Whitepapers
An Executive Guide to Web Application Security
More and more companies are relying on Web-based applications to provide online services to their employees, to support e-commerce sales and to leverage portals, discussion boards and blogs that help staff better communicate with customers, partners and suppliers. However, as the number and complexity of Web applications have grown, so have the associated security risks. With increasing frequency, incidents of Web application breaches resulting in data theft are popping up as front-page news. And such attacks now have more serious consequences than ever before. In this paper we will explore the people, processes and technologies necessary to implement effective Web application security programs.
Dangling Pointer
It is well known that a Dangling Pointer bug can be exploited for arbitrary remote code execution or for information leakage, but nonetheless many developers refer to it only as a quality problem, and even many security experts do not consider it to be a severe security issue. In reality, however, this problem is every bit as dangerous as buffer overflows. This paper will present instructions for researching and exploiting Dangling Pointer vulnerabilities, using a real-world IIS vulnerability as an example.
Overtaking Google Desktop
This paper describes an innovative attack methodology against Google Desktop which enables a malicious individual to achieve not only remote, persistent access to sensitive data, but full system control as well. In this paper Watchfire describes the methodology of attack and a valid use case. We include a description of the basic technique and some theoretical outcomes. Finally, we provide fix recommendations that are appropriate for Google Desktop, as well as for other Web based applications.
Watchfire Vantage Point
New research from the Hurwitz Group has identified that one area of security that has been overlooked for far too long is application security: organizations need to ensure that the software applications they deploy do not contain vulnerabilities that hackers can exploit. The imposition of new regulations, together with the increasing proportion of business applications that are web-enabled, has made these applications more exposed to outsider attack, since they now form the perimeter of the enterprise. In this paper the Hurwitz Group highlights the need to better manage application security and provides an overview of how Watchfire's AppScan can help address this critical and growing problem.
Testing Privilege Escalation in Web Applications
Privilege Escalation vulnerabilities in web applications have existed since the earliest days of web applications, yet since testing for them is such a complicated and tedious manual task, they are often overlooked in web application assessments. Privilege Escalation means exploiting a bug in an application in order to procure resources which are intended to be inaccessible, or accessible only to users with higher access privileges. This paper will examine Privilege Escalation issues in web applications, including highlighting horizontal and vertical examples, and how to automate the challenging process of testing for them.
Bentley-Watchfire® Survey of Online Privacy Practices in Higher Education
Because many colleges and universities now use the Internet to process electronic applications and other types of e-commerce transactions, privacy has emerged as an important risk management issue for higher education. This study represents a benchmark of online privacy practices in higher education, based on a survey of the top 236 doctoral universities and national liberal arts colleges from the 2004 U.S. News and World Report list of best colleges. The survey is based on a content analysis of online privacy notices, and Watchfire's WebXM™ Privacy module was used to assess whether or not these sites engaged in practices that may pose privacy risks. The automated audit focused on three types of privacy risks: privacy statement use, data collection forms and cookies.
Web Risk Exposure - Don't Forget Your Intranet
Intranets are an efficient, effective way to communicate, store knowledge and generally boost employee productivity. But they are often loaded with confidential, sensitive and even inappropriate content that needs to be monitored and managed to mitigate risk. This paper will discuss the risks associated with the intranet and will provide best practices to help defend against threats.
Web Application Security: Automated Scanning or Manual Penetration Testing?
As web applications become increasingly complex, tremendous amounts of sensitive data - including personal, medical and financial information - are exchanged and stored. The consumer not only expects, but demands, security for this information. But securing a web application goes far beyond testing the application using manual processes or automated systems and tools. It begins in the conceptual phase, by modeling the security risk introduced by the application as well as the countermeasures to be implemented. Security should be thought of as another quality vector of every application, analyzed and considered through every step of the application lifecycle. The purpose of this paper is to examine a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools.
Methodologies & Tools for Web Application Security Assessment
Web application security assessments are a crucial phase in the development lifecycle of any web application. The process of assessing a web application should be handled using the same approach as any other testing (e.g., Unit testing, Quality Assurance, etc.). A well-documented methodology should be followed carefully, and in most cases, the use of automated tools will speed up the process. This whitepaper suggests a methodology for web application security assessments, as well as an explanation on how to use automated tools for accelerating the assessment process.
Cross-Site Scripting Explained
Cross-Site Scripting (XSS) is one of the most common application-level attacks that hackers use to sneak into web applications today. The goal of the XSS attack is to steal the user's cookies, or any other sensitive information that identifies the user to the website. With the token of the legitimate user at hand, the attacker can proceed to act as that user in his/her interaction with the site. This paper will discuss how traditional XSS attacks are performed, how to secure your site against these attacks, and how to check whether your site is protected.
Hacking Web Applications Using Cookie Poisoning
Cookie poisoning is a known technique mainly for achieving impersonation and breach of privacy through manipulation of session cookies, which maintain the identity of the user. By forging these cookies, an attacker can impersonate a valid user, and thus gain information and perform actions on behalf of the victim. The ability to forge such session cookies (or more generally, session tokens) stems from the fact that the tokens are not generated in a secure way.
In this paper, we explain why session management (and session management security) is a complex task. We describe how the tokens are generated for two commercial application engines. We then analyze the strength of each mechanism, explain its weakness and demonstrate how such weakness can be exploited to execute an impersonation/privacy breach attack. We discuss the feasibility of the attack and finally, we recommend an approach to session management which separates the security from the functionality - the latter is carried out by application engines, while the former should be provided by a dedicated application security product.
Brown University 2005 E-Government Study
Brown University recently analyzed 71 U.S. federal government agency websites for quality and accessibility problems. To measure these problems, Brown used the quality and accessibility modules of Watchfire's WebXM platform.
The Future of eGovernment (Forrester report)
Federal agencies, including the National Science Foundation, the Internal Revenue Service and the Department of Commerce, were quick to jump on the Internet bandwagon. Their initial efforts delivered better access to information and reduced service costs. Looking toward the future, Forrester sees significant opportunities in eGovernment as agencies address obstacles like persistent agency silos and the eroding IT workforce. Over time, agencies will obtain sustainable results from eGov initiatives by adopting best practices like addressing process change before implementing technologies and providing integrated services through multi-agency portals.
Security and Regulatory Compliance: Don't Forget Your Intranet (IDC Viewpoint)
Intranets exist in all sizes, shapes and forms. They can increase organizational efficiency and productivity by providing 24x7 access to data and applications. Companies can offer employees self-service operations, and intranets can also provide financial benefits by reducing costs associated with printing or distributing data. However, a large percentage of the information produced by organizations becomes outdated relatively quickly and must be replaced or updated. This is a double-edged sword -- if the old data isn't removed, it can eat up intranet resources, create confusion and become an avenue for data loss or policy violation.
The rise in regulations requires all organizations to audit their intranets for security and regulatory compliance. According to IDC, intranet audits should have three steps -- discovery, usage analysis and security. Enterprises must look at the corporate intranet not just as a useful tool but also as a strategic asset that must be managed like all other strategic assets. The intranet adds value to the company, but it must be cost-effective, secure and relevant.
Responsible for a Financial Services Website? What Every Executive Needs to Know About Website Security
Who's responsible if there's a privacy or security breach on your website? If you're thinking to yourself, "my security team", you're wrong! As the business owner of a website, you're responsible for many things, from increasing customer acquisition and improving retention to lowering the cost of service. But how can you foster growth in the online channel if it's not a safe and sound place for your customers to do business?
This whitepaper sets out to:
- Offer more detail on Watchfire's recent survey methodology and results;
- Provide an overview of four common web application attack techniques;
- Explain why defending against attacks is difficult, but not impossible; and,
- Suggest how business owners can initiate a dialogue among their security and development teams to improve their organization's online risk management strategy.
Addressing Challenges in Application Security
Today's web application attacker can use your own applications to expose, embarrass and steal from you. Firewalls and SSL are commonplace yet, according to recent studies, three out of four websites are vulnerable to attack, and the vast majority of these attacks are application security attacks. Companies rely on network and host security, but often these measures are simply not enough to prevent these web application attacks.
Application security is different from network and host security. The traditional approaches used to implement network and host security do not apply at this level. This paper will tell you why, what to do about it, and provide a roadmap for improving your own application security.
HTTP Request Smuggling
HTTP Request Smuggling, a new web entity attack technique recently discovered by Watchfire, works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g., cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. It enables various attacks - web cache poisoning, session hijacking, cross-site scripting and most importantly, the ability to bypass web application firewall protection.
The details described in this paper will help web application owners, developers and researchers to understand the damage that may be caused by hackers who use these techniques, and to better defend and protect their web applications against such attacks.
Privacy Trust Survey for Online Banking Report
The first Privacy Trust Survey for Online Banking, sponsored by Watchfire and conducted by the Ponemon Institute, reiterates a fact that executives instinctively know -- customers who have a high level of trust in their bank are more likely to do a variety of their banking tasks online, such as automated bill payment or applying for new products or services. Consumers with a high level of trust in their primary bank are loyal, and in fact, 55 percent of "trusting consumers" have never visited another bank's website.
However, 57 percent of consumers with high trust in their primary bank state they would cease all online services in the event of a single privacy breach. Clearly, trust is becoming the vital component in customer loyalty and brand strength, and successfully managing privacy issues creates opportunities to improve customer acquisition and retention.
Compliance in an Online Environment
Organizations operating on the Internet -- whether in the commercial or public sector -- face a growing number of regulations and legislation. Rules governing online privacy and data security, as well as accessibility, are becoming more detailed and are being increasingly enforced by European regulators. This whitepaper highlights key legislation and the challenges organizations face when it comes to ensuring their online presence complies with global laws and regulations.
Blind XPath Injection
Blind XPath Injection allows an attacker to extract a complete XML document used for XPath querying without prior knowledge of the query. The attack makes use of two techniques - XPath crawling and Booleanization of XPath queries - and is considered "complete" since all possible data is exposed. This attack enables the attacker to get hold of the XML "database" used in the XPath query, which can be powerful against sites that use XPath queries (and XML "databases") for authentication, searching and other uses. This paper describes the concept of a Blind XPath Injection and provides suggestions for defending against these types of attacks.
HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
"HTTP Response Splitting" is a new application attack technique which enables various new attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and an old favorite, cross-site scripting (XSS). This attack technique, and the attacks derived from it, are relevant to most web environments and are the result of the application's failure to reject illegal user input, in this case, input containing malicious or unexpected characters. This paper describes the concept of the attack and provides some use cases.
The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. What hackers know is that vulnerabilities in web applications -- those forms you use to collect personal, classified and confidential information -- present the easiest access to data you thought was safe and secure. With little more than a web browser and a few hours of spare time, hackers interact with your web applications in malicious ways until they find that vulnerability. This paper identifies the most common methods of attacks that we have seen and outlines a guideline for developing secure web applications.
State and Federal E-Government in the United States, 2004
Researchers at Brown University have released their fifth annual e-government analysis on the accessibility of federal and state websites. Using Watchfire's Bobby software, researchers determined 42 percent of federal sites and 37 percent of state sites meet the World Wide Web Consortium (W3C) disability guidelines.
Developing and Deploying Secure Web Applications
Never before has application security across the entire development lifecycle been so critical. According to Gartner Group, 75% of hacks now occur at the application level, and 3 out of 4 business websites are vulnerable to attack. To build and deploy secure web applications, you need to create 'hacker resistant' business logic in the development environment, test quality in the QA/staging environment, and enforce security and compliance through internal and external audits.