Sunday, February 25, 2007
Separating actual URLs hidden behind links can help reduce phishing
Here is an example. I received this in my Yahoo mail today. If you hover your mouse over the link, you will see the actual URL is something other than what the link text says. (Be careful if you click on the URL.)
https://www.paypal.com/row/vst/id=11791677P5757633F
I know it is an ongoing battle between product managers and security professionals over where to draw the line between a feature and security. Allowing a user to click on a URL is a basic feature of an HTML page. HTML emails use the same feature, and phishers exploit it with a great success rate. The point I am trying to make is that email providers are spending a lot of money building robust phishing detection mechanisms but paying no attention to the URLs themselves. How hard is it to compare the actual URL (the href) with the text shown in the link? If the host named in the link text does not match the host the link actually points to, then, combined with other criteria, the message can be marked as phishing or spam. If they do not want to mark it as phishing, the least they can do is display the actual URL separately from the link text and let the user copy and paste it if they want to. It is not a huge inconvenience to the user, but at the same time it can help reduce phishing attempts by malicious people.
If a phishing URL could be displayed like this,
https://www.paypal.com/row/vst/id=11791677P5757633F (http://reseller4.ultrawhb.com/~mrbouble/.public/login.html)
then at least the customer is not fooled; if he copies and pastes the wrong URL anyway, there is no solution to that.
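As an added example (not part of the original post, and not code from any mail provider), the following Python script implements the comparison the post asks for: it pulls every link out of an HTML mail body, and wherever the visible text looks like a web address whose host differs from the host of the href, it rewrites the display as "visible text (actual URL)". The sample mail body is constructed; the two URLs in its first link are the ones quoted above. The subdomain rule in same_site is a deliberate simplification and is labelled as such.

```python
# Added example: flag HTML mail links whose visible text looks like a URL but
# whose href points at a different site, and rewrite the display the way the
# post proposes: "visible text (actual href)".
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that a reader would take to be a web address.
URL_LIKE = re.compile(r"(https?://)?(www\.)?[\w-]+(\.[\w-]+)+(/\S*)?", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, or of bare text such as 'www.paypal.com/x'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host_a, host_b):
    """Treat a host and its subdomains as one site (www.paypal.com ~ paypal.com).

    Simplification (assumption of this example): a production check would use
    the Public Suffix List so that 'evil.co.uk' is not a subdomain of 'co.uk'.
    """
    return host_a == host_b or host_a.endswith("." + host_b) or host_b.endswith("." + host_a)


def check_link(href, text):
    """Classify one anchor. Returns (verdict, text to display)."""
    if not URL_LIKE.fullmatch(text):
        return "ok", text            # "click here" style text: nothing to compare
    if same_site(host_of(text), host_of(href)):
        return "ok", text
    # The visible text claims one site, the link goes to another: show both.
    return "mismatch", f"{text} ({href})"


def check_mail(html_body):
    """Run check_link over every anchor in an HTML mail body."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [check_link(href, text) for href, text in parser.links]


# Constructed sample mail body; the two URLs in the first link are the ones
# quoted in the post above, the other two anchors are made up for contrast.
SAMPLE_MAIL = """<html><body>
<p>Please confirm your account:
<a href="http://reseller4.ultrawhb.com/~mrbouble/.public/login.html">https://www.paypal.com/row/vst/id=11791677P5757633F</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
or <a href="https://www.paypal.com/help">click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for verdict, display in check_mail(SAMPLE_MAIL):
        print(f"{verdict:8} {display}")
```

Comparing hosts rather than raw strings is the point: a link text of https://www.paypal.com/... over an href of http://paypal.com/... is legitimate, while a lookalike host such as paypa1.com, or www.paypal.com used as a subdomain of some other domain, is not. A host mismatch alone is still not proof of phishing: legitimate mailers routinely route links through click-tracking redirectors on their own domain, which is why the post says the signal should be combined with other criteria; what the rewrite does is make the real destination visible either way.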
Friday, February 23, 2007
Reflection on Jeremiah Grossman

Jeremiah is based out of San Jose, CA, is only 29 years old, and has spoken at numerous conferences all over the world including Black Hat, ISSA, ISACA, NASA, RSA, OWASP, AFITC, Stanford and many other industry events. His research, writings, and discoveries have been featured in USA Today, VAR Business, NBC, ABC News (AU), ZDNet, eWeek, BetaNews, etc. Below is a compilation of most of his work; it by no means covers his entire contribution.
Articles / Books:-
Ten Things You Should Know about Web Application Security
http://www.whitehatsec.com/downloads/WP10Things.pdf
The 80/20 Rule for Web Application Security
http://www.webappsec.org/projects/articles/013105.shtml
Chasing Vulnerabilities for Fun and Profit
http://www.whitehatsec.com/articles/chasing_vulnerabilities.shtml
Myth-Busting AJAX (In)Security
http://www.whitehatsec.com/home/resources/articles/files/myth_busting_ajax_insecurity.html
Myth-Busting Web Application Buffer Overflows
http://www.whitehatsec.com/articles/mythbusting_buffer_overflow.shtml
Pay Now or Pay Later: Obtaining ROI from Web Security
http://www.cunews.com/roundtable/WhiteHat3.pdf
Technology Alone Cannot Defeat Web Application Attacks
http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1189767,00.html
Insecure Web Sites
http://www.varbusiness.com/showArticle.jhtml?articleID=18825528
Thwarting SQL Web Hacks
http://www.varbusiness.com/showArticle.jhtml?articleID=18841325
Top 5 Myths of Web Application Security
http://www.varbusiness.com/showArticle.jhtml?articleID=22104030
Web Application Security 101
http://www.whitehatsec.com/articles/webappsec101.pdf
What Phishers Know That You Don't
http://www.betanews.com/article/What_Phishers_Know_That_You_Dont/1114784531
Cross-Site Scripting Worms and Viruses
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
Top 10 Web Hack of 2006
http://www.whitehatsec.com/home/resources/presentations/files/whitehat_top_hacks_06_F.pdf
Most of the recent ones are listed here:
http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html
Automated Scanner vs. The OWASP Top Ten
http://jeremiahgrossman.blogspot.com/2007/01/automated-scanner-vs-owasp-top-ten.html
He is also co-authoring a book on XSS, tentatively scheduled for release on March 1, 2007:
Cross Site Scripting Attacks: XSS Exploits and Defense
He also wrote the foreword for two books:-
Preventing Web Attacks with Apache
http://www.amazon.com/Preventing-Attacks-Apache-Ryan-Barnett/dp/
Hacking Exposed Web Applications, Second Edition
http://www.amazon.com/Hacking-Exposed-Web-Applications-Second/dp/
Contributions:-
Presentations:-
Hacking Intranet Websites from the Outside (Session code: HT2-107)
http://news.thomasnet.com/companystory/506356
Hacking Intranet Websites from the outside - "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Grossman
Phishing with super bait
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-grossman.pdf
Challenges of Automated Web Application Scanning
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf
Webserver Fingerprinting
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/BlackHat2002-Singapore.zip
The land that application security forgot
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt
Hacking Intranet Websites from the Outside with JavaScript Malware Dang (CSI NetSec)
https://www.cmpevents.com/CSINS7/a.asp?option=C&V=11&SessID=4896
StillSecure, After all these years, Podcast #28
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/01/episode_28_of_s.html
Cross-Site Tracing (XST)
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
Automated Scanners vs. Low-Hanging Fruit
http://jeremiahgrossman.blogspot.com/2007/02/automated-scanners-vs-low-hanging-fruit.html
Speaking engagements:-
Jeremiah Grossman TV interview with ABC News (AU)
http://www.youtube.com/watch?v=HPutgmAzgQA
ISSA NORCAL Systems Security Symposium 2004, Network Security Conference 2004 – Web Application Security Auditing
http://www.issa-sac.org/conferences/2004/presentations.php#
Black Hat 2006 - Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous"
http://www.blackhat.com/html/bh-japan-06/bh-jp-06-en-speakers.html#Grossman
Black Hat 2005 - Phishing with Super Bait
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#grossman
Black Hat USA 2004 - Panelist
http://www.blackhat.com/html/bh-usa-04/bh-usa-04-speakers.html
AITP Central Valley – Web Application Security
http://www.whitehatsec.com/presentations/AITP_CentralValley_062004.pdf
ISSA Sacramento 2004 – Auditing Web Applications
http://www.issa-sac.org/conferences/2004/presentations.php#
Blackhat Seattle 2004
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf
BlackHat Windows 2003 – Hacking Web Applications Training Class, Detecting Web Application Attacks Presentation
http://www.blackhat.com/html/win-usa-03/train-bh-win-03-wh.html
Blackhat New Orleans 2002 – Web Application Security and Arsenal
http://www.blackhat.com/presentations/win-usa-02/grossman-winsec2002.ppt
Blackhat Europe 2001 – Web Application Security
http://www.blackhat.com/presentations/bh-europe-01/jeremiah-grossman/bh-europe-01-grossman.ppt
Air Force Information Technology Conference 2001, Web Application Security
http://www.whitehatsec.com/presentations/AFITC_2001/afitc_2001.ppt
DefCon Las Vegas 2001 – Web Application Security in Theory and Practice
http://www.whitehatsec.com/presentations/Defcon9_2001/defcon9_presentation2001.ppt
Speaker and Panelist for the Web Application Security Forum (Tokyo, Japan) - “WASC Activities and U.S. Web Application Security Trends”
http://www.whitehatsec.com/presentations/WASC_WASF_1.02.pdf
Blackhat Singapore 2002 – Web Server Fingerprinting - "A first look into web server fingerprinting"
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-grossman.pdf
Podcast with ITRadio (Risky Business #1)
http://www.itradio.com.au/?p=6
Credit Union Information Security Conference Panelist 2004
http://www.cunews.com/infosec.htm
Washington Software Alliance 2003 / ISSA Puget Sound 2003 / Blackhat Federal 2003 / SuperCIO 2003 / NASA AMES 2003 – Challenges of Automated Web Application Scanning
http://www.whitehatsec.com/presentations/NASA_AMES_2003_v1.0.ppt
ISSA San Diego – Auditing Web Applications
http://www.whitehatsec.com/presentations/Auditing-Web%20Applications.pdf
ToorCon San Diego 2001 (Couldn’t find the url)
Proof of concepts:-
Intranet Hacking
http://jeremiahgrossman.blogspot.com/2006/09/video-hacking-intranet-websites-from.html
Browser Port Scanning without JavaScript
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html
Bypassing Mozilla Port Blocking
http://jeremiahgrossman.blogspot.com/2006/11/bypassing-mozilla-port-blocking.html
I know if you're logged-in, anywhere
http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html
I know where you’ve been
http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html
Goodbye Applet, Hello NAT'ed IP Address
http://jeremiahgrossman.blogspot.com/2007/01/goodbye-applet-hello-nated-ip-address.html
JavaScript Array Overwriting - Advanced Web Attack Techniques using GMail
http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
Tools written by him:-
WhiteHat Webserver Fingerprinter (no longer available)
http://www.whitehatsec.com/presentations/Black_Hat_Singapore_2002/wh_webserver_fingerprinter.tgz
Scoring Tool CIS for the Apache Benchmark
http://www.cisecurity.org/bench_apache.html
WhiteHat Arsenal (no longer available)
Memberships:-
WASC Co-Founder
Blog:-
http://jeremiahgrossman.blogspot.com
Website:-
www.whitehatsec.com
Companies worked for:-
Amgen, Yahoo, WhiteHat
Email:-
jeremiah__at__whitehatsec__dot__com
He is a man of ideas and thinks differently from others. His blog is amongst the most followed blogs in information security. A must-follow figure in web application security for staying current with emerging threats and news.
Last Week – RSnake
Next Week – Ivan Ristic
Tuesday, February 20, 2007
Compliance - is it worth the money?
http://bestsecurity.blogspot.com/2007/02/compliance-audit-is-not-substantive.html
Though it was more of a rant about compliance, it certainly made me think about my experience with PCI compliance.
I do agree that compliance has a place in the industry. In my experience, had it not been for compliance, many companies would not have paid attention to web application security at all. Unfortunately, many product managers or project managers (in big enterprises) still do not understand the issue of web application security (or should I say don't want to understand), and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself keeps them from going for the solutions. Compliance, in a way, is forcing them to do something about it. However, the problem starts with the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea, forcing companies to secure customer information, but then they lost focus along the way. It is OK as long as you are making sure that the network and the applications aren't vulnerable, but when you want to force a company to have a source code audit done by an independent third party, that is where it gets ridiculous.
What about companies that don't want to reveal their source code? What if it is proprietary software? Can I trust the company that is doing my source code audit, and more importantly, can I trust the person who is doing my source code audit? We have seen cases of HackerSafe certifying websites as safe from hackers, and we have seen cases of bank employees (who are the guardians of the customer information) selling that very customer information to outside agencies. Who can I trust? Not to mention, what guarantee is there that the person doing the source code audit has enough knowledge of the language, and more importantly, where are the secure coding guidelines for us to follow?
The sheer cost of web application security compliance, including black box testing, white box testing, source code analysis, a web application firewall, etc., will run into hundreds of thousands of dollars (as we saw at the RSA Conference), not to mention the amount you have to pay the auditors.
The other ugly side of compliance is the auditing companies. For PCI compliance, there are far too many companies doing audits, at prices ranging from $1000 to $13000. This confused me in the beginning, and I started asking what the value addition was for the extra money. After doing a lot of research, I found out it's not about value addition for the extra money, it's about saving your neck. When you can buy a compliance certificate for $1000, why would you want to pay $13000? Of course, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.
I am sorry to say, but compliance has become just another way for auditing companies to make money, and the real message has gotten lost.
Thursday, February 15, 2007
Reflection on RSnake

"I'm a college dropout but was studying Computer Engineering. It was way too boring. They were dealing with the theoretical nuances of computers and outdated technology (Pascal pseudo-code on Macintosh assembler). At the same time that I was going to school, in my part time jobs I was doing in practice what my professors could only barely grasp from a theoretical perspective. This was pre-bubble and my parents and my teachers were telling me to get out there and make my millions. I took angel funding for a project, and everything seemed to be going well, but then the stock market crashed, investment money dried up and I learned a hard lesson. It was the day I closed up shop at my own company that I learned everything I need to know about business.
My first Perl script was a top100 list for webfringe.com (long gone now). I had a lot of people trying to hack it. It was a fun experiment that I finally gave up on due to time issues, but it gave me a lot of insight into how you can spoof traffic. Hackers have some of the most interesting traffic on the Internet. It's a pleasure to host security sites, because I get great visibility into the techniques and tools."
RSnake is currently based out of California but is planning to move to Texas and start his own company, SecTheory. At the WASC meetup I got a chance to meet him, and for a person who is known and respected by hackers and security professionals alike, he is very down to earth and has a good sense of humor, unlike the typical geek. Below are some of his contributions to the webappsec community. I say some because the information below does not represent all his work. Even he has lost track of some of his work over the years.
PGP Man in the Middle Attack
AcuTrust Entropy Attacks
Hardening HTAccess, Part One
Hardening HTAccess, Part Two
Hardening HTAccess, Part Three
Accessing Trillian Pro Remotely and Through an Encrypted Tunnel
Death By 1000 Cuts – a Case Study
http://ha.ckers.org/deathby1000cuts/
Is your money safe?
http://ha.ckers.org/old/
Electronic Commerce Insecurity
http://ha.ckers.org/old/10102002.shtml
Internet Mind Games
http://ha.ckers.org/old/07221998.shtml
Apache Information Disclosure Issues or, "How to detect cloaking"
http://www.secureseo.com/blog/2006/04_07_apache_information_disclosure_issues.html
Cross Site Scripting Attacks: XSS Exploits and Defense
Tools written by him:-
Fierce
http://ha.ckers.org/fierce/
MHTML framework
http://ha.ckers.org/weird/mhtml.zip
XSS fuzzer
http://ha.ckers.org/fuzzer/XSSFuzz.zip
Contributions:-
Blogs:-
Web Application Security Blog
http://ha.ckers.org/
Snake Bytes
http://www.darkreading.com/blog.asp?blog_sectionid=403
He has started many security-related sites, but these two are the most popular.
To discuss any aspect of web application security:
http://sla.ckers.org
Memberships:-
ISSA, CISSP, OWASP, WASC, IASCP. He is also working on something to certify web application security engineers.
Email:-
We will see a lot more contributions from him, as he is working on some very cool stuff, and if you want to stay on top of webappsec then make http://ha.ckers.org/ the first site you visit. I wish him all the best in his new endeavor.
Last Week – Amit Klein
Next Week – Jeremiah Grossman
Tuesday, February 13, 2007
I don't want a product, I want a solution
read the entire article here
Thursday, February 08, 2007
Reflection on Amit Klein

Based out of Israel, he started back in 1997 with Perfecto Technologies (which later became Sanctum), mostly heading security research activities. Sanctum was acquired by Watchfire in 2004, which is when he left Sanctum / Watchfire. He is currently the CTO of a security company.
Below you will find a list of his articles, contributions, presentations and other details.
Articles:-
A Refreshing Look at Redirection
http://www.securityfocus.com/archive/1/450418
Sending arbitrary HTTP requests with Flash 7/8 (+IE 6.0)
http://www.securityfocus.com/archive/1/443391
Under some conditions, it's possible to steal HTTP credentials using Flash
http://www.securityfocus.com/archive/1/443191
Forging HTTP request headers with Flash
http://www.securityfocus.com/archive/1/441014
IE + some popular forward proxy servers = XSS, defacement (browser cache poisoning)
http://www.securityfocus.com/archive/1/434931
Path Insecurity
http://www.webappsec.org/lists/websecurity/archive/2006-03/msg00000.html
HTTP Response Smuggling
http://www.securityfocus.com/archive/1/425593
Domain Contamination
http://www.webappsec.org/projects/articles/020606.txt
XST Strikes Back
http://www.securityfocus.com/archive/1/423028
Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more...
http://www.securityfocus.com/archive/1/411585
Detecting and Preventing HTTP Response Splitting and HTTP Request Smuggling Attacks at the TCP Level
http://www.securityfocus.com/archive/1/408135
NTLM HTTP Authentication is Insecure by Design
http://www.securityfocus.com/archive/1/405541
Can HTTP Request Smuggling be blocked by Web Application Firewalls
http://www.webappsec.org/lists/websecurity/archive/2005-06/msg00123.html
DOM Based Cross Site Scripting
http://www.webappsec.org/projects/articles/071105.html
Meanwhile, on the other side of the web server
http://www.itsecurity.com/security.htm?s=3957
HTTP Request Smuggling (with Chaim Linhart, Ronen Heled and Steve Orrin)
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
The Insecure Indexing Vulnerability - Attacks Against Local Search Engines
http://www.webappsec.org/projects/articles/022805-clean.html
Detecting and Testing HTTP Response Splitting Using a Browser
http://www.securityfocus.com/archive/107/378523
Blind XPath Injection
http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf
Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Other Topics
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Secure Coding Practices for Microsoft ASP.NET
http://www.cgisecurity.com/lib/WhitePaper_Secure_Coding_Practices_VSdotNET.pdf
XS(T) attack variants which can, in some cases, eliminate the need for TRACE
http://www.securityfocus.com/archive/107/308433
Cross Site Scripting Explained
http://crypto.stanford.edu/cs155/CSS.pdf
Hacking Web Applications Using Cookie Poisoning
http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf
Contributions:-
OWASP Guide to Building Secure Web Applications
http://internap.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf
WAFEC
http://www.webappsec.org/projects/wafec/
WASC's Threat Categorization (TC)
http://www.webappsec.org/projects/threat/
Co-lead the WASC articles project
http://www.webappsec.org/projects/articles/guidelines.shtml
Presentations:-
OWASP AppSec Europe Conference 2006 – “HTTP Message Splitting, Smuggling and Other Animals”
CERT 2002 Conference, August 2002 - "WWW Forensics"
FM'99 Congress, September 1999 - "A Perfect Verification: Combining Model Checking with Deductive Analysis to Verify Real-Life Software"
Memberships:-
Amit is a WASC officer and board member.
Companies worked for:-
Sanctum, Cyota (RSA security)
Education:-
B. Sc. Mathematics and Physics
Email:-
aksecurity__at__gmail_dot_com
And it doesn't end here; you will see a lot more coming from him. He is a must-follow figure in the webappsec field.
Next Friday – Reflection on RSnake
Wednesday, February 07, 2007
WASC meetup during RSA conference
You can view more pictures at Jeremiah's blog