  • Book Review of “Apache Security”

    By Robert Auger Author: Ivan Ristic Pages: 432 Publisher: O’Reilly (March 15, 2005) ISBN: 0596007248 Price: $34.95 Intro This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally this book does discuss how to use mod_security to harden your system, but I’m happy to report it…

  • Challenges faced by automated web application security assessment tools

    Challenges faced by automated web application security assessment tools By Robert Auger (11/11/2006) Introduction There are many challenges that web application security scanners face that are widely known within the industry; however, they may not be so obvious to someone evaluating a product. For starters, if you think you can just download, install, and run a…

  • Anatomy of the Web Application Worm

    Disclaimer: This paper is meant for educational use only and should not be used to create, modify, or produce anything that may damage, or could assist in damaging, a computer or network. This paper is theoretical and was not written to give people ideas on creating internet worms, but instead to make them aware of the dangers worms produce,…

  • Review of “Web Hacking: Attacks and defense”

    Review of “Web Hacking: Attacks and defense” By [email protected] Review Revision: 10/02 (Darn typo) Authors: Stuart McClure, Saumil Shah, and Shreeraj Shah Pages: 492 Publisher: Addison-Wesley ISBN: 0201761769 Price: $49.99 Listed, although I find most places charge $35.00 Summary: Web Application Hacking Intro I first heard of this book on amazon.com on a Monday morning, and…

  • The Cross-Site Scripting (XSS) FAQ

    Original Document Location: http://www.cgisecurity.com/xss-faq.html Revised 8/03 Introduction What is Cross Site Scripting? What does XSS and CSS mean? What are the threats of Cross Site Scripting? What are some examples of cross site scripting attacks? Can you show me what cookie theft looks like? What can I do to protect myself as a vendor? What…

  • Insecure Magazine #19 Released

    In this issue. The future of AV: looking for the good while stopping the bad Eight holes in Windows login controls Extended validation and online security: EV SSL gets the green light Interview with Giles Hogben, an expert on identity and authentication technologies working at ENISA Web filtering in a Web 2.0 world RSA Conference…

  • Phishing and Security

    Below is a list of phishing resources that I’ve gathered and decided to put in one central location. If I’m missing a link, please let me know by filling out our Contact Form. Sites: Anti-Phishing Working Group "Our mission is to provide a resource for information on the problem and solutions for phishing and…

  • .NET (dotnet) Security

    Code Security and Cracking: Building Security Awareness in .NET Assemblies : Part 1 – Learn to break a .NET Assembly Building Security Awareness in .NET Assemblies : Part 2 – Learn to protect your .NET assemblies from being tampered Building Security Awareness in .NET Assemblies : Part 3 – Learn to break Strong Name .NET…

  • XML Security

    Misc: Guide to XML Web Services Security (PDF) Getting Started with XML Security, November – 28 – 2002 Enabling XML security: An introduction to XML encryption and XML signature, September 2001 Exploring XML Encryption, Part 1: Demonstrating the secure exchange of structured data, March 2002 Exploring XML Encryption, Part 2: Implement an XML Encryption engine,…

  • Java Security

    Sun stuff: Sun J2EE Building Biometric Authentication for J2EE, Web, and Enterprise Applications Sun Java 2 Platform Enterprise Edition Specification, v1.3 Java Security API Chronology of security-related bugs and issues, 11/19/02 Low Level Security in Java Java Security FAQ Java security articles: Patterns-Driven Security Design for J2EE Applications and Web Services Security Patterns for J2EE…

  • XUL Browser Overlay Demo

    "There is no Data, there is only XUL" How this POC works 1. Fires up a new window with my copy of browser.xul modified (This file is sitting on attacker.com) 2. Utilizes the XUL skin to emulate what your browser looks like (nothing more!). 3. Hooks certain js events in XUL skin to perform actions…

  • Application Firewalls

    Apache Mod_Security IIS URL Scan

  • Browser Security

    News Firefox Zero-Day Code Execution Hoax? Browser Cache: Goodies For Hackers, internetnews Microsoft Defends IE 7’s RSS Security Browser Security News (http://www.browsersecuritynews.com) eWeek Browser Security Section Tools, Downloads and Online Tools Online Browser Security Tester Jasons Browser Security Tests Internet Explorer High Encryption Pack Browser Fun Security Blog and tools Browser Vendor Websites (Get security…

  • BEA Weblogic Security

    BEA Documentation: WebLogic Vendor Page Official Vendor Security Advisories Introduction to WebLogic Security, BEA Managing WebLogic Security, BEA BEA WebLogic Security Framework: Working with Your Security Eco-System (PDF) WebLogic Server 7.0 Security, BEA WebLogic Web Services Security – A Look Under the Hood, BEA Programming WebLogic Security Locking Down a Production Environment Developing Security Providers for…

  • IBM Websphere Security

    IBM resources IBM WebSphere V5.0 Security: WebSphere Handbook Series, 2002 (PDF) (9 MB) (HTML) IBM WebSphere V4.0 Advanced Edition Security (PDF) (HTML) Security Cache properties: WebSphere Application Server IBM WebSphere Advisory information Known security issues Considerations when developing custom macros General security considerations Misc: WebSphere Production Administration and Security Cross Platform Security using IBM’s WebSphere; take…

  • Apache Tomcat Security

    Apache Links Tomcat Main Page Tomcat News Tomcat 3.3 CVS Tomcat 4.0 CVS Tomcat 5.0 CVS Misc: Tomcat Security Overview and Analysis Using Tomcat 4 Security Realms JSP Security for Limiting Access to Application-Internal URLs Book Excerpt: Tomcat: The Definitive Guide, Chapter 6 Tomcat Security (PDF) Tutorials: Configuring Tomcat and Apache With JK 1.2 O’Reilly…

  • Application Server Security

    Select your server below. * Websphere Security Page * Weblogic Security Page * Tomcat Security Page

  • Microsoft SQL Server Security

    Microsoft SQL Server vendor links Microsoft SQL Server HomePage This page is up to date with bug fixes and security updates. This is a must-have for all Microsoft SQL Server/MSDE administrators. Microsoft SQL Server Service Pack 3a Needed to protect yourself from the Slammer worm! SQL Server 2000 Security Tools "SQL Server 2000 security tools are…

  • MySQL Security

    MySQL vendor links MySQL Reference Manual – Making MySQL Secure Against Attackers MySQL Reference Manual – General Security Issues MySQL Support Forums http://forums.mysql.com MySQL Developer Website http://dev.mysql.com/ Misc Documentation Securing MySQL: step-by-step 08/28/2003 Secure MySQL Database Design 2/18/2003 mysql security – Several steps can be taken to secure the default mysql installation. 08/24/2000 Securing MySQL…

  • Database Security

    Select your server below. * Oracle Security * MySQL Security * Microsoft SQL Server Security Related Resources: Open database security & monitoring solutions (odsms.org)

  • Oracle Security

    Newer Papers Oracle Database Listener Security Guide (PDF) An Introduction to SQL Injection Attacks for Oracle Developers (PDF) Oracle Links: Oracle Technology network: Security Oracle Forums Oracle9iR2: Oracle9iR2 Security page Unbreakable: Oracle’s Commitment to Security (PDF) Oracle9iR2 Privacy Protections (PDF) Secure Configuration Guide for Oracle9iR2 (PDF) Oracle Database vs. IBM DB2 UDB: Focus on Security…

  • Frequently Asked Web Security Questions

    General Questions: About this website What is a False Positive? What is a False Negative? What is a secure site? What is HTTP TRACE? How do I secure my site? What is a Hacker? What is a Security Fuzzer? Types of Vulnerabilities: What is Cross Site Request Forgery? What is a Command Execution Vulnerability? What…

  • Apache Security

    Apache documentation Apache Security tips (1.3) (2.0) (2.2) suEXEC Support httpd.apache.org/docs/ Download Apache: Main mirror download page How to Chroot Apache: Apache chroot mini HOWTO (Note: not in English, but provides commands that can be used) (HTML) Chrooting Apache2 howto, October 14th, 2003 (HTML) Misc: Securing Apache: Step By Step, SANS GIAC – GCUX Practical…

  • IIS Security

    Microsoft documentation: Main Microsoft Security Bulletin Page (A must) IIS Security FAQ HOW TO: Install and Use the IIS Security "What If" Tool What’s New in Internet Information Services 6.0 Internet Information Services FAQ Internet Information Services (IIS) Security, (Microsoft resources) Internet Information Server Resource Guide Microsoft Security Tool Kit Microsoft Windows NT 4.0 C2…

  • Webserver Security

    Select your server below. IIS Apache