Tuesday, November 28, 2006

Vulnerability Scanning Web 2.0 Client-Side Components


Web 2.0 applications combine several technologies, such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowering the end user's browser by loading libraries into it.

All these changes mean new scanning challenges for tools and professionals. The key learning objectives of this article are to understand the following concepts and techniques:

* Scanning complexity and challenges in new generation Web applications
* Web 2.0 client-side scanning objectives and methodology
* Web 2.0 vulnerability detection (XSS in RSS feeds)
* Cross-domain injection with JSON
* Countermeasures and defense through browser-side filtering


Monday, November 27, 2006

Web 2.0 defense with Ajax fingerprinting & filtering

(IN)SECURE magazine contains my article on the Ajax fingerprinting and filtering technique. It can help in defending Web 2.0 applications.

Friday, November 10, 2006

Top 10 Ajax Security Holes and Driving Factors


One of the central ingredients of Web 2.0 applications is Ajax, implemented in JavaScript. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the last few months. These vulnerabilities can be leveraged by attackers to perform phishing, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.


Thursday, November 02, 2006

[O'Reilly Net] Detecting Web Application Security Vulnerabilities

Your web application is only as secure as the data coming in, and how you treat user input determines how secure you are. A little bit of thought and Python programming can help you analyze potential vulnerabilities in your code.
