"This article examines the dismal state of application-layer logging as observed from the authors' years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time...
Detect Your Web Application's Vulnerabilities Early with Ruby
"Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application's security posture. Users also can apply fuzzing to perform tests on...
Know your Enemy: Web Application Threats
A very long paper on web application security threats has been released by honeynet.org. If you're curious about web application security this document is a good place to start for the overall picture. "With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services...
Cross-site Request Forgery and Blackhat SEO
I research whitehat and blackhat SEO in my spare time (however not on this domain :), and was thinking about some additional uses for Cross-site Request Forgery from the blackhat SEO perspective. * Publishing/Spamming links: People spamming forums with links is nothing new. By utilizing CSRF on the other hand you could force...
Article: Healthy suspicion Web application security
"Every website owner needs to reckon with attackers who may try to misuse their site for spam, phishing or other purposes. Web applications which use PHP or other scripting languages are especially vulnerable. Familiarity with common security vulnerabilities and attack methods can, however, help you fend off the bad guys." Article Link:...
Automated Scanners vs. Low-Hanging Fruit
Jeremiah Grossman (Whitehat Security) has typed up an entry on automated vulnerability scanning versus humans. If you're in the position to perform an assessment it's worth the read. Article Link: http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html
Read RSS and get hacked
Computerworld referenced some research that I had done on RSS security in an article discussing how RSS and other web-based feeds can be used as deployment vectors for malware. For those of you reading this entry coming from an RSS feed, no worries, I haven't owned you as it wouldn't be...
Security expert: Make vendors liable for bad code
"many users, both at work and at home, aren't motivated to keep up with security because vulnerabilities are often unseen, leaving them unaware that they are risking their own operations -- and the larger global system of networks, Schneier said. "I think things are getting worse, not better," he said. To change...
Decoding Javascript Malware
One of the SANS guys drafted up a quick document on decoding Javascript malware providing four methods. Good read. Article Link: http://handlers.sans.org/dwesemann/decode/index.html
Stateful Web Application Firewalls with .NET
"A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a...
Ambiguity In Ajax Lockdown Framework
An anonymous user writes "This draft sets focus on the complexities in Ajax lockdown for client privacy. The framework is based on the concept of fusing Ajax applications with Direct Web Remoting. The stress is laid on the client-server communication and the main point of talk is encrypting the client data and...
My Visit to the RSA Conference
I really enjoyed going to the RSA Conference this year and meeting up with some old friends and seeing some good talks. I only got to attend for two days, one of which was for 'The Web Application Security Consortium' (I'm a co-founder) get-together (pictures available at the links below)....
Same-Origin Policy Part 1: Why we're stuck with things like XSS and XSRF/CSRF
"The last few years have seen a constant rise in vulnerabilities like cross-site scripting (XSS), HTTP response splitting, and cross-site request forgery (XSRF or CSRF). While the vectors and exploit of each of these vulnerability classes vary, they all have one common thread. Each of these vulnerabilities exploits trust shared between a...
AJAX Lockdown: A new concept of data privacy and security for AJAX-based Web applications using client-side data encryption
"AJAX is definitely taking Web applications to the next level in ease of use and desktop-like user interfaces. And it can even be used to create the secure, privacy-oriented Web applications that are so needed in today's Web world. AJAX is based on Web browsers endowed with powerful JavaScript engines. In this...
PHP Security From The Inside: An interview with Stefan Esser
"Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). Federico Biancuzzi discussed with him how the PHP Security Response Team works, why he resigned from it, what features he plans to add to his own hardening patch, the interaction between Apache...
Web Application Logic Exploitation
Marko writes "I wrote a small paper scratching the surface on logic vulnerabilities." "Most web application auditing papers have concentrated on things like SQL injection, Cross-site Scripting and similar attacks, that are more technical in nature. What I try to accomplish with this small paper and its examples is to give...
MySpace superworm creator sentenced to probation, community service
"The man responsible for unleashing what is believed to be the first self-propagating cross-site scripting worm has pleaded guilty in Los Angeles Superior Court to charges stemming from his most infamous hacking. Samy Kamkar, who was 19 when he unleashed the attack on MySpace.com in October 2005, was sentenced to three years...
CGISecurity Interview with Sullo the Author of Nikto
Nikto is a very popular open source web application security scanner. I emailed the author 'Chris Sullo' asking him about some of his plans, views, and other tool related questions. How long has Nikto been in development and how many people are actively working on it? Although I've had patches and updates...
Using Fuzzers in Software Testing: Identifying Application Risks
I've written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle, using a language that they are familiar with, in short, to-the-point articles. "Fuzzers are...