Anurag Agarwals' Threat Modeling Blog

OWASP Top 10 Quiz

2011-07-31T15:03:00.001-04:00

We had recently developed a quiz to help an organization test their developer's knowledge of OWASP top 10. I thought it would be a good idea to make it public and let other organization use it for their development teams as well. This is a very basic quiz but I do plan to add different levels and more questions to it and bring randomness in the questions as well. I would greatly appreciate any

OWASP threat modeling project

2011-04-13T10:57:00.000-04:00

We are starting an OWASP threat modeling project to standardize a threat modeling approach which can be used by various companies. During the OWASP portugal summit I had a very meaningful and positive discussion on this topic and got support from a lot of people in the community. You can find out the results of the discussion at the OWASP Threat Modeling project page If you would like to join

Intellipass - A behavior based password lockout mechanism

2010-08-19T17:48:00.000-04:00

I am pleased to announce Intellipass (a behavior based password lockout mechanism). Most of the password lockout mechanism today are static, which means, they lock a user out after a certain number of incorrect password attempts. This feature is implemented to prevent brute force attempts against the login functionality. Even though this feature does what it’s supposed to, it has its own

Free Hands on Workshop on Web Application Security in New York City

2010-05-06T18:16:00.000-04:00

Ever wondered how a hacker hacks all these credit cards? Do you think hacking a website is difficult? What are the skills required to hack a website?ISSA NY Metro chapter is organizing a 3 hour workshop on web application security. This session will show you how easy it is to steal credit card numbers, SSN, etc by doing a SQL injection attack or how you can steal passwords, hijack a session

MyAppSecurity - Secure Your Applications

2010-05-05T20:21:00.000-04:00

As some of you know that I joined WhiteHat Security as a Director of Education Services since Dec 2007 to build their training division from scratch. Though it has been a very demanding job but it has been very satisfying too. I enjoyed working with various companies, training their developers and QA professionals and resolving their web application security issues. Through training, I not only

WASSEC Project Leader Change Announcement

2008-08-11T17:02:00.000-04:00

There is going to be a new project leader (Brian Shura : bshura73_at_gmail_dot_com) for WASSEC (Web Application Security Scanner Evaluation Criteria) as of today. The leadership change will help me free up some time to work on other projects.We've identified an excellent candidate who will take over WASSEC from where I left. I have already given him an overview of the project, its status and the

OWASP AppSec India Conference 2008

2008-06-19T02:31:00.000-04:00

OWASP Delhi Chapter is hosting a grand application security event in New Delhi, India. With a lot of Executives and business folks also attending the event, it clearly shows the attention web application security is getting in India and I am sure a lot of it could also be because India is one of the major offshore development hub for US projects and most of these companies sending projects

WASC OWASP Party @ Blackhat

2008-06-19T02:30:00.001-04:00

WASC-OWASP Party at BlackhatBlackhat Vegas is around the corner. Our WASC-OWASP party last year rocked with around 300 people showing up. There was a huge line outside the shadow bar and it was by far the best party at Blackhat last year. If you weren't able to make it last year, do not miss it this time. Get your wristband from breach's booth at Blackhat.Join the leading minds in web application

Web Application Security Summit

2008-04-15T14:48:00.000-04:00

SANS and WASC have organized a Web Application Security Summit in Vegas.Web Application Security SummitJeremiah Grossman, Summit Chairwith Robert “RSnake” Hansen, Gary McGraw, and Caleb SimaJune 2-3, 2008 • Paris Hotel & Casino • Las Vegas, NVOn June 2-3, Various Application Security folks working in the enterprises will share the lessons learned in their application security initiatives. Case

RSA Conference Pictures

2008-04-11T19:47:00.001-04:00

RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services or in some cases just a little bit of fun like video games, rock climbing, etc.I personally think there were more companies talking about web application security then last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were

WASC meetup at RSA - pictures

2008-04-11T14:26:00.001-04:00

WASC meetup at RSA was a huge success. More then 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. I am posting some of the pictures I took below.Caleb Sima(HP), Robert Auger(WASC)Neil Daswani (Google), Robi papp (Accuvant)Pool was so much fun.Dawn Van Hoegaerdan (Whitehat Security), Jermiah Grossman, Rachel Miller (Shift Communiations)Dawn, James(

Malware installation attempt via phishing

2008-03-22T21:53:00.000-04:00

I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate website. Or maybe most of the previous phishing attempts were about stealing username/passwords. This one is about installing something on their machine (which i am sure is some sort of malware). This might be a shift in the approach and of course it makes a

WASC meetup at RSA

2008-03-06T21:13:00.000-05:00

RSA conference is around the corner and a lot of people from the webappsec field would be coming over to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008 12pm to 2pm. Whitehat Security has graciously accepted to sponsor the event. Please click on the image to see a larger version of the invite.Last year WASC

Certification for Web Application Security Professional

2008-02-21T14:15:00.002-05:00

Web Application Security Consortium and SANS has partnered together to define, train, test and certify the individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and process expertise to make this a huge success.Why do we need this certification?As more and more software is moving to

New IRS Scam via SMS messages

2008-01-29T17:29:00.000-05:00

I got a text message today which said likeFrom:TAX@internalrefunding.com------Message-----Subject: NOTICEYou have .30 IRS UNITS pending forrefunding, completethe form usingwww.internalrefunding.com ASAPMy first reaction was "What the f***" but then I started thinking "Could it be IRS?", if yes, then "Why send a SMS?"Then my paranoid mind started working and even though I haven't heard of a scam

IETF starts working on security requirements for HTTP

2008-01-23T21:48:00.000-05:00

Andre sent me a link on "Security Requirements for HTTP". It is exciting to see at least security issues of HTTP protocol are being addressed by IETF. This is a first draft and they are starting to identify the problems and will address them as a final part of this document.http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-00.txtRecent IESG practice dictates that IETF

Do you have to fix XSS vulns to be PCI Compliant? ScanAlert Says No

2008-01-21T17:10:00.000-05:00

I was reading Jeremiah's blog about ScanAlert's Response - ScanAlert - XSS is not our problemI had blogged earlier about Should ScanAlert be revoked of their PCI Scanning abilities?The interesting thing here is that if Hacker Safe is not detecting XSS attacks and I can bet they would not be detecting SQL injection attacks as well. So, what part of web application attacks are they trying to detect

The Fortification Movie

2008-01-21T14:16:00.000-05:00

Last week i went to see the documentary by fortify on "The new face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSN, etc. and selling it on the black market to make money. Basically a visual representation of what we deal with, day in, day out. But it turned out

Calling all web hacks of 2007

2008-01-08T14:07:00.001-05:00

Jeremiah Grossman is trying to gather all the neat researches behind web hacks of 2007."The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be

Should ScanAlert be revoked of their PCI Scanning abilities?

2008-01-07T17:18:00.001-05:00

I was passed on this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by Scan Alert (which is set to be acquired by McAfee). I am not going to go into the details of how safe are the sites displaying the logo "Hacker Safe". I don't even want to go into the details of what level of scanning services are provided by ScanAlert

AppSec 2007 pictures of breach party

2007-11-19T19:49:00.000-05:00

OWASP and WASC AppSec Conference is over and it was by far the best conference i have ever been to. I was able to meet up with so many fantastic people, some of them i have exchanged emails with before and was good to see them in person. The conference topics and the presentation were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive

Who are the real culprits for PCI compliance?

2007-11-07T14:50:00.000-05:00

There was an article in SearchSecurity today on TJX issue.Don't blame PCI DSS for TJX troubles, IT pros sayhttp://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1280854,00.html?track=sy160&asrc=RSS_RSS-10_160Here is an excerpt from the articleThe auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems."They had no network monitoring and

Panel discussion on Website Vulnerability Disclosure during AppSec Conference on Nov 15

2007-11-05T19:30:00.001-05:00

As most of you know that OWASP-WASC AppSec Conference is held in ebay between Nov12-Nov15 including the training sessions. There are very many exciting topics to look forward to in the conference and not to forget the vendor parties at the end of the day. One of the things i am excited about is the panel discussion on Website Vulnerability Disclosure (which i will be moderating). We have some

WASC meetup on Nov 8

2007-11-01T13:42:00.000-04:00

Its time for another WASC Meet-Up. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Just some like minded people from the security industry getting together to share their stories over beer. Everyone is welcome and it should be a really fun time!Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: anurag dot agarwal at

OWASP & WASC AppSec 2007

2007-09-04T16:45:00.000-04:00

The OWASP/WASC Black Hat cocktail party was so successful it only made sense to join forces again, this for an upcoming conference. OWASP & WASC AppSec 2007 is scheduled for Nov 12 – 15 @ eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we’re a little nervous because the venue might be able to fit

WASC Meetup at IT Security World Conference on Sep 17

2007-09-04T16:40:00.000-04:00

WASC is organizing another Meet-Up during the IT Security World Conference (Sep 17-18) in San Francisco @ O'Neills). As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Baysec is also organizing a meetup during that time and we are hoping to meet other security professionals from Bay Area. Everyone is welcome and it should be a really fun time!Please RSVP by email

WASC WASSEC Project - Update

2007-08-22T17:04:00.000-04:00

Thank you all for your patience. We have received an overwhelming response from the WASSEC (Web Application Security Scanner Evaluation Criteria) project. To proceed with the project please1. Please email wasc-wassec-subscribe@webappsec.org and reply to confirmation email.2. It is moderated subscription so every contributor has to be approved to send messages to the list.3. Once you are

WASC Announcement: 'WASSEC Project' Call for Participants

2007-08-13T21:49:00.000-04:00

WASC has announced a new project WASSEC (Web Application Security Scanner Evaluation Criteria). Currently WASC is seeking volunteers from various sections of the community including penetration testers, scanner vendors, security researchers and also end users to contribute to the project.A brief description of the projectThe Web Application Security Evaluation Criteria is a set of guidelines to

Did WebApp developers learn from Samy worm?

2007-08-12T17:17:00.000-04:00

At the Mozilla Pyjama party during Blackhat, Me and Jeremiah met up with Bubba Gump and he shared with us an interesting story on how he was able to do something similar like Samy worm on another social networking site. His story just goes to show that there are so many other websites which are still getting hacked the same way but either have no clue or are in a denial mode. We asked him to

My experience at BlackHat and DefCon

2007-08-12T16:47:00.000-04:00

I came back from blackhat and defcon last Sunday. I was there for the entire 9 days (combined blackhat and defcon) and when i came back, I realized why people said 9 days of Vegas are toooo long. It was my first time to Vegas so I didn’t see it earlier but now i have learnt my lesson. :)It had been a very enjoyable experience. Though the party really took off on Tuesday night when most of the

Reflection on Dinis Cruz

2007-07-02T13:58:00.000-04:00

In the last episode of reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is a chief OWASP evangelist and a part of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations on OWASP Conferences and leads the OWASP .Net Project where (amongst others) he created the tools: OWASP Report Generator,

Reflection on Cesar Cerrudo

2007-06-25T00:28:00.000-04:00

This week on reflection we have someone who has done a lot of database research and published several advisories and presented at Blackhat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company “Argeniss” and has contributed a lot to some of the databases to be more secure today. He has also identified a lot of vulnerabilities in Microsoft Windows,

Reflection on Alex Stamos

2007-06-18T17:58:00.000-04:00

This week on reflection we have Alex Stamos from iSEC Partners Inc. Alex has been involved in webappsec for sometime now and has presented at Blackhat, ToorCon, OWASP, ISACA, etc. He is a founder and Vice President of Professional Services at iSEC. He is a leading researcher in the field of web application and web services security and is also a co-author of an upcoming book Hacking Exposed Web

Reflection on pdp

2007-06-11T00:23:00.000-04:00

This week on reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for sometime now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented on Advanced Web Hacking Revealed in

WASC meetup in Blackhat USA 2007

2007-06-06T20:07:00.001-04:00

OWASP and WASC have joined hands to have a combined meetup at Blackhat USA 2007 in Las Vegas which was earlier planned as a WASC meetup. Breach Security has stepped forward to sponsor the event. Please click on the image to see a larger version of the invite. Come and join us for a drink and meet other like minded people from the industry. NOTE: Those who have already RSVPed need not to RSVP

Any java developers in bay area?

2007-06-05T14:21:00.000-04:00

Any java developers in bay area who are interested in working together on some of the research ideas i have in web application security.Most of the development would be in java. Knowledge of javascript is a plus. Knowledge of webapp security field is optional.Interested? contact me on anurag.agarwal@yahoo.com

Reflection on Saumil Shah

2007-06-04T16:04:00.000-04:00

This week on reflection we have Saumil Shah from net-square Solutions. Saumil has been involed in webappsec community for a long time and is a regular presenter at Blackhat. He focuses on researching vulnerabilities with various e-commerce and web based application systems, system architecture for Net-Square's tools and products, and developing short term training programmes. He specializes in

Reflection on Stefano Di Paola

2007-05-28T14:35:00.000-04:00

This week on reflection we have Stefano Di Paola who caught everyone’s attention through his paper Subverting Ajax which talked about acrobat reader plugin vulnerability and javascript prototype exploit. Those of you who remember, there was a lot of commotion on WASC mailing list at the beginning of this year. Tons of emails going back and forth on a vulnerability which was identified in acrobat

WASC Meetup at Black Hat (USA 2007)

2007-05-25T17:47:00.000-04:00

For the third year in a row WASC will be organizing a web application security meet-up during the BlackHat USA (2007) conference. There's going to be a lot of webappsec presentations and people in attendance, likely more than ever, so it's a good opportunity for those in the community to get together and share some food and drinks. This email will serve as a way to gauge the level of

Reflection on ryan barnett

2007-05-21T14:13:00.000-04:00

This week on reflection we have Ryan Barnett from breach security. Ryan is a well respected figure in web application security and is well known for his book “Preventing Web Attacks with Apache”. He is a faculty member for SANS institute and a WASC officer. He is also the Project Lead for the Center for Internet Security Apache Benchmark Project. Ryan has a passion for web application security

Reflection on Caleb Sima

2007-05-15T01:19:00.000-04:00

This week on reflection we have caleb sima from SPI dynamics. He is the co-founder and CTO of SPI dynamics. He has been involved with internet security since its very early age and is widely respected in the industry. He is often quoted in various magazines and is called upon for his expert opinions. Caleb’s story tells us we can be what we want to be if only we put our minds to it and channel

Phishing using google ads

2007-05-14T01:14:00.000-04:00

I received an interesting phishing email today. Whenever I receive any such email I hover my mouse over the link to see the actual url behind the link. In this particular case, it caught my attention. It was pointing to google.com. I was a little bit surprised then I copied the actual url behind the link separately to see where is it pointing. Be careful before you click on the url.Here is a copy

Reading cookies from the server using Java

2007-05-07T01:06:00.000-04:00

Last two posts have been about running TRACE on the host server.Running TRACE on the server using Java from within the browser Part 1http://myappsecurity.blogspot.com/2007/04/using-java-from-within-browsers.htmlRunning TRACE on the server using Java from within the browser Part 2http://myappsecurity.blogspot.com/2007/05/running-trace-on-server-using-java-from.htmlIn this post, we will see how to

Running TRACE on the server using Java from within the browser Part 2

2007-05-07T01:01:00.000-04:00

In the previous post on running TRACE on the server using java from within the browser, the approach was using java.net.Socket. In this approach, we are using java.net.UrlConnectionThere are certain limitations with this approach1.If the TRACE is disabled on the server, firefox will give PrivilegeException2.It the HTTP is disabled on the web server then it will give PrivilegeException3.It will

Reflection on Bill Pennington

2007-05-06T22:55:00.000-04:00

This week on reflection, we have Bill Pennington from Whitehat Security. Bill had been involved in web application security for a long time and has performed numerous web application assessments and is currently involved in research and development at Whitehat Security. He has spoken at industry events like blackhat, ISSA LA and OWASP Silicon Valley chapter and has contributed to or co-authored

WASC meetup at JavaOne on May 10

2007-05-04T15:21:00.000-04:00

Alright guys!! WASC is having another meetup at JavaOne. From what i have heard this time we have a lot of people joining us. So come on and meet the guys and share a thought or two over a beerHere is a copy of the post from Jeremiah's BlogWASC is organizing a Meet-Up during the JavaOne Conference (May 8-11 @ San Francisco Moscone Center). As usual this will be an informal gathering. No agenda,

Using Java from within browser's javascript to exploit web application vulnerabilities Part 1

2007-04-30T17:25:00.000-04:00

Last weekend jeremiah showed me a code snippet where he was able to run TRACE method on a server using java from javascript. Though it was a little slow but it did the job. He asked me if there is a way to make it run faster. I did some work and using jdk1.4 API, I was able to get the job done a lot faster. I always knew that we can run java from javascript but it never crossed my mind that I can

Reflection on Andrew Van Der Stock

2007-04-30T02:32:00.000-04:00

This week on reflection we have Andrew Van der Stock. Andrew is very active in webappsec industry through OWASP and is involved in a lot of activities including OWASP top ten or OWASP Guide, etc. He has contributed a lot to webappsec field, more so in terms of research and awareness on securing the applications rather then exploiting them. He used to be based out of Australia and has recently

WASC Meetup - April 18 - pictures

2007-04-23T18:32:00.000-04:00

Sorry for the delay in this post. Last wednesday we had our WASC meetup in sunnyvale. Unfortunately the date coincided with OWASP san francisco chapter meeting and some infosec conference in toronto so we did not get as much attendance we expected but still some of us showed up. Jeremiah had already mentioned on his blog that everyone has to buy a beer for someone they havent met before. :)Before

Reflection on Nish Bhalla

2007-04-23T14:06:00.000-04:00

This week on reflection we have Nish Bhalla from SecurityCompass. Nish has been around the block for a long time and used to work for FoundStone before starting his own company. He is a specialist in product testing, code reviews, web application testing, host and network reviews. He has presented in various conferences, published articles, contributed and co-authored several books. He takes

Reflection on Ory Segal

2007-04-16T03:11:00.000-04:00

This week on reflection we have Ory Segal of Watchfire. Ory has been involved in the webappsec from its very early days. He has published several whitepapers, articles and advisories. He has contributed to security standards like WASC Threat Classification and WASC Firewall Evaluation Criteria. He has spoken at various conferences and security events and is very reputed amongst the web

WASC Meetup in bay area

2007-04-10T15:04:00.000-04:00

Its a beerfest guys. put it on your calendarNormally we hold WASC Meet-Ups during large conferences (RSA/ BlackHat) where a lot of web application security people are at same place at the same time. Around the S.F. Bay Area there's enough webappsec people that we we no longer need that excuse. So we're going to plan a WASC Meet-Up inviting those in the local community to drop by. It'll be an

Reflection on Chris Shiflett

2007-04-06T13:47:00.000-04:00

This week on reflection we have Chris Shiflett. One of the very few people who have been blogging on webappsec for a long time and I am sure is amongst the top 10 visited blog on web application security. His knowledge on web application security is tremendous and his blog is a goldmine for people who are looking to learn and understand various types of web application vulnerabilities and their

Reflection on Jeff Williams

2007-03-30T16:28:00.000-04:00

This week on reflection need no introduction. Jeff Williams, is one of the major contributors in webappsec community. He has written many whitepapers, spoken at many conferences including Secure Software Summit, OWASP conferences, ISSA InfoSec Conference, NSA High Confidence Software and Systems Conference (HCSS), JavaOne, National Computer Security Conference (NCSC), etc, written many tools

Reflection on Robert Auger

2007-03-23T01:15:00.000-04:00

This week on Reflection we have someone who has contributed to the webappsec community in many different ways. We all know Robert Auger through http://www.cgisecurity.com/. CGI Security is one of the very early website on the topic and has a wealth of information on web application security. Robert is also a Co-Founder of the Web Application Security Consortium and a founder and moderator of the

Reflection on Billy Hoffman

2007-03-17T03:04:00.000-04:00

This week on Reflection we have a very young guy from the webappsec field. Billy Hoffman is a lead security researcher for SPI dynamics where he works on discovering and automating web application vulnerabilities and improving their crawling technology. He has presented at a lot of conferences including (ToorCon, Black Hat, etc). Billy’s knowledge on Ajax is tremendous and he has written many

Reflection on Sheeraj Shah

2007-03-09T01:01:00.000-05:00

This week on Reflection we have another big contributor to webappsec field. Sheeraj Shah is a founder of Net Square Solutions where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Sheeraj started with web application security in mid 2000 when he was working on WebLogic application server and discovered some

Reflection on Ivan Ristic

2007-03-02T01:25:00.000-05:00

If we hear so much about web application firewalls and their role as a first line of defense in protecting our web applications, a large amount of credit has to go to Ivan Ristic. Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine). He started playing in the webappsec space sometime around 2002 and working seriously since

Separating actual urls hidden behind the link can help reduce phishing

2007-02-25T17:18:00.000-05:00

Lately i have been getting a lot of phishing emails in my inbox. Over the years yahoo has done a good job in redirecting those to spam folders. Of course every now and then one or two might slip through the cracks but its only until recently when i started getting a lot of phishing emails in my inbox. Emails for washington mutual, paypal, bank of america, etc. It didnt matter if i have an account

Reflection on Jeremiah Grossman

2007-02-23T02:14:00.000-05:00

Today’s personality is again well known for its contribution to the world of web application security. Jeremiah Grossman is an expert in webappsec and is a CTO and a co-founder of Whitehat Security. He is also a founding member of Web Application Security Consortium. Jeremiah started hacking around 1991-92 but it was only until 2000, he took it as a profession when he was working for yahoo where

Compliance - is it worth the money?

2007-02-20T03:07:00.000-05:00

While surfing through the net i found a posting on compliancehttp://bestsecurity.blogspot.com/2007/02/compliance-audit-is-not-substantive.htmlThough it was more of a ranting on the compliance but it certainly made me think my experience on PCI compliance.I do agree that compliance has a place in the industry. In my experience, had it not been for compliance, many companies have not paid attention

Reflection on RSnake

2007-02-15T13:45:00.000-05:00

If you have heard of XSS cheat sheet or http://ha.ckers.org/ then you already know him. His name is Robert Hansen or more popularly known as RSnake. If there is any mention of XSS, there is a big chance RSnake’s name or its cheat sheet is mentioned along with it. His contribution in the web application security awareness is legendary. On two of his many web sites (http://ha.ckers.org/ and http://

I dont want a product, I want a solution

2007-02-13T15:22:00.000-05:00

RSA Expo is over, and it was good to see a lot of Web application security products being showcased there. The awareness about Web application security is increasing, and a lot of companies are coming out with new products to protect Web applications. Such products include network and Web application firewalls, identity management, auditing tools, Web application security tools and encryption

Reflection on Amit Klein

2007-02-08T23:22:00.000-05:00

For those who are in the web application security field need no introduction to his name. He is an expert and by far one of the best in web application security space. He is one of the early starters of the field and has played a major role in the awareness of webappsec. His contribution ranges from not only identifying vulnerabilities and publishing them but also contributing towards standards

WASC meetup during RSA conference

2007-02-07T21:30:00.000-05:00

Today at WASC meetup, quite a lot of crowd turned out and it was fun meeting a lot of players from the application security field. Here are some of the pictures from the meetup. You will see people like Jeremiah Grossman, RSnake, Arian Evans (Whitehat), Billy Hoffman (SPI), Robert Auger (cgisecurity.net), etc You can view more pictures at Jeremiah's blog

Target password cracking - code explained

2007-01-30T19:36:00.000-05:00

This is the explanation of the source code from my last posting about targeted password cracking - Proof of concept ---- Start Code -----/******Global variables defined in this module ajax_request - To store the XMLHttpRequest object.autofill - This string will be used to send variations of password to detect the password policy and what other characters are allowed.success_response - This string

Targeted password cracking - Proof of concept

2007-01-30T04:08:00.000-05:00

This is a proof of concept to exploit the registration functionality of a website to build targeted password cracking engine. I am using Ajax to automatically detect the parameters which are submitted for a successful password and automatically resubmitting the modified passwords. Of course other technologies can be used for the same. I think I can safely assume that by now we all understand the

Sample Shopcart application

2007-01-28T14:51:00.000-05:00

In my experience i have seen a lot of developers being clueless about what application security is and how they unknowingly left a door open for the bad guys in their application. They don't have much idea about how application are open to these vulnerabililties (like XSS, SQL injection, session hijacking, etc), how they are exploited and what changes they need to make in their coding style to

XSS filter to protect from XSS attacks

2007-01-23T01:58:00.000-05:00

Here are the excerpts from the chilling effectGrossman, who founded his own research company, WhiteHat, claims XSS vulnerabilities can be found in 70 percent of websites. RSnake goes further. "I know Jeremiah says seven of 10. I'd say there's only one in 30 I come across where the XSS isn't totally obvious. I don't know of a company I couldn't break into [using XSS]."If you apply Grossman's

Ajax Sniffer - Prrof of concept

2007-01-17T04:05:00.000-05:00

NOTE - The original idea was discussed by Stefano Di Paola in his paper Subverting Ajax. I have simply created a working proof of concept of ajax based sniffer. I have taken the same files as I demonstrated in ajax worm PoC. You can see the demo at http://www.attacklabs.comLet’s take a look at how to create an ajax based sniffer.In order to create a sniffer we need to do two things1. Override the

Breaking the Same Origin barrier of Javascript

2007-01-10T02:49:00.000-05:00

NOTE: I dont want javascript to be executed so in the sample code below, you will see that i will remove the <> tags from the script element.Same Origin Policy of browsersOften times we have heard that Javascript cannot send requests to another domain. That is because of the same origin policy implemented in the browsers. The same origin policy of the browsers prevents document or script loading

Did you SEEC it yet?

2006-12-12T18:33:00.000-05:00

I am pleased to announce SEEC - An application security search engine. This search engine is powered by google and is application security specific. It is still in beta release. You can access it here - SEECWhy SEEC?well, SEC is short for security and SEEK means to find, hence SEEC (find within security)Please do leave your comments and feedback on what your thoughts are on SEEC. Also, few weeks

Survey on Application Security Vulnerability Assessment process

2006-12-06T15:33:00.000-05:00

Today jeremiah posted the third round of his monthly survey on web application security professionals. http://jeremiahgrossman.blogspot.com/2006/12/web-application-security-professionals.htmlThe results of the first two are available here[1] Nov. 2006http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-professionals.html[2] Oct. 2006http://jeremiahgrossman.blogspot.com/2006/10/

Ajax Worm - Proof of Concept

2006-12-03T04:43:00.000-05:00

Few weeks ago I demonstrated a Proof of Concept of how easy it is to create an Ajax worm which hijacks a user session and redirects all the user activity through itself. The idea is simply to be able to control and monitor the user activity on a website by inserting the malicious script into the visiting user's session using XSS. I have been advocating for some time now, the extent of damage that

Correction - Comparison between Appscan and Webinspect

2006-11-20T14:07:00.000-05:00

In my last posting, i discussed about some of the difference between appscan and webinspect. Ory Segal from watchfire pointed out a few areas which could have been interpreted wrongly as well. I have made changes to the original post and i am posting it separately for those who have already read it or if it is stored in cache somewhere.View the actual attack during a scan session: Webinspect

Comparison between Appscan vs Webinspect

2006-11-03T14:23:00.000-05:00

Last month I got a chance to evaluate the two popular vulnerability assessment tools Webinspect and Appscan and I wanted to share my findings with others. As you will notice, currently I have published only few technical comparison I will add more to it sooner. This comparison is strictly between Appscan 6.5 and Webinspect 6.2. Both the companies have since come with a beta release of a new

Don't let your Web app help spammers

2006-10-26T14:25:00.000-04:00

We've all been plagued by unsolicited commercial email -- also known as spam. In fact, the Washington Post reported that spam may soon account for half of all U.S. email traffic. Lets look at ways on how we can protect our email address from the spammers. read the complete article here

How Ajax makes it easier to steal information from your clipboard

2006-10-11T13:37:00.000-04:00

Cut Copy Paste has always been an important part of our digital life. Developers, as well as regular users, can't live without it. Regular users use it routinely to copy and paste information such as passwords and credit card numbers from one form to another. Office employees use it all the time when creating documents. There's no denying our reliance on the Copy and Paste functionality of the

Taking the battle to the phishers

2006-10-08T16:47:00.000-04:00

"University of Illinois at Chicago is working with some financial institutions (he can't say which) on the anti-phishing agent, so there is commercial interest. "We'll be providing them complex code, user names, and passwords," he says. "And they will be able to see the phishing traffic" and disable it and track the phishers for eventual prosecution, for instance. "This would be really

Court OKs NSA wiretapping

2006-10-06T23:04:00.001-04:00

http://www.wired.com/news/wireservice/0,71911-0.html?tw=wn_technology_security_3"The Bush administration can continue its warrantless surveillance program while it appeals a judge's ruling that the program is unconstitutional, a federal appeals court ruled Wednesday.""The program monitors international phone calls and e-mails to or from the United States involving people the government suspects

Is Microsoft changing?

2006-10-06T23:04:00.000-04:00

http://wired.com/wired/archive/14.10/microsoft.htmlSomething different from security but if all the chief security architect could be as Ray Ozzie, 75% of the security attacks we are seeing today wont be possible at all.

How safe is “hacker safe”

2006-10-06T22:18:00.000-04:00

ID Thieves Turn Sights on Smaller E-BusinessesThis article raises so many questions but the biggest of them all is how effective are these sites which are providing this kind of “hacker safe” services and who is to verify what level of services they are providing. For all we know, it’s just a false sense of security as we found out in this case. The companies, who are totally not aware of what to

Google victim of click fraud

2006-10-06T21:56:00.000-04:00

This time it was google’s turn to play victim of click fraud.http://www.theregister.co.uk/2006/10/06/google_adsense_worm/

RE: Privacy group takes US to court over email spying

2006-10-06T21:54:00.000-04:00

post: http://www.theregister.co.uk/2006/10/06/eff_sues_us_govt/What I would like to know is if US govt. can state it for the record, that they are only using it to monitor terrorist communications and NOTHING ELSE. They have claimed that they are using it to track terrorist communications but I don’t know if they have said only terrorist communication and nothing else?

To open source or not to open source

2006-10-04T14:26:00.000-04:00

Yahoo allows outsiders to innovate on Yahoo e-mailYahoo has decided to open the underlying code of yahoo mail to outside programmers. Now this can be a good thing and a bad thing. Of course we will see a lot more applications built on top of yahoo mail, but then it is a also a nightmare from the security point of view. On one side, since the source code is allowed access they are more vulnerable

Taking passwords to the grave

2006-10-03T20:28:00.000-04:00

Interesting story on the passwords.http://news.com.com/Taking+passwords+to+the+grave/2100-1025_3-6118314.htmlit brings up an interesting twist to the whole password saga by raising a question, whether we should store them in our will. Though it has a valid reason but then isnt that against what we preach.