (PDF) An Introduction to SQL Injection Attacks for Oracle Developers (PDF) Oracle Links: Oracle Technology network: Security Oracle Forums Oracle9iR2: Oracle9iR2 Security page Unbreakable: Oracle’s Commitment to Security (PDF) Oracle9iR2 Privacy Protections (PDF) Secure Configuration Guide for Oracle9iR2 (PDF) Oracle Database vs. IBM DB2 UDB: Focus on Security…

General Questions: About this website What is a False Positive? What is a False Negative? What is a secure site?" What is HTTP TRACE? How do I secure my site? What is a Hacker? What is a Security Fuzzer? Types of Vulnerabilities: What is Cross Site Request Forgery? What is a Command Execution Vulnerability? What…

Apache documentation Apache Security tips (1.3) (2.0) (2.2) suEXEC Support httpd.apache.org/docs/ Download Apache: Main mirror download page How to Chroot apache: Apache chroot mini HOWTO (Note: not in english but provides commands that can be used) (HTML) Chrooting Apache2 howto, October 14th, 2003 (HTML) Misc: Securing Apache: Step By Step, SANS GIAC – GCUX Practical…

Microsoft documentation: Main Microsoft Security Bulletin Page (A must) IIS Security FAQ HOW TO: Install and Use the IIS Security "What If" Tool What’s New in Internet Information Services 6.0 Internet Information Services FAQ Internet Information Services (IIS) Security, (Microsoft resources) Internet Information Server Resource Guide Microsoft Security Tool Kit Microsoft Windows NT 4.0 C2…

Select your server below. IIS Apache