RE: [WEB SECURITY] application attacks
- From: "Andre Maisonneuve" <Andre.Maisonneuve@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] application attacks
- Date: Mon, 17 Jul 2006 19:44:39 -0400
Hi, Antoine!
Trying to protect applications by protecting the communication network (which is what you describe in your text) is not operating at the right layer: protecting applications must be done at the application layer, not at the transport layer. Furthermore, developers can ensure that only authorized applications can send data to this application, that all applications are authenticated and cannot be impersonated, and that all communications are encrypted going in and out of the applications.
regards
Andre
________________________________
From: AF [mailto:newsalaksa@nxtg.net]
Sent: Mon 17/07/2006 3:25 PM
To: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] application attacks
Hi there!
I think the mistake is in this sentence:
> Now, every developer knows how to
> protect their web applications against application attacks such as SQL
> Injection, XSS, HTTP smuggling, and others. So could someone give me some
> clear image about that. What's wrong?
The question is "Who's wrong ?"
The answer is : You. : )
That's a fact: many web developers still don't know how to implement security
principles. Many don't even know security principles exist!
So when it comes to SQL injection, XSS, splitting, applogic, and so on... well... there's
still a lot of work ahead of us to do. This applies to almost every industry!
Pentesting, for fun, but also teaching and spreading the information around us,
as much as we can. That's it. That's what we can (have to?) do.
@ntoine
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
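Added example (not part of the original thread, and not code from either poster): Andre's point is that an attack such as SQL injection travels inside the application payload, so an encrypted or authenticated channel delivers the malicious input byte for byte and the fix has to live in the code that builds the query. The block below contrasts a login check that concatenates user input into SQL with one that uses a parameterized query, run against a constructed in-memory SQLite table with two invented users. The table, user names and the `login_*` function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic tautology payload: closes the quoted string, adds an always-true
# clause, and comments out the rest of the statement with "--".
INJECTION_PAYLOAD = "' OR '1'='1' --"


def make_db():
    """Create an in-memory users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text.

    Whatever transport carried `username` and `password` (plain HTTP,
    TLS, a mutually authenticated tunnel), the query parser sees the same
    string, so the channel provides no protection here.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, username, password):
    """Application-layer fix: bound parameters keep data out of the SQL grammar.

    The driver sends the statement and the values separately; the payload is
    compared as a literal string and can never change the query structure.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both versions against the same payload and return the results."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, INJECTION_PAYLOAD, "anything"),
        "hardened": login_hardened(conn, INJECTION_PAYLOAD, "anything"),
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Against the tautology payload the concatenating version returns every user in the table, while the parameterized version returns nothing and still authenticates the legitimate pair. The same reasoning applies to the other attacks named in the thread (XSS, response splitting): each depends on how the application interprets its own input, which is why network or transport controls alone do not address them.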