To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is...
"The open-source ESAPI WAF is a departure from commercial, network-based firewalls, as well as ModSecurity's free WAF, says Arshan Dabirsiaghi, developer of the ESAPI WAF and director of research for Aspect Security. Dabirsiaghi will roll out the WAF at the OWASP Conference in Washington, D.C., in November. "WAFs today are deployed as...
Michael Kirchner and Wolfgang Neudorfer have published 3 advisories in various Web Application Firewall products. Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service) http://www.h4ck1nb3rg.at/wafs/advisory_artofdefence_hyperguard_200907.txt phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution) http://www.h4ck1nb3rg.at/wafs/advisory_phion_airlock_200907.txt radware AppWall Web Application Firewall (Source code disclosure on management...
Ryan Barnett has posted an entry on identifying sessions lacking HTTPOnly and secure cookie flags on modsecurity. "In a previous post I showed how you can use both ModSecurity and Apache together to identify/modify SessionIDs that are missing the HTTPOnly flag. I received some feedback where people were asking how to accomplish...
The author of modsecurity Ivan Ristic has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security who eased concerns that it will remain open source. Based on email conversations with him he will not be leaving the appfirewall...
If you're not familiar with web application attacks, we covered them in detail in a previous column, available here. Also, the Open Web Application Security Project (OWASP) has an abundance of Web application security educational information available on its Web site, including the top 10 most prevalent web application attacks. Combating web...
Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points however one in particular I'm going to have to disagree with and that related to using Web application firewalls. For many years I've been anti Web application firewall and as a...
"A traditional firewall is commonly employed to restrict Web site access to Ports 80 and 443, used for HTTP and Secure Sockets Layer communications, respectively. However, such a device does very little to deter attacks that come over these connections. URL query string manipulations including SQL injection, modification of cookie values, tampering...
Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article . Below is the information." I don't usually link to...
Ivan Ristic has posted his thoughts on the web application firewall market. While Ivan works for a vendor he has been working on mod_security for years and is extremely knowledgeable on the subject. I also interviewed Ivan back in 2006. "There is a long-running tradition in the web application firewall space; every...
"Armorlogic, the Danish web application firewall provider, announces Profenseā¢ Base, the only automated web application firewall available for free. And there is no catch. Free means free for commercial as well as non-commercial use, without time limitation." "ISO images and software licenses are available from www.armorlogic.com." I've never heard of this company...
This is off topic but I'm selling some application firewall domain names. If you're interested please ping me via the contact form. Serious offers only. Domains * www.webappfirewall.com * www.webappfirewall.net * www.webappfirewall.org
"A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, and session management is addressed at the application layer and not at the protocol layer. It is possible to bridge WAF and session objects on the .NET platform to build a...
"Ivan Ristic explains what's hot about the new release Interview ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX...
The Web Application Security Consortium is pleased to announce v1.0 of The Web Application Firewall Evaluation Criteria. WAFEC is a result of a collaboration between web application firewall vendors and independent security professionals to create a comprehensive, vendor-neutral, web application firewall evaluation criteria.
Ivan Ristic Writes "ModSecurity 1.9 FINAL has been released. It is available for immediate download from: http://www.modsecurity.org/download/ After more than a year in development, ModSecurity 1.9 introduces a number of changes that further increase usefulness of this web application security tool. Changes (since 1.8) ------------------- Major enhancements include: * A brand new...
Microsoft has finally released a tool that helps secure your IIS machine. This new tool helps patch, and lockdown IIS from well known holes, as well as helping protect itself from unknown holes. Download it below (NOTE: This is also added to our patch section of this site.) IIS Lockdown Tool
