Wednesday, February 28, 2007

Web 2.0 with Banks - Web Risk: A Growing Web's Harder To Secure

Banks are moving towards Web 2.0 frameworks and adding risk to the application layer. This news item talks about it.


Monday, February 19, 2007

Ajax scanning on AjaxWorld

The Ajax scanning technique for XSS is posted at AjaxWorld magazine.

Thursday, February 15, 2007

Scanning Ajax for XSS Entry Points

The continuing adoption of the Web 2.0 architecture for web applications has made Ajax, Web services and Flash key components. Ajax is a combination of technologies such as JavaScript with the XMLHttpRequest object, DOM and XML streams. Cross site scripting (XSS) can make browsers vulnerable to critical information hijacking if exploited with malicious intent. XSS is already categorized as persistent, non-persistent and DOM-based. Ajax code loaded in the browser can have entry points to XSS, and it is the job of the security analyst to identify these entry points. It is difficult to conclude decisively that a possible entry point in an application can be exploited; one may need to trace or debug the code to measure the risk of these entry points.

This paper introduces you to a quick way to identify XSS entry points in an application.

Read here
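To make the idea of an "entry point" concrete, here is a small static scanner, added as an illustration and not code from the paper or from AjaxWorld: it walks client-side JavaScript line by line, flags DOM sinks that turn strings into markup or code (innerHTML, document.write, eval and similar), and notes whether an untrusted source such as location.hash or an XHR responseText appears on the same line. The sample Ajax code, the sink and source lists, and the function name are all my own constructions; a hit only marks a candidate that still needs the trace or debug step the post describes.

```python
import re

# Constructed sample Ajax code (not from the paper): a callback that pushes
# XHR response data and URL fragment data into the DOM.
SAMPLE_JS = """\
function loadProfile() {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/profile?id=" + location.hash.substring(1));
  xhr.onreadystatechange = function () {
    if (xhr.readyState == 4) {
      document.getElementById("name").innerHTML = xhr.responseText;
      eval("var cfg = " + xhr.responseText);
    }
  };
  xhr.send(null);
}
function greet() {
  document.getElementById("greeting").textContent = location.search;
}
"""

# DOM sinks that interpret a string as markup or code; each occurrence is a
# candidate XSS entry point when attacker-influenced data can reach it.
SINKS = {
    "innerHTML": r"\.innerHTML\s*\+?=(?!=)",
    "outerHTML": r"\.outerHTML\s*\+?=(?!=)",
    "document.write": r"document\.write(?:ln)?\s*\(",
    "eval": r"\beval\s*\(",
    "setTimeout/setInterval string": r"\bset(?:Timeout|Interval)\s*\(\s*['\"]",
    "Function constructor": r"\bnew\s+Function\s*\(",
}

# Untrusted sources typical of Ajax code: URL parts and XHR response bodies.
# A source on a line without a sink (line 3 above) is not flagged by itself.
SOURCES = (r"location\.(?:hash|search|href)|document\.(?:URL|referrer)"
           r"|\.response(?:Text|XML)\b")


def scan_entry_points(js):
    """Return (line number, sink name, source-on-same-line) for every sink hit."""
    hits = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for name, pattern in SINKS.items():
            if re.search(pattern, line):
                hits.append((lineno, name, bool(re.search(SOURCES, line))))
    return hits


if __name__ == "__main__":
    for lineno, sink, tainted in scan_entry_points(SAMPLE_JS):
        print(f"line {lineno}: {sink} (untrusted source on line: {tainted})")
```

The textContent assignment on the last line of the sample is deliberately not reported: it takes a URL value but does not parse it as HTML, which is exactly the distinction an analyst wants the scan to preserve.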

Friday, February 09, 2007

Stateful Web Application Firewalls with .NET

A Web Application Firewall (WAF), though still evolving, is crucial for strong application layer defense. Unfortunately, HTTP is a stateless protocol, so session management is handled at the application layer rather than at the protocol layer. It is possible to bridge the WAF and the session objects on the .NET platform to build a stateful WAF (SWAF).

Read Here

Monday, February 05, 2007

Slides to Share

I found an interesting place to share past talks. I have posted some of my past speaking engagements at RSA, Infosecworld, AusCERT, Bellua and HITB on it. You may like it.