The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.
The Unexpected SQL Injection: When Escaping Is Not Enough
September 16th, 2007
This article surveys several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used.
The business case for security frameworks
April 23rd, 2007
In this article Robert describes the advantages of using input validation frameworks during development to reduce risks such as Cross-site Scripting.
The Importance of Application Classification in Secure Application Development
April 16th, 2007
In this article Rohit Sethi describes the importance of Application Classification during the secure development process.
MX Injection: Capturing and Exploiting Hidden Mail Servers
December 11th, 2006
In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server.
February 6th, 2006
In this article Amit discusses how an attacker who has hijacked a domain for a short period of time can still retain control of its audience long after the domain is returned to its rightful owner.
Preventing Log Evasion in IIS
August 29th, 2005
In this paper Robert describes an issue which allows an attacker to evade multiple aspects of logging within an IIS server environment, as well as how to remediate the problem.
DOM Based Cross Site Scripting or XSS of the Third Kind
A look at an overlooked flavor of XSS
July 11th, 2005
In this article Amit focuses on a little known variant of Cross Site Scripting which attacks a user's client without sending malicious content to the web server.
Common Security Problems in the Code of Dynamic Web Applications
June 21, 2005
"The majority of occurring software security holes in web applications may be sorted into just two categories: Failure to deal with metacharacters, and authorization problems due to giving too much trust in input. This article gives several examples from both categories, and then adds some from other categories as well."
The Insecure Indexing Vulnerability
"Attacks Against Local Search Engines"
February 28, 2005
Amit Klein has written an article which discusses the risks associated with using a local search engine that indexes its content locally.
The 80/20 Rule for Web Application Security
"Increase your security without touching the source code"
January 31, 2005
Jeremiah Grossman, CTO of WhiteHat Security, has written an article describing several simple techniques to make hacking into a website more difficult without modifying application source code.
Web Security Articles Call for Papers
December 3, 2004
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.