Web-Form Submission Security
This paper will discuss automated attack methods against web sites utilizing "HTML Forms". An HTML Form is used on web sites requesting data from visitors. Traditionally web sites have been used as a limited medium whereby feedback and user information was requested by email or file uploads. It is now very common to see web sites allowing users to post messages, create accounts, enter information for processing, sign up for mailing lists, vote on topics, etc. All of these are examples of HTML Forms in use.
Read the Article
|
Real World XSS
For those of you who don't know the acronym, XSS stands for Cross-Site Scripting. It is the term that has been given to web pages that can be tricked into displaying web-surfer-supplied data capable of altering the page for the viewer. There are many, many documents on the web detailing XSS and giving generalized book definitions of it; what I haven't seen is a practical approach and example usage outside the bounds of the few default examples usually given. I believe this has made people overlook XSS and not realize its true impact.
Read the Article
|
Reducing browser privileges
Corporate policy that disallows administrator access to desktop machines is still the best approach. However, political issues with "power users" or users in very decentralized networks continue to pose a problem. Additionally, administrators themselves who browse the web are still at risk. Reducing privileges of Internet-facing applications is one approach to reducing that risk.
Read the Article
|
Web Security Coding Tips
Great list of 15 tips to assist with web security!
Read the Article
|
URL Encoded Attacks - Attacks using the common web browser
This document aims to enlighten developers and security administrators on the issues associated with URL encoded attacks. It is also important to note that many of the encoding methods and security implications are applicable to any application accepting data from a client system.
Read the Article
|
Second-order Code Injection: Advanced Code Injection Techniques and Testing Procedures
In some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time. Depending upon the nature of the application and the way the malicious data is stored or rendered, the attacker may be able to conduct a second-order code injection attack.
Read the Article
|
An Overview of Session Hijacking at the Network and Application Levels
The purpose of this paper is to discuss one particularly salient security threat that this creates: session hijacking. It is important to understand this threat and to make an effort to design networks and applications that will be less vulnerable to it. Sensitive user information is stored within each session that is created upon client authentication and hackers are willing to go to great lengths to steal it.
Read the Article
|
Application Firewalls: Don't Forget About Layer 7
I suggest that a web application firewall should exist in your information security toolkit to provide yet another layer of defense. A traditional firewall can be defined as "a means to control what is allowed across some point in a network as a mechanism to enforce policy". (SANS) What exactly is a web application firewall? This innovative technology is much more than a router with rules. It serves as a means to protect the application and its backend data store from malicious attack and inappropriate usage. While it is appropriate to allow a user to use your site, a user should not be allowed to abuse his or her privileges.
Read the Article
|
Authentication and Session Management on the Web
This paper looks at the security concerns specific to websites that have a secure area where users can login. For much of the paper we use the example of Acme Enterprises, a fictitious company that sells generic goods by mail order. The company already has a basic website that provides a catalogue of its products.
Read the Article
|
Domain Footprinting for Web Applications and Web Services
Performing a web application or web services assessment for a client with no prior knowledge of their environment can be a daunting task for the web analyst. It is important to locate and footprint all critical domains running web applications or web services. This paper focuses on domain footprinting and discusses a complete approach to identifying and footprinting all possible domains running web applications or web services.
Read the Article
|