owasp

Ruby on Rails and Security

Has anyone run across any good PowerPoint presentations on how to securely develop a web application in Ruby? ...

Attacking websites without leaving an audit trail.

Recently Aetna suffered a breach where it lost 65,000 SSNs. They never were able to find an audit trail of what happened which probably hints that the attack leveraged XSS or similar technique. Are there specific known attacks that the bad guys are repeatedly leveraging for this type of attack? ...

Best Practices for defining PatternLayout when using Log4j SyslogAppender

For those who are developing applications that are under PCI scope, where the guidance suggests that you should store your application logs on another tier, remoting to a syslog server elsewhere feels like a best practice. The question becomes, what should the PatternLayout look like that best enables folks to review their logs at least...

Secure XML Parsers

In typical Java applications, the XML parsers are Xalan/Xerces, but they were not written with security in mind. I am curious to know if there are parsers that are more robust when it comes to security. ...

What is the SQL Server equivalent to Oracle's Virtual Private Database?

What is the SQL Server equivalent to Oracle's Virtual Private Database (VPD)? ...

PCI/DSS: Data at Rest

Would you consider the use of caching products in the category of data at rest? ...

OWASP Consider regenerating a new session upon successful authentication or privilege level change.

On the OWASP web site one of their top ten items states that we should consider regenerating a new session upon successful authentication or privilege level change. What would be the correct way of doing this? One thing a co-worker has told me but I haven't tested is that when a user uses browser tabs each tab does not get its own se...

XSS - SQL Injection -- Owasp vs AntiXss Vs Microsoft Anti-Cross Site Scripting Library

Hello, we are looking at using a library to help us detect SQL injections. We are using sprocs and parametrized statements, but for the sake of this post, assume that we are only using some sort of library that detects/verifies user input. What's the best one? Easiest to implement? Easiest to update/manage? Why prefer one over the othe...

What is the difference between a countermeasure and a control?

While reading the OWASP site, I stumbled upon pages www.owasp.org/index.php/Category:Countermeasure and www.owasp.org/index.php/Category:Control. My question is simple: what's the difference between the two? I'm sure I could see it if there was more information, but right now they both seem to state that they are something that are ...

CSRF (Cross-site request forgery) attack example and prevention in PHP

I have a website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this: http://mysite.com/vote/30 then th...

How do you protect against specific CSRF attack

I am going through the OWASP Top 10 list of 2007 and 2010. I stumbled upon Cross Site Request Forgery (CSRF); this is often called session riding, as you let the user use his session to fulfill your wishes. Now a solution to this is adding a token to every URL, and this token is checked for every link. For example, to vote on product x th...

OWASP Regex Repository: Is this regex correct?

I was looking at the regular expressions for validating various data types from the OWASP Regex Repository. One of the regular expressions in there is called safetext and looks like: ^[a-zA-Z0-9\s.\-]+$ My first question is: Is this regular expression correct? A complementary question: is this Regex Repository any good at all? UPDA...

SQL Injection Protection for dynamic queries

The typical controls against SQL injection flaws are to use bind variables (cfqueryparam tag), validation of string data and to turn to stored procedures for the actual SQL layer. This is all fine and I agree, however what if the site is a legacy one and it features a lot of dynamic queries. Then, rewriting all the queries is a herculean...

Javascript Comments are security risk?

During a recent PCI audit the auditor said that we had major security risks because it was possible to download static resources from our website, such as images, CSS and JavaScript, without prior authentication. Our JavaScript had comments in it. Personally I think that this is not a security risk at all. The images, CSS and javascri...

Best libraries/practices to prevent OWASP Top 10 Vulnerabilities

I'm looking for the best reusable libraries and inbuilt features in ASP.Net to prevent the OWASP top 10 security vulnerabilities like injection, XSS, CSRF etc., and also easy to use tools for detecting these vulnerabilities for use by the testing team. When do you think is the best time to start incorporating the security coding into ...

How to not transform special characters to html entities with owasp antisamy

Hello, I use OWASP AntiSamy with the eBay policy file to prevent XSS attacks on my website. I also use Hibernate Search to index my objects. When I use this code: String html = "special word: été"; // use the eBay configuration file Policy policy = Policy.getInstance(xssPolicyFile.getInputStream()); AntiSamy as = new AntiSamy()...

AntiSamy is allowing An encoded Script alert to get by? How to block?

Hello, I'm using AntiSamy with the available antisamy-1.4.1.xml policy. The policy is working nicely to block most XSS attacks, but the following is not being blocked. Any suggestions on how to block the following to prevent XSS attacks? 1234%27%2Balert%2873918%29%2B%27 Thanks ...

Why Open Redirect URLS?

I've been going through the OWASP top 10 to get a deeper understanding of each specific type of vulnerability. I've made my way to the last item, Unvalidated URL Redirects. I understand the attack; such a phishing scheme seems completely obvious now that I have read about it in OWASP. What I am struggling to understand is why this s...

What is OWASP exactly?

Open Web Application Security Project: promotes secure software development; oriented to the delivery of web-oriented services; focused primarily on "back-end" rather than web-design issues; an open forum for discussion; a free resource for any development team. What is it... is it an operating system or a piece of software??? ...

How to prevent 'DROP BOBBY TABLES' when user enters a password with special characters?

In our ancient Classic ASP environment, we utilize OWASP to get the password from the request object and encrypt non-alphanumeric characters. This is a first line of defense to prevent SQL injection. We use other methods for full SQL injection prevention. The problem is, when we are collecting data to put together an HTTP post mess...