Security Articles & Links
First Paragraph: In the first installment of this series we introduced the reader to web application security issues and stressed the significance of input validation. In the second installment, several categories of web application vulnerabilities were discussed and methods for locating these vulnerabilities were outlined. In this third and final article we will be investigating session security issues and cookies, buffer overflows and logic flaws, and providing links to further resources for the web application penetration tester.
Comments: The final article in a three-part series on penetration testing discusses more advanced topics such as session security, overflows and logic flaws. An extensive list of web resources and tools is also provided for further study.
Author: Jody Melbourne and David Jorm
Publisher: SecurityFocus
Issue/Date: August 20, 2003
URL: http://www.securityfocus.com/infocus/1722

Penetration Testing for Web Applications (Part Two)
First Paragraph: Our first article in this series covered user interaction with Web applications and explored the various methods of HTTP input that are most commonly utilized by developers. In this second installment we will be expanding upon issues of input validation - how developers routinely, through a lack of proper input sanity and validity checking, expose their back-end systems to server-side code-injection and SQL-injection attacks. We will also investigate the client-side problems associated with poor input-validation such as cross-site scripting attacks.
Comments: The second article in the series on penetration testing focuses specifically on input validation: why it matters, and how input can be manipulated and systems exploited where input validation is absent. The authors present various examples of injection, some of which are likely to apply to your web application.
Author: Jody Melbourne and David Jorm
Publisher: SecurityFocus
Issue/Date: July 3, 2003
URL: http://www.securityfocus.com/infocus/1709

First Paragraph: Web applications are becoming more prevalent and increasingly more sophisticated, and as such they are critical to almost all major online businesses. As with most security issues involving client/server communications, Web application vulnerabilities generally stem from improper handling of client requests and/or a lack of input validation checking on the part of the developer.
Comments: A basic understanding of web application architecture is essential to the successful penetration testing of any web application. In the first article of the series on penetration testing, security testing experts break down the important aspects of a web application as they apply to penetration testing. Learn the means through which data is exchanged between the user and the backend, including specific techniques and tools for deconstructing your web application for penetration testing.
Author: Jody Melbourne and David Jorm
Publisher: SecurityFocus
Issue/Date: June 16, 2003
URL: http://www.securityfocus.com/infocus/1704

The Ten Most Critical Web Application Security Vulnerabilities
First Paragraph: The Open Web Application Project (OWASP) is dedicated to helping organizations understand and improve the security of their web applications and web services. This list was created to focus government and industry on the most serious of the vulnerabilities. Web application security vulnerabilities are highly exploitable and the consequences of an attack can be devastating. These vulnerabilities represent an equivalent magnitude of risk as network security problems, and should be given the same degree of attention.
Comments: The OWASP Top Ten list highlights the most commonly overlooked and dangerous flaws in web applications. In addition to providing detailed descriptions of each issue, the list provides methods that can be used to detect whether or not your application is vulnerable, as well as ways to protect yourself. Examples and references for each vulnerability are provided.
Author: N/A
Publisher: OWASP
Issue/Date: January 13, 2003
URL: http://www.owasp.org/images/8/85/OWASP_Top_Ten.ppt

Web Application and Databases Security
First Paragraph: Internet web sites are increasingly using web applications to access database systems for information retrieval, transactions and publication. These Internet web applications are commonly being used for e-commerce, e-banking, and e-government to purchase goods, make reservations, pay taxes, enroll in classes, retrieve academic transcripts, acquire account balances and pay bills, to name a few. In order to provide these Internet services many are connecting their security sensitive information stored in databases directly to the Internet.
Comments: This article delivers an overview of website security layers. It shows you where you need to test for vulnerabilities and offers some common, and some uncommon, solutions.
Author: Darrell E. Landrum
Publisher: SANS Institute
Issue/Date: April 2, 2001
URL: http://www.giac.org/practical/gsec/Darrell_Landrum_GSEC.pdf

SANS Top-20 Internet Security Attack Targets (2006 Annual Update)
First Paragraph: Six years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red have been on SANS Top-20 lists.
Comments: This article is a good starting point for assessing how secure a system is. It provides a description of vulnerability points, and describes the systems that are most susceptible.
Author: N/A
Publisher: SANS Institute Resources
Issue/Date: November 2006
URL: http://www.sans.org/top20/

How Internet Cookies Work
First Paragraph: Internet cookies are incredibly simple, but they are one of those things that have taken on a life of their own. Cookies started receiving tremendous media attention starting in February 2000 because of Internet privacy concerns, and the debate still rages.
Comments: Cookies have had a big impact on the Web, and on the press. This article separates fact from fiction about this widely misunderstood technology.
Author: Marshall Brain
Publisher: How Stuff Works
Issue/Date: N/A
URL: http://www.howstuffworks.com/cookie.htm

How Firewalls Work
First Paragraph: If you have been using the Internet for any length of time, and especially if you work at a larger company and browse the Web while you are at work, you have probably heard the term firewall used. For example, you often hear people in companies say things like, "I can not use that site because they will not let it through the firewall."
Comments: Firewalls can be a troublesome issue for testers. Find out how they work in this article.
Author: Jeff Tyson
Publisher: How Stuff Works
Issue/Date: N/A
URL: http://www.howstuffworks.com/firewall.htm

The Strange Tale of Denial of Service Attacks Against grc.com
First Paragraph: I believe you will be as fascinated and concerned as I am by the findings of my post-attack forensic analysis, and the results of my subsequent infiltration into the networks and technologies being used by some of the Internet's most active hackers.
Comments: Steve Gibson offers a great story about a distributed denial of service (DDoS) attack against his company's site and how he went about coping with the attack through his own post-attack forensic analysis. The story, which describes the technical nature of this specific attack as well as the security exposure we all share by using the Internet, is educational and entertaining to read.
Author: Steve Gibson
Publisher: Gibson Research Corporation
Issue/Date: N/A
URL: http://www.crime-research.org/library/grcdos.pdf

Networks use 'honeypots' to catch an online thief
First Paragraph: If you want to break into a house, why spend time prying open the front door if the back door is wide open? Same goes when breaking into computer networks. Most networks and servers are set up with configuration errors that are well known to hackers, who can download free tools that will scan many different networks looking for those easy-open entry points. No genius-level code manipulation or high IQ is needed.
Comments: Here's another look at the use of honeypots. This article is an overview, including a few recommendations for software to help get you started. Links to related stories and other related websites are also provided.
Author: Matthew Schwartz
Publisher: cnn.com
Issue/Date: April 4, 2001
URL: http://www.cnn.com/2001/TECH/internet/04/04/trap.a.thief.idg/

How Secure Are You?
First Paragraph: In this customer-centric world of instant access and continuous connections, E-business initiatives that outpace security considerations are heading for disaster.
Comments: Although absolute protection may be unattainable, stronger security programs and commitments will go a long way toward protecting the company.
Author: Susan Breidenbach
Publisher: InformationWeek
Issue/Date: August 21, 2000
URL: http://www.informationweek.com/

The Use of Honeypots and Packet Sniffers for Intrusion Detection
First Paragraph: Within the realm of computer security, a honeypot is a computer system designed to capture all traffic and activity directed to the system. While honeypots can be set up to perform simple network services in conjunction with capturing network traffic, most are designed strictly as a "lure" for would-be attackers.
Comments: Honeypots are often used to detect security breaches on websites, but not without controversy. This article examines both sides of that controversy: some consider honeypots to be a form of entrapment, while others believe honeypots are valuable and necessary given the sophistication of today's hackers.
Author: Michael Sink
Publisher: Global Information Assurance Certification
Issue/Date: April 15, 2001
URL: http://www.giac.org/practical/gsec/Michael_Sink_GSEC.pdf