The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.

The Unexpected SQL Injection: When Escaping Is Not Enough
September 16th, 2007
This article surveys several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used.

The business case for security frameworks
April 23rd, 2007
In this article Robert describes the advantages of using input validation frameworks during development to reduce risks such as Cross-site Scripting.

The Importance of Application Classification in Secure Application Development
April 16th, 2007
In this article Rohit Sethi describes the importance of Application Classification during the secure development process.

MX Injection: Capturing and Exploiting Hidden Mail Servers
December 11th, 2006
In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server.

Domain Contamination
February 6th, 2006
In this article Amit discusses how an attacker who has hijacked a domain for a short period of time can still retain control of its audience long after the domain is returned to its rightful owner.

Preventing Log Evasion in IIS
August 29th, 2005
In this paper Robert describes an issue which allows an attacker to evade multiple aspects of logging within an IIS server environment, as well as how to remediate the problem.

DOM Based Cross Site Scripting or XSS of the Third Kind
A look at an overlooked flavor of XSS
July 11th, 2005
In this article Amit focuses on a little-known variant of Cross Site Scripting which attacks a user's client without sending malicious content to the web server.

Common Security Problems in the Code of Dynamic Web Applications
June 21, 2005
"The majority of occurring software security holes in web applications may be sorted into just two categories: Failure to deal with metacharacters, and authorization problems due to giving too much trust in input. This article gives several examples from both categories, and then adds some from other categories as well."

The Insecure Indexing Vulnerability
"Attacks Against Local Search Engines"
February 28, 2005
Amit Klein has written an article which discusses the risks associated with using a local search engine that indexes its content locally.

The 80/20 Rule for Web Application Security
"Increase your security without touching the source code"
January 31, 2005
Jeremiah Grossman, CTO of WhiteHat Security, has written an article describing several simple techniques to make hacking into a website more difficult without modifying the application source code.

Web Security Articles Call for Papers
December 3, 2004
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.