2005 HTTP Request Smuggling Released: June, 2005 Stopping Automated Attack Tools Released: April, 2005 2004 Web Application Exposure to Risk: Raising Awareness to Build Confidence and Improve Security Released: July, 2004 Blind XPath Injection Released: May, 2004 Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, andaeRelated Topics Released: March, 2004 Frequently Asked Questions on Web Application Security Released: January, 2004 2003 Developing Secure Web Applications in Java Environments Released: December, 2003 Manipulating Microsoft SQL Server Using SQL Injection Released: December, 2003 Introduction to Database and Application Worms Released: December, 2003 Real World XSS Released: December, 2003 Circumventing Validation Released: December, 2003 Web Application Hacking: Exposing Your Backend Released: November, 2003 SOAP Web Services Attack? - Part1 The World Wide Web is being used increasingly for application-to-application communication, thanks to programmatic interfaces known as web services. In conjunction with current technology, web services are ideal for companies clamoring to join the e-commerce revolution. Released: November, 2003 The Anatomy of Cross Site Scripting Released: November, 2003 Blind SQL Injection Are Your Web Applications Vulnerable? SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems! Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack! Released: October, 2003 Advanced cross site scripting and client automation This paper discusses one method of exploiting POST variables vulnerable to cross site scripting and secured areas protected by a temporary session. Following a natural progression of the method of exploitation I arrived at client automation, the forcing of a client to submit a form in effect allowing an attacker to change settings for a client. Released: October, 2003 Is Your Site Being Hacked Without Your Knowledge? Released: October, 2003 The Cross Site Scripting FAQ This is a FAQ covering Cross Site Scripting. This paper also provides examples of practical cookie theft, along with public tools for use with testing. Released: August, 2003 Using Binary Search with SQL Injection Revised: August, 2003 Secure Coding Practices for Microsoft .NET Applications Revised: July, 2003 LDAP Injection Are Your Web Applications Vulnerable? LDAP injection is the technique of exploiting web applications that use client-supplied data in LDAP statements without first stripping potentially harmful characters from the request. The objective of this paper is to inform developers, system administrators and security professionals about various techniques that could be used to attack their applications. Released: July, 2003 Cross-Site Scripting Are your web applications vulnerable? Think of how often you receive an email with a hyperlink. Imagine receiving a message with a link to your online banking site exclaiming that you could win 200 dollars as part of a promotional push to utilize the site. If you clicked the link, and logged into the site, you could have revealed your logon information to a hacker…just that easily. Learn techniques that can be used to exploit a web application with cross-site scripting, as we give suggestions on how to prevent such vulnerabilities from existing within a web application. Released: July, 2003 SQL Injection Are Your Web Applications Vulnerable? SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems! Released: July, 2003 Secure shared hosting with IIS 5.0 This guide provides technical solutions, methodologies and a step-by-step explanation on how to build secure IIS 5.0 servers. The aim of this security guide is to help ISPs and IIS administrators to secure their servers. Released: July, 2003 Securing PHP: Step-by-step Released: June, 2003 Improving Web Application Security: Threats and Countermeasures This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient. Released: June, 2003 Web Application Security Assessment by Fault Injection and Behavior Monitoring Released: May, 2003 Writing Secure ASP Scripts Released: May, 2003 Securing Apache: Step-by-Step Released: May, 2003 Auditing Web Site Authentication, Part One Released: April, 2003 Prevention of the OWASP Top-10 in Perl A discussion of the OWASP Top 10 list in relation to the Perl programming language. Released: April, 2003 Developing Secure Web Applications Just Got Easier Released: March, 2003 Security at the Next Level Are Your Applications Vulnerable? What techniques are hackers using to exploit Web-based applications and how can you protect your site? Unfortunately, most security products available today cannot adequately examine the applications that reside on your Web server! Yet these applications often provide backend access to confidential data! Released: February, 2002 Cross-Site Tracing (XST) New techniques and emerging threats to bypass current web security measures using TRACE and XSS. Released: January, 2003 PHP and the OWASP Top Ten Security Vulnerabilities Released: January, 2003 2002 Session Fixation Vulnerability in Web-based Applications Released: December, 2002 The changing face of web security Are we winning or losing the battle of web security? Read this white paper backed by industry figures to ensure you are aware of the facts. Released: November, 2002 Bypassing JavaScript Filters The Flash! Attack Released: August, 2002 Web Application Forensics Released: July, 2002 OWASP - A Guide to Building Secure Web Applications Released: June, 2002 More Advanced SQL Injection Released: June, 2002 Protecting Web-Based Applications A META Security Group White Paper Released: June, 2002 Developing Secure Web Applications Released: June, 2002 Evolution of Cross-Site Scripting Attacks Released: May, 2002 Cross Site Scripting Explained Released: May, 2002 Hacker Repellent Released: April, 2002 Hacking by Cookie Poisoning Released: April, 2002 Assessing IIS Configuration Remotely Released: March, 2002 Fingerprinting Port 80 Attacks A look into web server, and web application attack signatures: Part Two. Part two of "Fingerprinting port80 attacks". This paper provides information on web application attack forensics that will help you identify what an attacker might be doing. Part two covers attacks that where not mentioned in the first paper. http://www.cgisecurity.net/papers/fingerprinting-2.html Released: March, 2002 OWASP Top 10 Released: February, 2002 Hackproofing Oracle Application Server Released: February, 2002 The World Wide Web Security FAQ Released: February, 2002 Header Based Exploitation Web Statistical Software Threats This paper helps describe an attack method often overlooked by programmers. It explains how modification of HTTP headers can cause possible system access, cookie theft/poisoning, tricked advertising, database injection, and other bad things in web statistical software Released: January, 2002 Advanced SQL Injection Released: January, 2002 Exploitation of UNICODE Buffer Overflows Released: January, 2002 Secure Programming in PHP Released: January, 2002