Saturday, June 25, 2005

Browser Identification

Paper on browser identification is posted on infosecwriters. Several approaches are defined in this paper.

Read Here

Thursday, June 09, 2005

[Oreilly] Protect your applications without recoding them

Article on Onlamp.

Web services are increasingly becoming an integral part of next-generation web applications. They're also vulnerable to attacks. The nature of these attacks is the same as for traditional web applications, but the modus operandi is different. These attacks can lead to information leakage; further, they aid in remote command execution. By using WSDL, an attacker can determine an access point and available interfaces for web services. These interfaces or methods take inputs using SOAP over HTTP/HTTPS. Without good defense at the source code level, your application is in danger of compromise and exploitation. mod_security operates as an Apache web server module, ideal for defending web services against attacks that also include malicious POST data containing SOAP envelopes.

Go to Onlamp

Monday, June 06, 2005

wschess 1.3 released

wsKnight is updated with 4 new audit/attack vectors. This will help in auditing or testing web services.

1. Bruteforcing - One can specify user/pass fields and map it to files. This will launch bruteforcing combinations on the wire.
2. Buffer overflow - Specify parameter and buffer size.
3. LDAP and XPath injection - This is very simple just a different category.

Stay tune more to go.