  • Request for Comments

    Welcome to the RFC section of this site. I have collected a few RFCs that I thought may be useful to some people. No, I haven’t read all of these; I have a life 🙂 If I have left out something, contact us to let us know. RFC 1867: Form-based File Upload in HTML RFC…

  • Our Security Advisories

    8/2006 Multiple RSS Readers Vulnerable I gave a presentation at 2006 Blackhat Vegas about RSS and Atom Vulnerabilities. At this talk I released a list of vulnerable readers along with a whitepaper. Link: SharpReader Atom Feed Script HTML Injection Vulnerability Link: RSSReader RSS Feeds Atom Feed Multiple HTML Injection Vulnerabilities Link: RSSOwl Atom Feed Script…

  • Web Security Documentation Library

    This page provides a list of every paper in our library. The newer items will be at the top. If you are searching for a specific advisory or paper, use our search engine in the upper right-hand corner! Safely Investigating Malicious JavaScript – Arbor Networks Exploiting the XmlHttpRequest object in IE Part 2 –…

  • Web Application Penetration Testing

    This section provides information for penetration testers. Some of this content is in other sections of this website already (the library). I just created this page as a quick reference. Please, if you feel that I’ve missed an important link or document (or you just feel like chatting 🙂), email me. The best way…

  • Article: Be aware of SOA application security issues

    "Extensible Markup Language (XML), Web services, and service-oriented architecture (SOA) are the latest craze in the software development world. These buzzwords burn particularly bright in large enterprises with hundreds or thousands of systems that were developed independently. If these disparate systems can be made to work together using open standards, a tremendous amount of time,…

  • Identifying browsed pages behind SSL via packet size monitoring

    The following article was posted to The Web Security Mailing List earlier today. "Recently, the world saw The Pirate Bay offering SSL encryption on their server. This means that your ISP won’t know anymore which torrent you are downloading, right? Wrong. HTTPS is quite useless for protecting static and public content. By static, I do…

  • CGISecurity FAQ

    1. What is CGISecurity? CGISecurity was founded in 2000, making it the oldest application security news site on the web. It focuses on the aspects required to secure your site from the ground up. 2. When is your next advisory coming out? I’ve decided to stop releasing advisories. That is all. 3. Is your…

  • Phishing and Security

    Below is a list of phishing resources that I’ve gathered and decided to stick in one central location. If I’m missing a link, please let me know by filling out our Contact Form. Sites: Anti-Phishing Working Group "Our mission is to provide a resource for information on the problem and solutions for phishing and…

  • Microsoft URLscan Web Application Firewall (WAF)

    URLScan is a plug-in to IIS that allows for request-based filtering (not signature-based) of incoming requests. By enabling some of these filters it is possible to prevent exploitation of known, or new unpublished, vulnerabilities. Additional information on ‘Web Application Firewalls’ can be found in our What is a Web Application Firewall FAQ…

  • Mod Security Web Application Firewall (WAF)

    ModSecurity is a plug-in module for the Apache webserver that allows for request-based filtering of incoming requests. By enabling some of these filters it is possible to prevent exploitation of known, or new unpublished, vulnerabilities. ModSecurity also supports signature-based rules, which allow you to write your own custom signatures. Ivan Ristic, the author…

  • AJAX (Asynchronous Javascript and XML) Security

    Last Update: June 28th News Is Web 2.0 Safe? Developers warned to secure AJAX design (4/4/07) Web 2.0 Apps Vulnerable to Attack (4/4/07) The security risk in Web 2.0 Ajax Security Vulnerabilities Could Pose Serious Risk, foxnews Worm wriggles through Yahoo mail flaw JavaScript Worm Targets Yahoo AJAX Experts Tackle Security, Other Issues AJAX Security…

  • Web 2.0 RSS (Really Simple Syndication), Atom, and Feed Security and Hacking

    Below is a collection of resources that I’ve gathered and decided to stick in one central location. If I’m missing a link, please let me know by filling out our Contact Form. Articles Vulnerability Scanning Web 2.0 Client-Side Components 08/08/06 Microsoft Team RSS Blog discusses more RSS Risks Feed Injection In Web 2.0: Hacking…

  • Web service (XML-RPC, SOAP, SOA) security documentation

    Specifications: Specification: Web Services Security (WS-Security) (PDF) (HTML) Web Services Glossary, W3C Working Draft 14 November 2002 Web Services Security (WS-Security) Version 1.0, April 5, 2002 (PDF) Web Services Specifications Web Services Security Kerberos Binding (PDF) Web Services Security XrML Token Binding (PDF) Web Services Architecture Requirements, 01 April 2002 Misc: Microsoft .NET Web Services…

  • This page contains references to things CGISecurity.com has been involved with. * http://www.webappsec.org I co-founded the Web Application Security Consortium with Jeremiah Grossman in 2004. * http://www.webappsec.org/lists/websecurity/ I am the lead moderator for ‘The Web Security Mailing List’. * www.net-security.org/article.php?id=91 This is an article I helped review content for, including making some changes, and…

  • Coming soon

    You’ve reached a section that isn’t completed yet. If you have any comments or suggestions for this section Contact us!

  • Privacy Policy

    We reserve the right to monitor your activity on this site. If you have concerns or questions please contact us.

  • Insecure Mag #18 published

    Insecure magazine #18 was just released. Here is a list of some of the articles within it. Network and information security in Europe today Browser security: bolt it on, then build it in Passive network security analysis with NetworkMiner Lynis – an introduction to UNIX system auditing Windows driver vulnerabilities: the METHOD_NEITHER odyssey Removing software…

  • The Cross-Site Request Forgery (CSRF/XSRF) FAQ

    By Robert Auger v1.62 (Last Modified: 4/28/10) About What is Cross Site Request Forgery? Who discovered CSRF? What can be done with CSRF? Is CSRF and Cross-site Scripting the same thing? What are common ways to perform a CSRF attack? Is this vulnerability limited to browsers? Can applications using only POST be vulnerable? How do…

  • Security Books

  • CGISecurity Advertising

    I am currently offering advertising for the following product and service categories. These ads will appear in the Sponsored Ad box on the right and/or under the left menu. * Job Postings by recruiters * Web Application Firewall Products * Educational Institutions * Security Scanning Products * Conference Vendors * Database Security Products * Web…

  • My Resume

    If you want a copy of my resume please submit a request using the form below.

  • Web Application Security Services

    Concerned about vulnerabilities in your website such as Cross-site Scripting (XSS), SQL Injection, or Cross-site Request Forgery? We offer the following professional services to help identify these and other common web application vulnerabilities. – Web Application Review – External Black Box Penetration Testing – White Box Security Assessment – Security Architecture Review – Security…

  • Links

    Good reading: http://www.w3.org/Security/Faq/ Best overall paper on WWW security issues. www.webappsec.org The Web Application Security Consortium (WASC) homepage. They are starting some really exciting projects, so be sure to check it out. http://www.cert.org/tech_tips/cgi_metacharacters.html Paper on removing meta-characters from user-supplied data in CGI scripts. Understanding Malicious Content Mitigation for Web Developers Good paper on XSS…

  • Contact Us

    Found a bug or have some feedback? Let us know by filling out the form below. I can also be found on irc.freenode.net in #webappsec.

  • About

    I created this website in 2000 to provide information on web security issues, making CGISecurity.com the oldest application security site on the internet. Since then this site has expanded to cover Database Security, Web Server Security, Web Application Security, HTTP, Web Services Security, and more. Some features of this site include bringing our users up…