Last 50 'Articles' Tagged Posts

Weaning the Web off of Session Cookies: Making Digest Authentication Viable

Timothy D. Morgan has published an excellent paper describing:
* How UI limitations hinder adoption of HTTP-based authentication
* How UI behaviors are/can be abused pertaining to HTTP auth
* Observations on cookie limitations
* Proposals for browser vendors to allow for more widescale adoption of HTTP-based auth such as digest
From the paper...

Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse

For over a year in my spare time I've been working on an abuse case against transparent proxies at my employer, and have just released my latest paper "Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...

Crafting a Security RFP

"Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses. Here's my list of the top 10 mistakes organizations make...

Building a Web Application Security Program, Part 8: Putting It All Together

"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of...

Article: Security Assessment of the Internet Protocol

The following was sent to the Full Disclosure mailing list yesterday. "In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure) published the document "Security Assessment of the Internet Protocol". The motivation of the aforementioned document is explained in the Preface of the document itself. (The...

MD5 considered harmful today: Creating a rogue CA certificate

UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...

Software [In]security: Software Security Top 10 Surprises

"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...

Oracle Forensics Part 7: Using the Oracle System Change Number in Forensic Investigations

David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list. "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's...

Article: What the NSA thinks of .NET 2.0 Security

Romain Gaucher wrote to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction. "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place...

Whitepaper: Bypassing ASP .NET “ValidateRequest” for Script Injection Attacks

Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation...

Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud

The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...

Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)

"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations. It discusses the technical vulnerabilities typically observed in both...

Paper: The Extended HTML Form attack revisited

"HTML forms (i.e. <form>) are one of the features in HTTP that allow users to send data to HTTP servers. An often overlooked feature is that due to the nature of HTTP, the web browser has no way of identifying between an HTTP server and one that is not an HTTP server....

Article: Quick tips for Web application security

"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering...

Whitepaper: Access through access by Brett Moore, attacking Microsoft Access

Brett Moore has published a great document on how to SQL inject applications utilizing Microsoft Access. He discusses default table names, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper "MS Access is commonly thought of as...

The essentials of Web application threat modeling

"A critical part of Web application security is mapping out what's at risk -- a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences -- not the actual indication of intent to cause...

IIS7 short Security Guide by Chris Weber

Chris Weber has a great write-up of the new security changes in IIS7. Here are a few article section highlights:
* Integrated request processing pipeline and WCF
* ASP.NET Integration
* Request filtering (replaces URLScan)
* IIS7 URL Authorization
He even has a nice checklist at the bottom. Guide Link: http://chrisweber.wordpress.com/2007/09/19/iis7-security-guide-for-application-reviews/

The new security disclosure landscape

Rain Forest Puppy has written an article on vuln disclosure discussing ethics. "simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR...

MS Access SQL Injection Cheat Sheet

UPDATED: It appears the site has expired and no mirror exists. :( daath writes in to tell us about his SQL Injection cheat sheet. "I wrote a MS Access SQL Injection Cheat Sheet. You can find it here : http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html" SQL Injection Cheat Sheet Link: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html

Uninformed Journal Release Announcement: Volume 8

"Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:"
* Real-time Steganography with RTP
* PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
* Getting out of Jail: Escaping Internet Explorer Protected Mode
* OS X Kernel-mode Exploitation in a Weekend
* A Catalog...

10 tips for securing Apache

"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache Web...

Raising the bar: dynamic JavaScript obfuscation

"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe...

Avoid the dangers of XPath injection

"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well known and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack,...

Article: Java security: Is it getting worse?

"Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security...

Paper: DNS Pinning and Web Proxies

"DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However,...

Article: The business case for security frameworks

I've written a new article for The Web Application Security Consortium's Guest Article Project. From the paper "One of the reasons why vulnerabilities are still common-place is because new generations of developers are making the same mistakes. I don't put the majority of the blame on them because they may not know...

WASC-Articles: 'The Importance of Application Classification in Secure Application Development'

The Web Application Security Consortium is proud to present 'The Importance of Application Classification in Secure Application Development' by Rohit Sethi. In this article Rohit describes the importance of Application Classification during the secure development process. Article Link: http://www.webappsec.org/projects/articles/041607.shtml

Know your Enemy: Web Application Threats

A very long paper on web application security threats has been released by honeynet.org. If you're curious about web application security this document is a good place to start for the overall picture. "With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services...

Article: Healthy suspicion Web application security

"Every website owner needs to reckon with attackers who may try to misuse their site for spam, phishing or other purposes. Web applications which use PHP or other scripting languages are especially vulnerable. Familiarity with common security vulnerabilities and attack methods can, however, help you fend off the bad guys." Article Link:...

Read RSS and get hacked

Computerworld referenced some research that I had done on RSS Security in an article discussing how RSS and other web based feeds can be used as deployment vectors for malware. For those of you reading this entry coming from an RSS feed, no worries I haven't owned you as it wouldn't be...

Web Application Logic Exploitation

Marko writes "I wrote a small paper scratching the surface on logic vulnerabilities." "Most web application auditing papers have concentrated on things like SQL injection, Cross-site Scripting and similar attacks, that are more technical in nature. What I try to accomplish with this small paper and its examples is to give...

Using Fuzzers in Software Testing: Identifying Application Risks

I've written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle, using a language that they are familiar with, in short, to-the-point articles. "Fuzzers are...

CGISecurity Article: The Cross-Site Request Forgery FAQ

The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please...

Writing Software Security Test Cases: Putting security test cases into your test plan

Besides CGISecurity.com, I'm involved with my other project, QASec.com, a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing. I've just written an article explaining how Quality Assurance Engineers can include security testing in their test plans. "Part of software testing involves replicating customer...

WASC-Announcement: Capturing and Exploiting Hidden Mail Servers

The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link: http://www.webappsec.org/projects/articles/121106.shtml

Palisade Articles on Web Application Security

"Palisade is a monthly online magazine that focuses on application security. In each issue, we discuss topics of current interest in developing and using secure software." I stumbled upon this website by accident and it has quality articles worth checking out. Site Link: http://palisade.plynt.com/

Forging HTTP request headers with Flash

Amit Klein has written another fine paper involving using Flash to send http requests. "Flash player is a very popular browser add-on from Adobe (actually, Flash was invented by Macromedia, which was acquired by Adobe). This write-up covers mostly Flash 7 and Flash 8, together covering more than 94% of the Internet-enabled...

Misunderstanding Javascript injection: A paper on web application abuse via Javascript injection

UPDATED: 1/30/06 Response from Author "Just to inform you that the malicious code mentioned to you was actually partly research for the paper. If you take a look at the latest version (with lynx if you like), I now refer to the clipboard issue in issue 3 (this was introduced in 1.2.0...

XST Strikes Back (or perhaps "Return from the Proxy"...)

Amit Klein has written a new article entitled "XST Strikes Back (or perhaps "Return from the Proxy"...)". Whatever the final title may be it outlines how XST vulnerabilities can still exist when a proxy server is in front of the server that an attacker is wishing to launch the attack against. "About...

Malware Future Trends

Dancho Danchev has written an article outlining a few malware trend predictions that is worth checking out. If you're into that sort of thing I wrote an article on web Application Worms that you may also wish to check out. Article Link: http://www.astalavista.com/media/archive1/files/malwaretrends.pdf

Uninformed Online Zine #3 Released

An online zine called 'uninformed' has just released issue #3. I gotta say it's worth checking out. Below is the table of contents.
* Bypassing PatchGuard on Windows x64
* Windows Kernel-mode Payload Fundamentals
* Analyzing Common Binary Parser Mistakes
* Attacking NTLM with Precomputed Hashtables
* Linux Improvised...

Top 7 PHP Security Blunders

Sitepoint has published an article covering the 7 most common vulnerability types applied to the PHP language as well as configuration options to further lock down your environment. While I disagree with the structure/actual 7, the article is good and worth checking out. If you're lazy and just want the seven here...

"The Anatomy of Cross Site Scripting" Paper released

libox.net has released a cross site scripting paper which provides examples of bad PHP code, and also talks a little bit about automating an attack. Additional papers on XSS can be found in our Cross Site Scripting section. "Cross site scripting (XSS) flaws are a relatively common issue in web application security,...

"What is IIS Security?"

Joe Lima from Port80 Software Inc. has released an article on IIS Security fundamentals. What is IIS Security?

Two new Blind SQL Injection papers released

This week two new papers on blind SQL injection have been released. The first paper, released by Webcohort, goes into detail on how to detect blind SQL injection, and how to carry out an attack. The paper released by SPI Dynamics' "SPI Labs" covers similar information, but also contains example 'fixes' for...

Securing MySQL: step-by-step

Securityfocus.com has published "Securing MySQL: step-by-step", a guide to locking down your MySQL Server. "MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as ease of use and relatively high performance, MySQL offers simple but very...

Penetration Testing for Web Applications (Part Three)

Securityfocus.com has released Penetration Testing for Web Applications (Part Three) which talks about Logic programming flaws, Session ID Issues, and mentions a few useful tools that are used for auditing web applications.

MRTG for Intrusion Detection with IIS 6

I found this interesting article on securityfocus which explains how to use mrtg (a popular traffic monitoring tool) to monitor intrusion attempts against an IIS 6.0 machine. "But MRTG is also a very effective intrusion detection tool. The concept is simple: attacks often produce some kind of anomalous pattern and human brains...

Basic IIS Lockdown Using Scripts and Group Policy

"Microsoft Active Directory and Group Policy have a feature-rich set of tools and processes to help save an administrator time and energy in maintaining security within the domain. Locking down a server requires many steps to complete, and depending on the extent to which the server is locked down, it can take...

Microsoft released Ebook on web security

Microsoft has released a massive 919 page ebook covering everything from how to lock down your web server to web services, web applications, and web application servers. This book is worth a read and I highly recommend it. Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 MB)

IIS Security and Programming Countermeasures e-book released

Jason Coombs has released this 440 page e-book on IIS security, and secure programming. Worth a read if you run IIS on a production system.