"Robert C. Seacord and David Chisnall discuss the CERT C Secure Coding standard, developing C standards, and the future of the language and its offshoots.I recently had the opportunity to interview Robert Seacord, author of the recently-published The CERT C Secure Coding Standard. Robert has been deeply involved with C and...
"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard,...
"CAT.NET - Community Technology Preview CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by...
The author of modsecurity Ivan Ristic has decided to leave Breach Security, the company that retains the rights for modsecurity. I interviewed Ivan in 2006 about the sale of Mod_security who eased concerns that it will remain open source. Based on email conversations with him he will not be leaving the...
There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks."I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead...
Jeremiah has published an entry on budgeting for web application security in your company."“Budgeting” is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many...
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. "Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting(XSS) filter. This version also includes a new object that...
Romain Guacher to the SC-L mailing list that the NSA has published a massive 298 page unclassified document on .NET 2.0 security. From the introduction."The purpose of this document is to inform administrators responsible for systems andnetwork security about the configurable security features available in the .NET Framework.To place some of...
"On Oct. 14, 2008, Microsoft added another piece of information to the bulletin summary to better help customers with their risk assessment process: the Exploitability Index. This section is a brief overview to explain how customers can integrate the Exploitability Index with the Severity Rating system into their own risk assessment...
"An operating system used in military fighter planes has raised the bar for system security as a new commercial offering, after receiving the highest security rating by a National Security Agency (NSA)-run certification program. Green Hills Software announced that its Integrity-178B operating system was certified as EAL6+ and that the company...
Microsoft has a blog entry on their mentality/process on banning certain API calls to improve their software's security. "Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement...
Michal Zalewski of google has posted a proposal on browser security enhancements to the whatwg mailing list. "I am posting here on the advice of Ian Hickson; I'm new to the list, so please forgive me if any of this brings up long-dismissed concepts; hopefully not.For a couple of months now,...
"This document defines a mechanism to enable client-side cross-site requests. Specifications that want to enable cross-site requests in an API they define can use the algorithms defined by this specification. If such an API is used on http://example.org resources, a resource on http://hello-world.example can opt in using the mechanism described by...
An anonymous user writes "In his previous blog post, Sacha provided an updated list of the asp.net control html encoding information. He now integrated the content into FXCop to help quickly identify spots in asp.net binaries that should be reviewed for XSS issues." Read more: http://blogs.msdn.com/sfaust/archive/2008/09/18/fxcop-htmlspotter-spotting-asp-net-xss-using-fxcop-and-html-encoding-document.aspx
Motley fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are...
"ViewStateUserKey is not a completely effective mitigation against Cross-Site Request Forgery. It doesn't work for non post-backs (I.e. GET requests), and it doesn't work if the ViewState MAC is turned off. In several different places, we see a piece of advice repeated - use the ViewStateUserKey property to prevent One-Click Attacks....
Microsoft has posted an article on what real world XSS vulnerable code looks like in ASP.NET applications. Handy if you develop asp.net or audit it for issues. "From couple of weeks we have been seeing some XSS vulnerabilities in asp.net code. Today I wanted to show you guys some real world...
In addition to running CGISecurity I also participate heavily in The Web Application Security Consortium and its projects. I sent the following email to The Web Security Mailing List seeking participants for v2 of the WASC Threat Classification document. "I'm sending this email to the list seeking people to contribute towards...
"Last time we saw how to fix a cross site scripting (XSS) vulnerability. This time we look at how we can detect cross site scripting vulnerabilities using automated tools. Being the most common vulnerability found in web applications, it is very important to detect and mitigate XSS vulnerabilities early in development...
Bryan Sullivan from Microsoft has posted an article on SDL use to secure web applications. "The Security Development Lifecycle (SDL) team recently released details of the SDL process that has been so successful in helping to make Microsoft products more secure. You can find these documents at microsoft.com/sdl. As you read...
Sacha Faust has just published a grid mapping which asp.net controls automatically perform html entity output encoding when used. Link: http://blogs.msdn.com/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx Grid: http://blogs.msdn.com/sfaust/attachment/8918996.ashx
"The next version of Adobe Flash Player will offer a variety of new features and enhancements as well as some changes to the current behavior of Flash Player. Some of these changes may require existing content to be updated to comply with stricter security rules. Other changes introduce new abilities that...
Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin - protocol, domain, and port don't all match - you aren't allowed to access information from or send requests to the other site. Without this simple rule, there would...
Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases....
"All web applications allow some form of rich data, but that rich data has become a key part of Web 2.0. Data is "rich" if it allows markup, special characters, images, formatting, and other complex syntax. This richness allows users create new and innovative content and services. Unfortunately, richness affords attackers...
Microsoft has a decent article on security testing for CSRF worth checking out. "Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?" Article Link: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
"On Tuesday, Microsoft issued new tools to assist Microsoft ASP and ASP.NET technologies against recent Web-based attacks. In April attackers went after Microsoft SQL sites by injecting malicious JavaScript onto legitimate sites. The JavaScript would direct a browser to a server hosting malicious software infecting the desktop with a variety of...
Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points however one in particular I'm going to have to disagree with and that related to using Web application firewalls. For many years I've been anti Web application firewall and as...
Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article . Below is the information." I don't usually link...
"For the last few years, Captcha, the Completely Automated Public Turing test to tell Computers and Humans Apart, has been one of our main lines of defense against the machines that want to impersonate us. Recently, though, the various most popular Captcha implementations have been cracked. Bots with character-recognition ability have...
"While software makers have taken steps to close the security holes, Web site owners continue to host older files created by older authoring programs that are vulnerable to cross-site scripting (XSS) attacks, Rich Cannings, information security engineer of search giant Google, told security professionals attending the conference on Wednesday. Using a...
"Microsoft unveiled two security features that will debut in the next version of its browser, Internet Explorer 8: the Safety Filter, which warns users of potentially malicious Web activity, and domain highlighting, which uses bold text to highlight the real domain of any Web site. The software giant stressed that the...
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and...
"One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug. It's very common and unfortunately, still an issue we have to deal with in many web applications. Internally, the...
"Making it even easier to create secure applications out of the box is always a pleasure and with Rails 2.0 we’re doing it from a number of fronts. Most importantly, we now ship we a built-in mechanism for dealing with CRSF attacks. By including a special token in all forms and...
My friend Joren forwarded to me the ror security cheatsheet which is a great central resource for ruby on rails security issues. If you code or are going to perform an audit against an ror application be sure to check this out. Article Link: http://www.rorsecurity.info/ruby-on-rails-security-cheatsheet/
"Even with Apache's focus on producing a secure product, the Web server can still be vulnerable to any number of attacks if you fail to take some security precautions as you build your server. In this article, Scott Lowe provides you with 10 tips that will help you keep your Apache...
"Encryption support for configuration files was added to the .NET Framework beginning with version 2.0. The .NET Framework libraries include full support for controlling encryption and decryption in code. I include examples in both VB.NET and C# to demonstrate the encrypting and decryption of configuration file sections. Encrypting configuration data improves...
Gorka Vicente writes "HDIV 1.3 has just been released including Struts 2 support. HDIV is an open-source project that extends Struts ( Struts 1.x and Struts 2) behavior by adding web application level Security functionalities (Integrity, Confident iality of non editable data and Generic Validations of the Editable Data), maintaining the...
Bryan Sullivan has written an excellent article describing the various secure configuration options in .NET's Web.config file. If you write ASP.NET applications be sure to check this out. "Some enlightened software architects and developers are becoming educated on these threats to application security and are designing their Web-based applications with security...
"Web application fuzzing is a method of detecting a web application's vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application's security posture. Users also can apply fuzzing to perform tests...
The Cross-site Request Forgery FAQ has been released to address some of the common questions and misconceptions regarding this commonly misunderstood web flaw. This paper serves as a living document for Cross-Site Request Forgery issues and will be updated as new information is discovered. If you have any suggestions or comments...
"For defence in depth, developers may wish to use the Microsoft Anti-Cross Site Scripting Library to encode output. This library differs from most encoding libraries in that it uses the "principle of inclusions" technique to provide protection against XSS attacks. This approach works by first defining a valid or allowable set...
One of our readers 'J. Oquendo' "got bored" and wrote an article titled 'Securing LAMP and using ModSecurity as an IPS'. "Many times administrators often forget to do security checks from the ground up. They often will rely on simple methods of testing a machine. An NMAP scan here, a Metasploit...
A great article at ZDNet explaining how Vista + IE7 stopped the latest IE 0day from exploiting the machine. "The initial security warnings are hardly perfect. I've seen similar ActiveX opt-in dialog boxes for other built-in ActiveX components. How is an unsuspecting user supposed to know which one is safe and...
"With BrowserShield, Wang argues, many such attacks could be blocked. BrowserShield can be used as a framework that rewrites HTML pages to deny any attempt at executing harmful code on browsers. "We basically intercept the Web page, inject our logic and transform the page that is eventually rendered on the browser,"...
"Ajax is considered the next step in a progression towards the trumpeted, "Web 2.0." The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of relevant approaches and tools...
"I really have some good laughs when I tamper with cookies on my machine and watch the results when it is submitted back to the site. On the other hand, I don’t want any one to do the same to the cookies that I make! Cookies, most of the times, shouldn’t...
Zinho Writes "I've published the final research about Http Session Fixation covering the most known attacks and how to prevent them. The paper is written from a web developer point of view and shows various techniques to be safe from fixation and hijacking." Paper Link: Preventing Http Session Fixation Attacks (Paper)
