Industry News

Web Security Books

Useful Documents

White Papers


2005

HTTP Request Smuggling
Released: June, 2005

Stopping Automated Attack Tools
Released: April, 2005


2004

Web Application Exposure to Risk: Raising Awareness to Build Confidence and Improve Security
Released: July, 2004

Blind XPath Injection
Released: May, 2004

Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, andaeRelated Topics
Released: March, 2004

Frequently Asked Questions on Web Application Security
Released: January, 2004


2003

Developing Secure Web Applications in Java Environments
Released: December, 2003

Manipulating Microsoft SQL Server Using SQL Injection
Released: December, 2003

Introduction to Database and Application Worms
Released: December, 2003


Real World XSS
Released: December, 2003

Circumventing Validation
Released: December, 2003

Web Application Hacking: Exposing Your Backend
Released: November, 2003

SOAP Web Services Attack? - Part1
The World Wide Web is being used increasingly for application-to-application communication, thanks to programmatic interfaces known as web services. In conjunction with current technology, web services are ideal for companies clamoring to join the e-commerce revolution.
Released: November, 2003

The Anatomy of Cross Site Scripting
Released: November, 2003

Blind SQL Injection
Are Your Web Applications Vulnerable?
SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems!
Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack!
Released: October, 2003

Advanced cross site scripting and client automation
This paper discusses one method of exploiting POST variables vulnerable to cross site scripting and secured areas protected by a temporary session. Following a natural progression of the method of exploitation I arrived at client automation, the forcing of a client to submit a form in effect allowing an attacker to change settings for a client.
Released: October, 2003

Is Your Site Being Hacked Without Your Knowledge?
Released: October, 2003

The Cross Site Scripting FAQ
This is a FAQ covering Cross Site Scripting. This paper also provides examples of practical cookie theft, along with public tools for use with testing.
Released: August, 2003

Using Binary Search with SQL Injection
Revised: August, 2003

Secure Coding Practices for Microsoft .NET Applications
Revised: July, 2003

LDAP Injection
Are Your Web Applications Vulnerable?
LDAP injection is the technique of exploiting web applications that use client-supplied data in LDAP statements without first stripping potentially harmful characters from the request.

The objective of this paper is to inform developers, system administrators and security professionals about various techniques that could be used to attack their applications.
Released: July, 2003

Cross-Site Scripting
Are your web applications vulnerable?
Think of how often you receive an email with a hyperlink. Imagine receiving a message with a link to your online banking site exclaiming that you could win 200 dollars as part of a promotional push to utilize the site. If you clicked the link, and logged into the site, you could have revealed your logon information to a hacker…just that easily.

Learn techniques that can be used to exploit a web application with
cross-site scripting, as we give suggestions on how to prevent such vulnerabilities from existing within a web application.
Released: July, 2003

SQL Injection
Are Your Web Applications Vulnerable?
SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems!
Released: July, 2003

Secure shared hosting with IIS 5.0
This guide provides technical solutions, methodologies and a step-by-step explanation on how to build secure IIS 5.0 servers. The aim of this security guide is to help ISPs and IIS administrators to secure their servers.
Released: July, 2003

Securing PHP: Step-by-step
Released: June, 2003

Improving Web Application Security: Threats and Countermeasures
This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
Released: June, 2003

Web Application Security Assessment by Fault Injection and Behavior Monitoring
Released: May, 2003

Writing Secure ASP Scripts
Released: May, 2003

Securing Apache: Step-by-Step
Released: May, 2003

Auditing Web Site Authentication, Part One
Released: April, 2003

Prevention of the OWASP Top-10 in Perl
A discussion of the OWASP Top 10 list in relation to the Perl programming language.
Released: April, 2003

Developing Secure Web Applications Just Got Easier
Released: March, 2003

Security at the Next Level
Are Your Applications Vulnerable?
What techniques are hackers using to exploit Web-based applications and how can you protect your site? Unfortunately, most security products available today cannot adequately examine the applications that reside on your Web server! Yet these applications often provide backend access to confidential data!
Released: February, 2002

Cross-Site Tracing (XST)
New techniques and emerging threats to bypass current web security measures using TRACE and XSS.
Released: January, 2003

PHP and the OWASP Top Ten Security Vulnerabilities
Released: January, 2003



2002

Session Fixation Vulnerability in Web-based Applications
Released: December, 2002

The changing face of web security
Are we winning or losing the battle of web security? Read this white paper backed by industry figures to ensure you are aware of the facts.
Released: November, 2002

Bypassing JavaScript Filters
The Flash! Attack
Released: August, 2002

Web Application Forensics
Released: July, 2002

OWASP - A Guide to Building Secure Web Applications
Released: June, 2002

More Advanced SQL Injection
Released: June, 2002

Protecting Web-Based Applications
A META Security Group White Paper
Released: June, 2002

Developing Secure Web Applications
Released: June, 2002

Evolution of Cross-Site Scripting Attacks
Released: May, 2002

Cross Site Scripting Explained
Released: May, 2002

Hacker Repellent
Released: April, 2002

Hacking by Cookie Poisoning
Released: April, 2002

Assessing IIS Configuration Remotely
Released: March, 2002

Fingerprinting Port 80 Attacks
A look into web server, and web application attack signatures: Part Two.
Part two of "Fingerprinting port80 attacks". This paper provides information on web application attack forensics that will help you identify what an attacker might be doing. Part two covers attacks that where not mentioned in the first paper.
http://www.cgisecurity.net/papers/fingerprinting-2.html
Released: March, 2002

OWASP Top 10
Released: February, 2002

Hackproofing Oracle Application Server
Released: February, 2002

The World Wide Web Security FAQ
Released: February, 2002

Header Based Exploitation
Web Statistical Software Threats
This paper helps describe an attack method often overlooked by programmers. It explains how modification of HTTP headers can cause possible system access, cookie theft/poisoning, tricked advertising, database injection, and other bad things in web statistical software
Released: January, 2002

Advanced SQL Injection
Released: January, 2002

Exploitation of UNICODE Buffer Overflows
Released: January, 2002

Secure Programming in PHP
Released: January, 2002

Search this site
Home :: About Us :: Projects :: Mailing Lists :: Library :: News :: Links :: Contact Us
© Copyright 2005, Web Application Security Consortium. All rights reserved.      Hosting sponsored by FireHost