Wednesday, April 22, 2009
Wednesday, April 15, 2009
XSSQLI is a term for a combined Cross Site Request Forgery (XSRF) and SQL Injection attack. The attack consists in forcing a user's browser to request a web application URL that exploits a SQL Injection vulnerability. As in any XSRF attack, the user can be made to issue the request through an HTML IMG, FRAME, IFRAME, STYLE or similar tag:
When a victim browses a web page containing such a tag, the browser automatically sends the request to the “intranetsite” web application without the user noticing. The difference from a classic XSRF attack is that the requested URL does not trigger some action in the target web application; it exploits a SQL Injection vulnerability instead.
Within Intranets, some web applications use Windows integrated authentication: the user authenticates to the web application with his Windows credentials, and Internet Explorer does this automatically because of the “Automatic logon only in Intranet zone” security setting. MS SQL Server (other DBMSs could be attacked this way too) also authenticates users with Windows integrated authentication, and some web applications are configured to connect to the SQL Server backend database as the Windows user currently accessing the web application, i.e. the application impersonates the caller.
In this configuration, exploiting a SQL Injection vulnerability directly is less valuable than other attack paths: the injected statements run with the attacker's own permissions, so he could just as well connect to SQL Server directly and run SQL statements as far as his permissions allow. By using XSSQLI to attack, for instance, a SQL Server DBA, the attacker gets his SQL statements executed with the DBA's permissions and thereby elevates his privileges. The same forged URL is harmless when an ordinary user is tricked into requesting it and dangerous when the DBA is; it is the victim's identity, not the attacker's, that the database sees.
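The chain described above, as an added example that is not code from the original post: a Python simulation with SQLite standing in for SQL Server, a hypothetical intranetsite URL, and constructed logins, permissions and data. It shows the attacker's IMG tag, the forced GET reaching a handler that impersonates the victim and concatenates the parameter into SQL, the same URL being rejected when the victim is an ordinary user but succeeding when the victim is the DBA, and a parameterised version of the handler that closes the hole. SQL Server's acceptance of stacked statements is what lets one query-string parameter carry a second statement; the simulation mimics that with a simple per-verb permission check.

```python
"""XSSQLI walk-through (added example, not the original post's code): a forged
cross-site request carries a SQL injection payload, and the intranet application
executes the injected SQL under the identity of whoever was tricked into issuing
the request. SQLite stands in for SQL Server; the intranet URL, the logins, their
permissions and all data are constructed for the illustration."""
import sqlite3
import urllib.parse

TARGET = "http://intranetsite/reports.asp"  # hypothetical intranet application

# Constructed stand-in for the per-login rights SQL Server would enforce when the
# application connects with the impersonated Windows identity.
PERMISSIONS = {
    "CORP\\jdoe": {"SELECT"},                                                      # ordinary user
    "CORP\\sqladmin": {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP"},  # DBA
}


def build_attack_page(payload: str) -> str:
    """Attacker side: a zero-size IMG whose src is the injection URL. The victim's
    browser fetches it silently and, in IE's Intranet zone, attaches the victim's
    Windows credentials."""
    url = TARGET + "?" + urllib.parse.urlencode({"id": payload})
    return f'<img src="{url}" width="0" height="0">'


def forced_request_params(img_html: str) -> dict:
    """Server side: the query parameters the forced GET arrives with."""
    src = img_html.split('src="', 1)[1].split('"', 1)[0]
    query = urllib.parse.urlsplit(src).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


class SimulatedSqlServer:
    """SQLite plus a permission check per statement verb, so that the same injected
    SQL fails for a low-privileged login and succeeds for the DBA."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE reports(id INTEGER, title TEXT);
            INSERT INTO reports VALUES (1, 'Q1 sales');
            CREATE TABLE app_admins(windows_login TEXT);
            INSERT INTO app_admins VALUES ('CORP\\sqladmin');
        """)

    def execute_as(self, login: str, sql: str, params=()) -> list:
        statements = [s.strip() for s in sql.split(";") if s.strip()]
        allowed = PERMISSIONS.get(login, set())
        for stmt in statements:
            verb = stmt.split()[0].upper()
            if verb not in allowed:
                raise PermissionError(f"{login} is not allowed to {verb}")
        if params:
            # Parameterised: the value is bound, never parsed as SQL.
            return self.db.execute(sql, params).fetchall()
        rows = []
        for stmt in statements:  # stacked statements run in turn, as SQL Server does
            rows = self.db.execute(stmt).fetchall()
        self.db.commit()
        return rows

    def admins(self) -> list:
        return [r[0] for r in self.db.execute("SELECT windows_login FROM app_admins")]


def handle_request_vulnerable(server, windows_user: str, params: dict) -> list:
    """The flawed handler: impersonates the caller and concatenates the parameter."""
    return server.execute_as(windows_user, "SELECT title FROM reports WHERE id = " + params["id"])


def handle_request_fixed(server, windows_user: str, params: dict) -> list:
    """Same handler with a bound parameter; the payload becomes a harmless literal."""
    return server.execute_as(windows_user, "SELECT title FROM reports WHERE id = ?", (params["id"],))


def demo() -> dict:
    payload = "1; INSERT INTO app_admins VALUES ('CORP\\attacker')"  # constructed payload
    params = forced_request_params(build_attack_page(payload))
    results = {}

    # Victim is an ordinary user: the database rejects the stacked INSERT.
    plain = SimulatedSqlServer()
    try:
        handle_request_vulnerable(plain, "CORP\\jdoe", params)
        results["jdoe"] = "executed"
    except PermissionError:
        results["jdoe"] = "denied"

    # Victim is the DBA: same URL, same bug, but the INSERT now runs with DBA rights.
    dba = SimulatedSqlServer()
    handle_request_vulnerable(dba, "CORP\\sqladmin", params)
    results["attacker_is_admin"] = "CORP\\attacker" in dba.admins()

    # With a parameterised query the DBA can be forced to the URL and nothing happens.
    fixed = SimulatedSqlServer()
    results["fixed_rows"] = handle_request_fixed(fixed, "CORP\\sqladmin", params)
    results["fixed_admins"] = fixed.admins()
    return results


if __name__ == "__main__":
    print(demo())
```

The permission check is deliberately crude (first keyword of each statement); it exists only to model the difference between the two victims' rights, which is the whole point of picking the DBA as the target. In the real deployment that difference is enforced by SQL Server's logins and roles, and the parameterised handler removes the problem for every victim at once.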
Friday, April 10, 2009
A new certification for Application Security professionals. The attractive feature of the certification is that you need not take any exam. Its main features are:
1. No need to study - Candidates use our exclusive certification process to prove their Stated History of Individual Training via self-validation, which reflects their real-world experiences.
2. No need to take exams - After self validation, candidates agree to the Oath of Office and Code of Ethics. This process ensures only the most experienced ASS achieve certified status, without the need for a test.
3. Lowest Cost - There is no cost to become a Certified ASS! While many candidates have long been considered ASS's, they can now validate that claim with true certification at no cost.
4. Reflects the real world of security - By eliminating costly training programs and standardized tests, the Institute created a process that matches standard management processes for enterprise application security and is consistent with today's industry best practices.
Check yourself at : http://www.asscert.com/
Happy hacking! :)
Friday, April 3, 2009
The use of the ESAPI will also make it much easier for static analysis tools to verify an application, by building ESAPI calls into static analysis tool rulesets.
It has been developed for various technologies like .NET, Java, PHP etc.; some are still a good way from completion. The main idea behind ESAPI is that it gives you the same security API in every language, so you don't have to care about how each platform receives input and how it filters it. Just call a method like ESAPI.encoder().encodeForHTML(input) and the value is encoded for safe inclusion in an HTML page; there are sibling methods for other output contexts (HTML attributes, JavaScript, URLs, CSS). The main difference between a homegrown encoding function and the ESAPI one is that the ESAPI functions are well researched and carefully implemented: they work from a whitelist of known-safe characters and encode everything else, instead of blacklisting a handful of dangerous characters.
Wrap your existing libraries and services
Extend and customize your ESAPI implementation
Fill in gaps with the reference implementation
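To make the encoder point concrete, an added example that is not ESAPI's code: a simplified Python re-implementation of three context-specific encoders in the style of ESAPI's Encoder (small immune set left alone, everything else encoded), plus a hypothetical template and a browser-order check showing why encoding for the wrong context still leaves an injection. The `render_onclick` template and the `show()` function it calls are made up for the illustration.

```python
"""Added example (not ESAPI's own code): context-specific output encoders in the
ESAPI style, and a demonstration of why the context matters. Simplified
re-implementation; the template and the payloads are constructed."""
import html
import string
import urllib.parse

# Characters left unencoded in an HTML element/attribute context (ESAPI-style whitelist).
HTML_IMMUNE = set(string.ascii_letters + string.digits + ",.-_ ")
HTML_NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def encode_for_html(value: str) -> str:
    """Encode for insertion into HTML element content or a quoted attribute."""
    out = []
    for ch in value:
        if ch in HTML_IMMUNE:
            out.append(ch)
        elif ch in HTML_NAMED:
            out.append(HTML_NAMED[ch])
        else:
            out.append(f"&#x{ord(ch):x};")  # numeric entity for everything not known-safe
    return "".join(out)


def encode_for_javascript(value: str) -> str:
    """Encode for insertion inside a JavaScript string literal (\\xHH or \\uHHHH)."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch.isalnum() and code < 128:
            out.append(ch)
        elif code < 256:
            out.append(f"\\x{code:02x}")
        else:
            out.append(f"\\u{code:04x}")
    return "".join(out)


def encode_for_url(value: str) -> str:
    """Encode for insertion into a URL query parameter value."""
    return urllib.parse.quote(value, safe="")


def render_onclick(value: str, js_encode: bool) -> str:
    """Hypothetical template that embeds user data inside a JS string inside an HTML
    attribute: onclick="show('...')". Correct handling encodes for the innermost
    context first (JavaScript) and then for the outer one (HTML attribute)."""
    inner = encode_for_javascript(value) if js_encode else value
    return f'<a onclick="show(\'{encode_for_html(inner)}\')">x</a>'


def js_string_breaks_out(markup: str) -> bool:
    """Simulate the browser's order of operations: the HTML parser decodes entities
    first, then the JS engine sees the attribute value. A raw quote inside the
    literal ends the string and lets the rest of the payload execute."""
    attr = markup.split('onclick="', 1)[1].split('"', 1)[0]
    js_seen = html.unescape(attr)
    body = js_seen[len("show('"):-len("')")]
    return "'" in body


if __name__ == "__main__":
    payload = "'); alert(1); //"  # constructed payload
    print(render_onclick(payload, js_encode=False), js_string_breaks_out(render_onclick(payload, False)))
    print(render_onclick(payload, js_encode=True), js_string_breaks_out(render_onclick(payload, True)))
```

HTML-encoding alone turns the quote into `&#x27;`, but the HTML parser hands the JavaScript engine a plain quote again, so the string literal is closed and the payload runs; JavaScript-encoding first (then HTML-encoding the result for the attribute) keeps it a literal. That is the reason the library exposes one encoder per context rather than a single "escape" function.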
I don't know what the problem is. They are dilly-dallying the process. OK, I am not going to pressurise them, but at least they should have lent their attention to the issue.
I am talking about Clickjacking, which I reported to Mozilla and Opera. After so much conversation, Mozilla at least responded somewhat positively. But in the case of Opera, they have not been positive throughout the process. They didn't even give their views regarding the issue. At least they should have responded to me personally with their view on the issue. Any sort of response would have made me enthusiastic. Last week I posted some comments on an Opera member's blog. After a series of postings he even stopped responding. These things are discouraging.