Web Application Security: The Complete Documentation
- This category contains 10 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
The 80/20 Rule for Web Application Security
Published on 2005-01-31, by Jeremiah Grossman, ©Web Application Security Consortium.
After performing hundreds of web security assessments you’re bound to encounter many frighteningly insecure websites. Websites so badly protected you could literally make off with the credit card numbers in a way reminiscent of the movie Gone in Sixty Seconds. On the other hand there are many websites frustratingly impervious to attack. What I’ll describe below are the subtle variations between the security "haves" and "have-nots". Using the age-old "80/20 rule", we’ll look at a few techniques anyone can use to decrease the risk of their website being hacked. And to make it really easy you won’t have to alter a single line of code! But before jumping too far ahead, let’s first discuss the 80/20 rule.
File infos:
- L0T3K ID: docs-1983
- status: online
- source: www.webappsec.org
Automatically hardening web applications using precise tainting
Published on 2005, by Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans, ©Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans.
Most web applications contain security vulnerabilities. The simple and natural ways of creating a web application are prone to SQL injection attacks and cross-site scripting attacks as well as other less common vulnerabilities. In response, many tools have been developed for detecting or mitigating common web application vulnerabilities. Existing techniques either require effort from the site developer or are prone to false positives. This paper presents a fully automated approach to securely hardening web applications. It is based on precisely tracking taintedness of data and checking specifically for dangerous content only in parts of commands and output that came from untrustworthy sources. Unlike previous work in which everything that is derived from tainted input is tainted, our approach precisely tracks taintedness within data values.
File infos:
- L0T3K ID: docs-1951
- status: online
- source: http://dependability.cs.virginia.edu/
Building Secure Applications: Consistent Logging
Published on 2007-02-26, by Rohit Sethi and Nish Bhalla, ©SecurityFocus.
This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks. An idea of a practical implementation is discussed, along with an examination of some of the associated risks and costs.
File infos:
- L0T3K ID: docs-2025
- status: online
- source: www.securityfocus.com
Bypass Testing of Web Applications
Published on 2005, by Jeff Offutt, Ye Wu, Xiaochen Du and Hong Huang, ©Jeff Offutt, Ye Wu, Xiaochen Du and Hong Huang.
Web software applications are increasingly being deployed in sensitive situations. Web applications are used to transmit, accept and store data that is personal, company confidential and sensitive. Input validation testing (IVT) checks user inputs to ensure that they conform to the program’s requirements, which is particularly important for software that relies on user inputs, including Web applications. A common technique in Web applications is to perform input validation on the client with scripting languages such as JavaScript. An insidious problem with client-side input validation is that end users can bypass this validation. Bypassing validation can reveal faults in the software, and can also break the security on Web applications, leading to unauthorized access to data, system failures, invalid purchases and entry of bogus data. We are developing a strategy called bypass testing to create IVT tests. This paper describes the strategy, defines specific rules and adequacy criteria for tests, describes a proof-of-concept automated tool, and presents initial empirical results from applying bypass testing.
File infos:
- L0T3K ID: docs-1953
- status: online
- source: http://ise.gmu.edu/~ofut/
Common Security Problems in the Code of Dynamic Web Applications
Published on 2005-06-01, by Sverre H. Huseby, ©Web Application Security Consortium.
The majority of software security holes occurring in web applications may be sorted into just two categories: failure to deal with metacharacters, and authorization problems due to placing too much trust in input. This article gives several examples from both categories, and then adds some from other categories as well.
File infos:
- L0T3K ID: docs-1989
- status: online
- source: www.webappsec.org
Defining a Set of Common Benchmarks Web Application Security
Published on 2005, by Benjamin Livshits, ©Benjamin Livshits.
A recent explosion in the number of security vulnerabilities being discovered every day has motivated a great deal of interest in tools that attempt to address this problem. While buffer overruns have been plaguing C programs for years, application-level vulnerabilities such as SQL injections, cross-site scripting, and path traversal attacks have become increasingly common in the last year. Looking at a daily snapshot of SecurityFocus vulnerabilities reveals that upwards of 60% of all exploits are due to application vulnerabilities such as the ones listed above.
File infos:
- L0T3K ID: docs-1952
- status: online
- source: http://suif.stanford.edu/~livshits/
Detect Your Web Application’s Vulnerabilities Early with Ruby
Published on 2007-01-29, by Shreeraj Shah, ©Jupitermedia Corporation.
Web application fuzzing is a method of detecting a web application’s vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application’s security posture. Users can also apply fuzzing to perform tests on several different attack vectors such as SQL, XPath, and LDAP injection, and error handling.
File infos:
- L0T3K ID: docs-2024
- status: online
- source: www.devx.com
Improving Web Application Security: Threats and Countermeasures
Published on 2003, by J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan, ©Microsoft Corporation.
This guide helps you build hack-resilient applications. A hack-resilient application is one that reduces the likelihood of a successful attack and mitigates the extent of damage if an attack occurs. A hack-resilient application resides on a secure host (server) in a secure network and is developed using secure design and development guidelines.
Web application security must be addressed across the tiers and at multiple layers. A weakness in any tier or layer makes your application vulnerable to attack. Figure 1 shows the scope of the guide and the three-layered approach that it uses: securing the network, securing the host, and securing the application. It also shows the process called threat modeling, which provides a structure and rationale for the security process and allows you to evaluate security threats and identify appropriate countermeasures. If you do not know your threats, how can you secure your system?
File infos:
- L0T3K ID: docs-1945
- status: online
- source: http://msdn.microsoft.com/
Web Application Disassembly with ODBC Error Messages
Published on 2007, by David Litchfield, ©Next Generation Security Software Ltd.
This document describes how to subvert the security of a Microsoft Internet Information Web Server that feeds into a SQL database. The document assumes that the web application uses Active Server Pages technology with Active Data Objects (ADO), though the same techniques can be used with other technologies. The techniques discussed here can be used to disassemble the SQL database’s structure, by-pass login pages, and retrieve and modify data. This does assume that attackers can run arbitrary SQL queries, which unfortunately is all too common due to a lack of understanding, or even a complete ignorance of this problem and subsequent coding techniques in an ASP page.
File infos:
- L0T3K ID: docs-1987
- status: online
- source: www.nextgenss.com
Web Applications Security Tutorial
Published on 2003-09-21, by Jerry Berkman, ©Jerry Berkman.
According to Securitystats.com, April 3, 2003, http://www.securitystats.com/webdeface.asp:
- 75% of all web servers running MS IIS 5.0 are vulnerable to exploitation.
- Microsoft issued a security alert on March 17, 2003 regarding a buffer overflow vulnerability which allows attackers to execute arbitrary code on Windows 2000 machines. A recent Netcraft survey found 767,721 IPs running IIS 5.0 and offering WebDAV and 273,496 IPs running IIS 5.0 with the protocol turned off.
File infos:
- L0T3K ID: docs-1944
- status: offline
- source: http://socrates.berkeley.edu/
Created: 2006-09-07 04:57 | Modified: 2007-03-26 00:17 | Size: 30885 octets