Timothy D. Morgan has published an excellent paper describing How UI limitations hinder adoption of HTTP based authentication How UI behaviors are/can be abused pertaining to HTTP auth Observations on Cookie limitations Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest From the paper...
For over a year in my spare time I've been working on a abuse case against transparent proxies at my employer, and have just released my latest paper '"Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...
"Creating RFPs for security solutions and processing the responses is not an easy task. Having responded to a fair number of such RFPs, I found that many of them are created hastily, and don’t allow the issuer to benefit from quality responses. Here's my list of the top 10 mistakes organizations make...
"Whew! This is our final post in this series on Building a Web Application Security Program (Part 1, Part 2, Part 3, Part 4, Part 5, Part 6, Part 7), and it’s time to put all the pieces together. Here are our guidelines for designing a program that meets the needs of...
The following was sent to the Full Disclosure mailing list last yesterday. "In August 2008 the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure) published the document "Security Assessment of the Internet Protocol". The motivation of the aforementioned document is explained in the Preface of the document itself. (The...
UPDATE: I've added a link to the presentation slides and some other sites providing coverage of this. The following paper was published today at the CCC conference by Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger. "We have identified a vulnerability in the...
"Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model), we interviewed nine executives running top software security programs in order to gather real data from real programs. Our goal is to create a maturity model based on these data, and we're busy working...
David Litchfield has published a new tool and paper on forensics on Oracle Databases. From his email to the Websecurity mailing list. "I've just posted a new tool and paper for Oracle forensics. The tool, orablock, allows a forensic investigator to dump data from a "cold" Oracle data file - i.e. there's...
Romain Guacher to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction. "The purpose of this document is to inform administrators responsible for systems and network security about the configurable security features available in the .NET Framework. To place...
Richard Brain has published a whitepaper on bypassing .NET XSS protection. "The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest [1] setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation...
Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...
"This paper draws attention to how the use of common programming APIs and practices could lead to flaws in the processing of numeric data, which could in-turn allow attackers to manipulate the outcome of transactions or otherwise interfere with the accuracy of calculations. It discusses the technical vulnerabilities typically observed in both...
"HTML forms (i.e. <form>) are one of the features in HTTP that allows users to send data to HTTP servers. An often overlooked feature is that due to the nature of HTTP, the web browser has no way of identifying between an HTTP server and one that is not an HTTP server....
"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering...
Brett Moore has published a great document on how to SQL Inject applications utilizing Microsoft Access. He discusses default tablenames, sandboxing, reading local files and more. There aren't many good papers on attacking MS Access and this is WELL worth the read. From the paper ""MS Access is commonly thought of as...
"A critical part of Web application security is mapping out what's at risk -- a process called threat modelling. The term "threat" modelling is actually a misnomer. It's more like "vulnerability" or "risk" modelling, since we're technically looking at weaknesses and their consequences -- not the actual indication of intent to cause...
Chris Weber has a great writup of the new security changes in IIS7. Here are a few article section highlights * Integrated request processing pipeline and WCF * ASP.NET Integration * Request filtering (replaces URLScan) * IIS7 URL Authorization He even has a nice checklist at the bottom. Guide Link: http://chrisweber.wordpress.com/2007/09/19/iis7-security-guide-for-application-reviews/
Rain Forest Puppy has written an article on vuln disclosure discussing ethics. "simply put: NO MATTER YOUR INTENTIONS, LOOKING FOR SECURITY VULNERABILITIES IN THIRD-PARTY WEB SITES (without permission) IS ILLEGAL PER THE LAWS OF YOUR COUNTRY. Period. That statement is so important, I will repeat it: NO MATTER YOUR INTENTIONS, LOOKING FOR...
UPDATED: It appears the site has expired and no mirror exists. :( daath writes in to tell us about his SQL Injection cheat sheet. "I wrote a MS Access SQL Injection Cheat Sheet. You can find it here : http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html" SQL Injection Cheat Sheet Link: http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
"Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:" Real-time Steganography with RTP PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 Getting out of Jail: Escaping Internet Explorer Protected Mode OS X Kernel-mode Exploitation in a Weekend A Catalog...
"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache Web...
"Couple of days ago one of our readers, Daniel Kluge, pointed us to a web page with some heavily obfuscated JavaScript code. The operation was typical and consisted of a compromised site that had an obfuscated iframe which pointed to the final web site serving various exploits. The obfuscation of the iframe...
"As new technologies emerge and become well established so do threats against those technologies. Blind SQL injection attacks are a well know and recognized form of code injection attack, but there are many other forms, some not so well documented or understood. An emerging code injection attack is the XPath injection attack,...
" Java has long boasted a reputation for being a secure programming language. Lately, however, that reputation has come into question. Java has been accused of being susceptible to cross-site scripting (XSS) and other similar input attacks like SQL injection. Is the security of Java itself getting worse, or is the security...
"DNS-based attacks can be used to perform a partial breach of browser same origin restrictions in some situations, enabling a malicious web site to perform two-way interaction with a different domain. The attacks that are normally conceived against browser-based DNS pinning are capable of being resolved through additional safeguards within browsers. However,...
I've written a new article for The Web Application Security Consortium's Guest Article Project. From the paper "One of the reasons why vulnerabilities are still common-place is because new generations of developers are making the same mistakes. I don't put the majority of the blame on them because they may not know...
The Web Application Security Consortium is proud to present 'The Importance of Application Classification in Secure Application Development' by Rohit Sethi. In this article Rohit describes the importance of Application Classification during the secure development process. Article Link: http://www.webappsec.org/projects/articles/041607.shtml
A very long paper on web application security threats has been released by honeynet.org. If you're curious about web application security this document is a good place to start for the overall picture. "With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services...
"Every website owner needs to reckon with attackers who may try to misuse their site for spam, phishing or other purposes. Web applications which use PHP or other scripting languages are especially vulnerable. Familiarity with common security vulnerabilities and attack methods can, however, help you fend off the bad guys." Article Link:...
Computerworld referenced some research that I had done on RSS Security in an article discussing how RSS and other web based feeds can be used as deployment vectors for malware. For those of you reading this entry coming from an RSS feed, no worries I haven't owned you as it wouldn't be...
Marko writes " I wrote a small paper scratching the surface on logic vulnerabilities." "Most web application auditing papers have concentrated on things like SQL injection, Crosssite Scripting and similar attacks, that are more technical in nature. What I try to accomplish with this small paper and it's examples is to give...
I've written a short blurb on my other site QASEC.com on why using fuzzers in QA can pay off. This is a new site focused on speaking to the various people involved in a development cycle using a language that they are familiar with in short to the point articles. "Fuzzers are...
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments please...
Besides CGISecurity.com I'm involved with my other project QASec.com a new website aimed at teaching security throughout the development cycle with a heavy focus on security testing I've just written an article explaining how Quality Assurance Engineers can include security testing into their test plans. "Part of software testing involves replicating customer...
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link: http://www.webappsec.org/projects/articles/121106.shtml
"Palisade is a monthly online magazine that focuses on application security. In each issue, we discuss topics of current interest in developing and using secure software." I stumbled upon this website by accident and it has quality articles worth checking out. Site Link: http://palisade.plynt.com/
Amit Klein has written another fine paper involving using Flash to send http requests. "Flash player is a very popular browser add-on from Adobe (actually, Flash was invented by Macromedia, which was acquired by Adobe). This write-up covers mostly Flash 7 and Flash 8, together covering more than 94% of the Internet-enabled...
UPDATED: 1/30/06 Response from Author "Just to inform you that the malicious code mentioned to you was actually partly research for the paper. If you take a look at the latest version (with lynx if you like), I now refer to the clipboard issue in issue 3 (this was introduced in 1.2.0...
Amit Klein has written a new article entitled "XST Strikes Back (or perhaps "Return from the Proxy"...)". Whatever the final title may be it outlines how XST vulnerabilities can still exist when a proxy server is in front of the server that an attacker is wishing to launch the attack against. "About...
Dancho Danchev has written an article outlining a few malware trend predictions that is worth checking out. If you're into that sort of thing I wrote an article on web Application Worms that you may also wish to check out. Article Link: http://www.astalavista.com/media/archive1/files/malwaretrends.pdf
A online zine called 'uninformed' has just released issue #3. I gotta say it's worth checking out. Below is the list of the table of contents. * Bypassing PatchGuard on Windows x64 * Windows Kernel-mode Payload Fundamentals * Analyzing Common Binary Parser Mistakes * Attacking NTLM with Precomputed Hashtables * Linux Improvised...
Sitepoint has published an article covering the 7 most common vulnerability types applied to the PHP language as well as configuration options to futher lock down your environment. While I disagree with the structure/actual 7 the article is good and worth checking out. If you're lazy and just want the seven here...
libox.net has released a cross site scripting paper which provides examples of bad php code, and also talks a little bit about automating an attack. Additional papers on XSS can be found in our Cross Site Scripting section. "Cross site scripting (XSS) flaws are a relatively common issue in web application security,...
Joe Lima from Port80 Software Inc. has released an article on IIS Security fundamentals. What IIS Security?
This week two new papers on blind sql injection have been released. The first paper was released by Webcohort goes into detail on how to detect blind sql injection, and how to carry out an attack. The paper released by Spidynamic's "SPI Labs" covers similar information, but also contains example 'fixes' for...
Securityfocus.com has published "Securing MySQL: step-by-step" a guide to locking down your MySQL Server. "MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as easy of use and relatively high performance, MySQL offers simple but very...
Securityfocus.com has released Penetration Testing for Web Applications (Part Three) which talks about Logic programming flaws, Session ID Issues, and mentions a few useful tools that are used for auditing web applications.
I found this interesting article on securityfocus which explains how to use mrtg (a popular traffic monitor tool) to monitor intrusion attempts against a IIS 6.0 machine. "But MRTG is also a very effective intrusion detection tool. The concept is simple: attacks often produce some kind of anomalous pattern and human brains...
"Microsoft Active Directory and Group Policy have a feature-rich set of tools and processes to help save an administrator time and energy in maintaining security within the domain. Locking down a server requires many steps to complete, and depending on the extent to which the server is locked down, it can take...
Microsoft has released a massive 919 page ebook covering everything from how to lock down your web server, web services, web applications, and web application servers. This book is worth a read and I highly recommend it. Improving Web Application Security: Threats and Countermeasures, June 2003 (PDF) (6.7 Meg)
Jason Coombs has released this 440 page e-book on IIS security, and secure programming. Worth a read if you run IIS on a production system.
