Web Site Security - Articles

  • Cross Site Scripting – The Underestimated Exploit
    Jacques Guillaumier, Acunetix, September 2007 - This article describes the Cross Site Scripting vulnerability, explains how it comes about, and offers a solution to prevent it.

  • Web Services - The Technology and its Security Concerns
    Jacques Guillaumier, Acunetix, May 2007 - This white paper examines the technology behind Web Services, how the system is made available to the user, and the way connections are made to back-end (and therefore sensitive) data. These different elements come together to make Web Services a portal for users to access data, but also provide different entry points which may be exploited for illegitimate purposes.

  • Security's Top Five Priorities
    Dark Reading, May 2007 - What keeps you awake at night? For security professionals, the awake-at-night issues keep changing. Dark Reading have done some research on security professionals' current concerns, and those they foresee in the immediate future. The following is a synopsis of what they found.

  • Web app exploits biggest hacking target in 2007
    SC Magazine, February 2007 - Remotely exploitable vulnerabilities will be the most widespread global threat vector this year due to the lack of effective security, according to an expert at global security vendor, Secure Computing.

  • How safe is your business online?
    ITWales, December 2006 - Internet crime can seriously damage your business. Trust me, I've seen it happen. I've been a police officer for thirty years and for the last five, I have worked for the National High Tech Crime Unit, now part of SOCA, and Get Safe Online.

  • Gartner: $2 Billion in E-Commerce Sales Lost Because of Security Fears
    eWeek, November 2006 - According to a Gartner survey, in 2006 alone retailers lost almost $2 billion because of consumer security fears: about one-half of those losses ($913 million) came from people who avoided sites that seemed less secure, and the rest (about $1 billion) from consumers who were too afraid to conduct e-commerce business at all.

  • Web application security audits
    security.itworld.com, September 2006 - In this article, James Gaskin discusses the importance of web application security: "Leaving your Web applications insecure makes no more sense than building a brick wall but using a gate made from chain link fencing."

  • Security Watch: JavaScript plus AJAX equals trouble
    ZDNet Reviews, August 2006 - In this article, Robert Vamosi discusses AJAX and cross-site scripting attacks using JavaScript executed on the desktop browser.

  • ID Theft - Name, Rank And Social Security Number
    SecurityPro News, July 2006 - Identity theft is the fastest growing crime in the U.S. The U.S. Secret Service has estimated that consumers nationwide lose $745 million to identity theft each year.

  • Hackers have upper hand in fight against computer crime
    The Age, June 2006 - Computer hacker attacks on banks and other financial institutions increased by 300 per cent last year but the skills to fight them are in short supply, a report says.

  • Keep your Web applications secure
    TechRepublic, May 2006 - Web-based applications are the portal of choice for mischief and illegal entrance to your organization's network. That's why you need to defend your network by arming yourself with the knowledge of how attacks occur, and learn how to fix the problem before someone finds holes in your network security armor.

  • Five common Web application vulnerabilities
    SecurityFocus, April 2006 - This article looks at five common Web application attacks, primarily for PHP applications, and then presents a case study of a vulnerable Website that was found through Google and easily exploited.

  • Are Network Security Devices Really Protecting your Web Applications?
    SecurityPark, March 2006 - Web applications are delivering critical information to a growing number of employees and partners. Most organizations have already invested heavily in network security devices and so often believe they are also protected at the application layer; in fact they are not. This article by Eric Battistoni discusses the myths surrounding network security devices and their ability, or lack of it, to protect against web application attacks.

  • Domain Contamination
    Web Application Security Consortium, February 2006 - This write-up by Amit Klein describes an attack that exploits an inherent flaw of the client-side trust model in the context of cyber-squatting and domain hijacking, or in general, in the context of obtaining temporary ownership of a domain (or major parts of it, e.g. defacing the main page). Put simply, the idea explored is to force long-term caching of malicious pages so that they remain in effect even after the domain returns to its rightful owner. Various attack vectors are discussed, as well as possible protection techniques. While previous works hinted at the possibility of such an attack, it is worthwhile to discuss this attack in depth and to refute the common misconception that cyber-squatting, domain hijacking and similar attacks do not have a long-lasting effect.

  • Web applications are easy targets
    Vnunet, January 2006 - Business software vendors are getting their security act together, but web apps remain a cause for concern. Tim Anderson writing for IT Week discusses security issues associated with web applications.

  • SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored
    Sys-Con (BR), January 2006 - "You'd think that by now we'd have learned to lock down our code so as to prevent SQL injection attacks, but apparently this is not the case," Ben Forta explains what a SQL injection attack is and how to prevent it.

  • Eight steps for integrating security into application development
    Computerworld, December 2005 - Article by Ruby Qurashi. "Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer."

  • Google also a hacker ally
    SCMagazine, November 2005 - Article by Frank Washkuch Jr. "One of a PC user's best friends – search engine superpower Google – could become an enemy tool if used by hackers, online security experts have warned."

  • New Path Of Attack
    InformationWeek, November 2005 - Article by Thomas Claburn. "Just when patching showed progress against the worst security threats, cybercriminals shift their focus. A report on the 20 most-critical Internet security vulnerabilities for 2005, released last week by the SANS Institute in conjunction with government representatives from the United States and the United Kingdom, shows an unsettling shift. While most hacking between 1999 and 2004 targeted operating systems and Internet services on Web servers and E-mail servers, that changed this past year. Now, applications and network devices' operating systems have become the primary targets."

  • Protect your Web site against path traversal attacks
    SearchSecurity.com, October 2005 - "Web servers generally are set up to restrict public access to a specific portion of the Web server's file system, typically called the "Web document root" directory. This directory contains the files intended for public access and any scripts necessary to provide Web application functionality." In this article, Michael Cobb describes what is known as a directory or path traversal attack. This occurs when an intruder manipulates a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including those lying outside the document root directory. Path traversal attacks take advantage of special-character sequences (such as "../", often URL-encoded) in URL input parameters, cookies and HTTP request headers.
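    As an added example (not code from the SearchSecurity article or from this page), the mechanism summarised above in runnable form: a naive file handler that concatenates a request parameter onto the document root, beside a hardened handler that canonicalises the requested path and refuses anything resolving outside that root, plus a small check for encoded ".." sequences of the kind found in parameters, cookies and headers. The document root, its files, the "secret" file outside it and the `page` parameter are all constructed for the demo.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path

# Constructed layout for the demo: a document root ("htdocs") and one file
# that sits OUTSIDE it and must never be served.
BASE = Path(tempfile.mkdtemp(prefix="pt_demo_")).resolve()
DOC_ROOT = BASE / "htdocs"
DOC_ROOT.mkdir()
(DOC_ROOT / "index.html").write_text("<h1>public page</h1>\n")
SECRET = BASE / "secret.txt"
SECRET.write_text("db_password=hunter2\n")


def serve_vulnerable(page: str) -> str:
    """Naive handler: trusts the 'page' parameter and joins it onto the root.

    '../secret.txt' walks out of the document root; '%2e%2e%2fsecret.txt'
    does the same after the server URL-decodes it; an absolute path such as
    '/etc/passwd' replaces the root entirely when joined with pathlib.
    """
    path = DOC_ROOT / urllib.parse.unquote(page)
    return path.read_text()


def serve_hardened(page: str) -> str:
    """Hardened handler: decode once, reject NUL bytes, then compare the
    canonical (symlink- and '..'-free) path against the canonical root."""
    decoded = urllib.parse.unquote(page)
    if "\x00" in decoded:  # NUL truncation trick, never legitimate in a URL path
        raise PermissionError("NUL byte in requested path")
    target = (DOC_ROOT / decoded).resolve()
    # The resolved target must be the root itself or a descendant of it.
    if target != DOC_ROOT and DOC_ROOT not in target.parents:
        raise PermissionError(f"path escapes document root: {decoded!r}")
    return target.read_text()


def looks_like_traversal(value: str) -> bool:
    """Input check usable on any parameter, cookie or header value: peel up
    to two layers of URL encoding (catches %2e%2e%2f and the double-encoded
    %252e%252e%252f), normalise backslashes, and flag any '..' segment."""
    v = value
    for _ in range(2):
        v = urllib.parse.unquote(v)
    v = v.replace("\\", "/")
    return any(segment == ".." for segment in v.split("/"))


if __name__ == "__main__":
    print("vulnerable, ../secret.txt  ->", serve_vulnerable("../secret.txt").strip())
    print("vulnerable, %2e%2e%2fsecret.txt ->",
          serve_vulnerable("%2e%2e%2fsecret.txt").strip())
    for attempt in ("index.html", "../secret.txt", "%2e%2e/secret.txt", "/etc/passwd"):
        try:
            print("hardened,", attempt, "->", serve_hardened(attempt).strip())
        except (PermissionError, FileNotFoundError) as exc:
            print("hardened,", attempt, "-> refused:", exc)
    for v in ("images/logo.png", "%252e%252e%252fsecret.txt"):
        print("traversal?", v, "->", looks_like_traversal(v))
```

The comparison is done on the resolved path rather than on the raw string, so symlinks inside the document root that point outside it are caught as well; a string-prefix check on an unresolved path would miss those.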

  • SQL Injection Attack and Defense
    SecurityDocs.com, September 2005 - Today many businesses, governments and society in general depend a great deal on web applications. Web applications are accessed over the Internet and so face the risks associated with its use. These risks are evident in the increasing number of incidents reported on web security sites. All our important information assets are at risk as attackers break into computer systems more and more often. This paper by Sagar Joshi focuses on educating security professionals about the risks associated with this situation and aims to give a brief understanding of the various kinds of attacks that could be launched.

  • Black Holes: Emerging Web app security devices and products bring source code vulnerabilities to light
    SearchSecurity.com, September 2005 - "Are your Web applications secure? Online business apps, which are wide open at port 80, put that question to the test daily." In this article, James Foster points out that if companies don't lock down their web apps, security risks will increase as corporate dependency on Internet and intranet applications rises, along with site complexity, language depth and overall functionality.

  • An Applications View on Security
    eWeek, December 2004 - "The only completely secure application is one that accepts no input from the outside and offers no access to data." Security must be built into applications from the lowest level upward. Peter Coffee points out that even though a current application may be securely designed, an earlier version—perhaps accessible in a poorly secured archive—may give an attacker all the information needed to overcome that improvement.

  • Don't let development pressures cut short security testing procedures, warn experts
    ComputerWeekly.com, November 2004 - Security vulnerabilities discovered on the online bank Cahoot and on Morgan Stanley's credit card website, which were remedied by the companies as soon as they were discovered, had left customers' personal data accessible on the internet. The incidents raised questions over the priority organisations give to testing when they roll out or upgrade internet services. In his article, Bill Goodwin discusses how the vulnerabilities could have been prevented.

  • Ten questions to ask about application security systems
    Computerworld, November 2004 - "Robust application security is necessary to ensure Web site availability and to protect sensitive customer and corporate data and application-enabled revenue." However, there's growing confusion about what constitutes application security and how it's achieved. In this article, Abhishek Chauhan presents 10 questions to help you evaluate whether a product delivers true application protection.

  • Google Hacking Mini Guide
    Johnny.ihackstuff.com, May 2004 - "Described by some as the best personal productivity tool since the word processor, Google's search engine has been embraced by the masses as an incredibly useful tool. However hackers, identity thieves and even terrorists can also leverage Google as a personal productivity tool." The Google Hacking Mini Guide by Johnny Long outlines the more harmful applications of the Google search engine, techniques that have collectively been termed "Google hacking". In his article he aims to educate web administrators and the security community in the hope of eventually stopping this form of information leakage.

Articles on Website Security

Cross Site Scripting - XSS - The Underestimated Exploit
Microsoft UK Events Website Hacked
Web Applications: What are they? What of them?
The JavaScript Engine of Acunetix WVS
Payment Card Industry Data Security Standard (PCI) Compliance
Web hacking: An underestimated threat
Web Application Security
Web Server Security and Database Server Security
The True Nature of Web Application Security: The Role and Function of Black Box Scanners
Ajax security: Are AJAX applications vulnerable to hack attacks?
SQL Injection: What is it?
Web Security Scanning
How to check for SQL injection vulnerabilities
Cross Site Scripting Attack
CRLF Injection Attack
Directory Traversal Attacks
Authentication Hacking Attacks
Google hacking
PHP / SQL Security - Part 1
PHP / SQL Security - Part 2
PHP / SQL Security - Part 3
PHP / SQL Security - Part 4
PHP / SQL Security - Part 5
PHP / SQL Security - Part 6

White Papers on Web security

The Payment Card Industry Compliance - Securing both Merchant and Customer data.
Web Services - The Technology and its Security Concerns
PHP and SQL Security by Andrew J. Bennieston
Are AJAX Applications Vulnerable to Hack Attacks? The importance of Securing AJAX Web Applications
Auditing Your Web Site Security with Acunetix Web Vulnerability Scanner
The Importance of Web Application Scanning