Web Security Documentation Library

This page provides a list of every paper in our library. The newer items will be at the top.

If you are searching for a specific advisory or paper, use the search engine in the upper right-hand corner.

Safely Investigating Malicious JavaScript
- Arbor Networks

Exploiting the XmlHttpRequest object in IE Part 2
- Amit Klein

Web Application Footprinting & Assessment with MSN Search Tricks, 2005
- Shreeraj Shah

Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..., September 2005
- Amit Klein

NTLM HTTP Authentication (and possibly other connection-oriented HTTP authentication and authorization protocols) is insecure by design, July 18th 2005
- Amit Klein

HTTP Request Smuggling, 2005 (PDF)
- Watchfire

Common Security Problems in the Code of Dynamic Web Applications
- Sverre H. Huseby

The Insecure Indexing Vulnerability: Attacks Against Local Search Engines, February 28th 2005
- Amit Klein

The 80/20 Rule for Web Application Security - Increase your security without touching the source code, January 31st 2005
- Jeremiah Grossman

Stopping Automated Attack Tools, April 2005
- Gunter Ollmann

Secure programmer: Call components safely How you handle calls and returns is as important as which components you call, Dec 16 2004
- David A. Wheeler

Web Application Security Consortium: Threat Classification, (PDF) 2004
- Web Application Security Consortium (WASC)

Web Application Exposure to Risk: Raising Awareness to Build Confidence and Improve Security, 2004
- NTOBJECTives

Blind XPath Injection, (PDF) 2004
- SanctumInc

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, (PDF) 2004
- SanctumInc

A Corsaire Whitepaper: Cookie Path Best Practice, 2004 (PDF)
- Corsaire

A Corsaire Whitepaper: Application Denial of Service (DoS) Attacks, 2004 (PDF)
- Corsaire

A Corsaire White Paper: Secure Development Framework, 2004 (PDF)
- Corsaire

SQL Injection Signatures Evasion (HTML)
- Imperva

Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics (PDF)
- Sanctuminc

Securing Apache: Step By Step, SANS GIAC - GCUX Practical Assignment (HTML) (ZIP)
- Ryan C. Barnett

LDAP Injection: Are your web applications vulnerable?, July 28th 2003 (Remote Copy)
- SPI LABS

Why HTTPS is not web security, 2001 (HTML)
- Yann Berthier

(more) Advanced SQL Injection, (PDF)
- ngssoftware

HMAP: A technique and Tool For Remote Identification of HTTP Servers, (PDF)
- Dustin William Lee

CRLF Injection, (TXT)
- Ulf Harnhammar

Advanced SQL Injection in SQL Server Applications, (PDF)
- ngssoftware

The Evolution of Cross-Site Scripting Attacks, 2002 (PDF)
- www.idefense.com

Secure Coding Practices for Microsoft .NET Applications, 2003 (PDF)
- Sanctum

Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 MB)
- Microsoft

IBM WebSphere V5.0 Security: WebSphere Handbook Series, 2002 (PDF) (9 MB)
- IBM

IIS Security and Programming Countermeasures, 2003 (PDF)
- Jason Coombs

Application Security Assessments: Advice on Assessing your Custom Application, 2002 (HTML)
- Gunter Ollmann

URL Encoded Attacks: Attacks using the common web browser, 2002 (HTML)
- Gunter Ollmann

Custom HTML Authentication: Best Practices on Securing Custom HTML Authentication Procedures, 2002 (HTML)
- Gunter Ollmann

Web Based Session Management: Best Practices in Managing HTTP Based Client Sessions, 2003 (HTML)
- Gunter Ollmann

Polymorphic Shellcodes vs Application IDSs, 01/21/2002 (PDF)
- www.ngsec.com

Protection against exploitation of Stack and Heap Overflows, April 11th 2003 (PDF)
- Yinrong Huang

Security in the Microsoft .NET Framework: An Analysis by Foundstone, Inc (PDF)
- Foundstone

Best practices for input validation with Active Server Pages (HTML)
- Jerry Connolly

Prevention of the OWASP top 10 in Perl (HTML)
- Daniel Goscomb/www.dcode.net

A brief introduction to secure scripting (PDF)
- www.dcode.net

Session Fixation Vulnerability in Web-based Applications v1.0, December 2002 (PDF)
- ACROS Security

A Comparison between Java and ActiveX Security, 10th October 1997 (HTML)
- David Hopwood

David A. Wheeler's Java Security Tutorial, April 24th, 200 (PDF) PowerPoint (PPT)
- David A. Wheeler

Web Application Disassembly with ODBC Error Messages (DOC)
- David Litchfield

Cross-Site Tracing (XST), January 20th 2003 (PDF)
- Jeremiah Grossman

Weaving a Web of Trust 1997 (HTML)
- Rohit Khare and Adam Rifkin

TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation, Sept 11th 2002 (HTML)
- William Bellamy Jr.

Securing dynamic Web content, Sept 2002 (PDF)
- Tom Syroid

The Future of Web Server Security, Date Unknown (PDF)
- Yona Hollander, PhD

NOTE: This paper has been posted for its information base only, and we in no way promote or support the products mentioned within.

Web Application Security, September 2000 (PDF)
- Eran Reshef/Izhar Bar-Gad

Threat Profiling Microsoft SQL Server, July 20th 2002 (PDF)
- David Litchfield

Web Application Security, 2000 (PDF)
- Eran Reshef

Protecting Web-Based Applications: A META Security Group White Paper, 2002 (PDF)
- Meta Security Group

Internet Application Security, 1999 (PDF)
- Eran Reshef

Anatomy Of A Web Application: Security Consideration, July 2001 (PDF)
- Sanctum/Steve Pettit

Manipulating SQL Server Using SQL Injection, 2002 (PDF)
- Cesar Cerrudo

Introduction to Database and Application Worms, 2002 (PDF)
- www.appsecinc.com (Remote Copy)

Secure Scripting (Local Copy) (PDF)
- Dan Goscomb (Remote Copy)

Search Engines: The Ignored Threat, February 5, 2001 (HTML)
- Paul Heely

Abusing poor programming techniques in webserver scripts V 1.0, 7/23/01 (HTML)
- roses-labs.com

Security Issues in Perl Scripts (HTML)
- Jordan Dimov

Secure Programming in PHP, January 30, 2002 (HTML)
- Thomas Oertli

CGI/Perl Taint Mode FAQ, June 3rd, 1998 (HTML)
- Gunther Birznieks

Web Application Security, July 17th 2002 (PDF) (XSS and SQL Injection Remote Copy)
- Patrice Neff (Local Copy)

Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing, February 4th 2002 (PDF)
- Zishuang (Eileen) Ye, Sean Smith, Dartmouth College

OWASP Building Secure Web Applications and Web Services, June 2002 (PDF) (HTML)
- OWASP (UPDATED SEP 22nd 2002)

Server Based Worms, (PDF)
- sanctuminc

Developing Secure Web Applications, June 2002 (PDF)
- Amit Klein, Izhar Bar-Gad/sanctuminc

Hacking Web Applications Using Cookie Poisoning, 2002 (PDF)
- Amit Klein/sanctuminc

Web Application Forensics: The Uncharted Territory, 2002 (PDF)
- Ory Segal/sanctuminc
Note: This paper has been posted for its information base only, and we in no way promote or support the products mentioned within.

Potential Strategies for High Speed Active Worms: A Worst Case Analysis, March 24th 2002 (PDF)
- Nicholas Weaver/U.C. Berkeley BRASS Group

Assessing IIS Configuration Remotely (Low Level IIS Application Assessment), February 28th 2002 (PDF)
- David Litchfield/ngssoftware

Guidelines on Securing Public Web Servers, February 2002 (PDF)
- Miles Tracy, Wayne Jansen, Mark McLarnon, NIST

Bypassing JavaScript Filters - the Flash! Attack, June 5th 2002 (HTML) (PDF)
- Obscure / EyeonSecurity (HTML Remote Copy)

Against the System: Rise of the Robots, 2001 (TXT)
- Michal Zalewski/Bindview

SQL Insertion, January 2001 (HTML)
- Haroon Meer, SensePost

Security Design Patterns Part 1 v1.4, 11/12/2001 (HTML) (PDF)
- Sasha Romanosky

Cross Site Scripting Vulnerabilities, 2001 (PDF)
- Jason Rafail, CERT Coordination Center

J2EE and .Net security v1.2, 2/12/02 (PDF)
- Ger Mulcahy

Hackproofing Oracle Application Server: A Guide to Securing Oracle 9, 10th January 2002 (PDF)
- David Litchfield (Remote Copy)

SQL Injection: Are Your Web Applications Vulnerable?, 2002 (PDF)
- SPI Dynamics (Remote Copy)

Best Practices For Secure Development v4.03, Oct 2001 (PDF)
- Razvan Peteanu

Security Standards: Sensitive Web-based Applications (HTML)
- Simson Garfinkel and Gene Spafford, O'Reilly & Associates, 1997.

Detecting CGI Script Abuse, Jul 15th 2000 (PDF)
- Advosys Consulting (Remote Copy)

Writing Secure Web Applications, Aug 2001 (PDF)
- Advosys Consulting (Remote Copy)

Preventing HTML form tampering, Aug 2001 (PDF)
- Advosys Consulting (Remote Copy)

A Study in Scarlet: Exploiting Common Vulnerabilities in PHP Applications (TXT) (Spanish) (French)
"A reprint of reminisces from the Blackhat Briefings Asia 2001"
- Shaun Clowes, SecureReality

A Lab engineer's check list for writing secure Unix code, Rev. 3C 5/23/96 (TXT)
- O'Reilly & Associates

Protecting sensitive data in memory, February 2001 (HTML)
- John Viega

Placing Backdoors Through Firewalls v1.5 (TXT)
- van Hauser / THC

The Future Of Internet Worms, July 2001 (PDF)
- Jose Nazario, Jeremy Anderson, Rick Wash, and Chris Connelly

The HTML Form Protocol Attack Version 1.1, 08/18/2001 (PDF)
- Jochen Topf

Brute-Force Exploitation of Web Application Session IDs, November 1, 2001 (PDF)
- David Endler, iDefense

SQL Injection/Insertion Attacks, November 2001 (TXT)
- Roelof Temmingh / Haroon Meer, SensePost

Exploiting and Protecting Oracle Version 1.5, 2001 (PDF)
- pentest (Remote Copy)

Paper to Explore Revealing Clear Text Passwords from the Oracle SGA, 2001 (PDF)
- pentest (Remote Copy)

Some Of Our Papers

Email Archives may allow Distributed Attacks against users and Web servers, October 2001 (TXT)
- www.cgisecurity.com

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures, November 2001 (TXT)
- www.cgisecurity.com

Header Based Exploitation: Web Statistical Software Threats, January 2002 (TXT)
- www.cgisecurity.com

Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two, March 2002
- www.cgisecurity.com

Anatomy of the Web Application Worm, March 2002
- www.cgisecurity.com

The Cross Site Scripting FAQ, May 2002
- www.cgisecurity.com

The Cross Site Request Forgery FAQ
- www.cgisecurity.com