Palisade Magazine : Application Security Intelligence

Quiz: Specifying life time for a webpage

October 15, 2008 10:57 AM

We have often come across the message “Webpage has expired” when attempting to access a recently accessed page. This message comes as a result of the web server specifying an expiration time for the webpage when it is stored on the browser’s cache. How does a web server specify the life time for a page to the browser’s cache?

Using the Expires header
Using the Max-age directive along with Expires header
Setting the Must-Revalidate header in the response
All of the above

SAP Baseline Security Audit

October 15, 2008 10:42 AM

A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit program and is ideal for generating a quick win early. This article outlines the areas covered under the SAP Baseline Security Audit we perform.

Defeating Encryption in Some Thick Clients

October 15, 2008 10:19 AM

While testing thick client applications we sometimes encounter the client encrypting pieces of the request. At such times, many of our variable manipulation attacks are foiled. To overcome this barrier, there are several techniques. Here’s one of the methods we tried for a recent thick client application test.

Database Links Security

October 15, 2008 10:04 AM

Database links (DBLinks in Oracle) are a technique for one database to connect to a remote database and execute queries. The originating database uses an account in the remote destination database to connect. This connection thus uses a username and password of an account in the destination database. The connection has the privileges of the account that’s used in the destination database.

Quiz: Proposal to amend Same Origin Policy

July 9, 2008 08:46 PM

Same origin policy of browser prevents scripts loaded in one domain to access resource from another domain. However, this policy imposes several limitations to Web 2.0 apps and restricts interactivity between sites. A new proposal has been formed by W3C, to incorporate Web 2.0 developer’s demands, by allowing cross site requests. Which among the following is the said proposal?

Configuring Domain Authorization Rules on the application server side
Access Control for Cross-site Requests
Configuring Application level ACL

Cache Control Directives Demystified

July 9, 2008 02:43 PM

Many years ago, HTTP 1.1 introduced specialized Cache Control directives to control the behavior of browser caches and proxy caches. These were a refinement over the HTTP 1.0 headers that programmers were using to control the behavior of caches. Though these directives are several years old, we still see them being used incorrectly. In this article, we explain the meaning and relevance of the most important cache control directives.

The Payment Application Data Security Standard (PA DSS)

July 9, 2008 02:38 PM

PA DSS fills a gap in the more well known PCI DSS standard. Today, we’ll discuss this lesser-known standard. Remember that the biggies of the credit card industry put their heads together and came up with Payment Card Industry Data Security Standard (PCI DSS). Their aim was to protect the “Cardholder’s” data. PCI DSS was first released in 2005 and then revised in October 2006. PCI DSS has a few requirements that talk about securing web applications that deal with cardholder’s data.

Defend against Reverse Engineering

July 9, 2008 11:34 AM

Software reverse engineering is the technique of getting the original source code from the binary. Competitors might use reverse engineering to figure out how you implemented that cool feature. Crackers might use it to see how they can bypass your license policy. Game cheats use reverse engineering, well, to cheat.

Quiz: Cross Site Printing

June 10, 2008 03:30 PM

What is Cross Site Printing?

A typo for Cross Site Scripting
A new Printing technology from Microsoft
A new attack that prints to your internal printers when you visit a website
None of these

CSRF - The hidden menace

June 10, 2008 03:00 PM

Cross Site Request Forgery (also known as XSRF, CSRF, Sea Surf, Session Riding, and Cross Site Reference Forgery) is an attack that tricks the victim into taking some action on the vulnerable application without the victim’s knowledge. This can happen when the victim visits a webpage that contains a malicious request, which then performs the chosen action on behalf of the victim.

Mobile Banking - Threats and Mitigation

June 10, 2008 02:30 PM

In my previous article, I had explained the two common mobile banking architectures and exchange of information using one of the architectures. In this article, I’ll be explaining the threats observed and an ideal process to overcome these threats. The explanation would be based on the information exchange for the architecture discussed in my previous article. Each phase has the threats mentioned and a secure process to ensure these threats are mitigated.

URL Redirection Flaw

June 10, 2008 02:00 PM

Harry gets an email from his bank stating that he has received some promotion offers so he should click on the link below to avail those offers. Harry ensures that the site is authentic by checking the name of his bank in the URL as he is aware of phishing attacks. He finds it to be a genuine URL of the bank, so he clicks the link. On clicking the link the login page of his bank is displayed to him. He enters his username and password on the login page. He gets an error page saying “The server is unable to process your request”.

Quiz: Safe Authentication Controls

June 15, 2007 11:29 AM

Which of the following is/are required as safe authentication controls at login page?

Enable SSL
Define acceptable Inputs
Use Salted Hash technique
Disable password save and AutoComplete/fill-in
All of them

Common mistakes in two-tier applications

June 15, 2007 11:27 AM

In previous articles, we have talked about some of the attack techniques and defenses that are possible with two-tier applications. An important thing to note in two-tier applications is that a thick-client application running on the user’s machine directly connects to the database. This means that local machine can directly connect to the database. In this article, we look at some of the common mistakes made in configuring and developing two-tier applications which can render the database vulnerable to attacks from users.

Virtualization – the promised land?

June 15, 2007 11:23 AM

Someone somewhere is still getting compromised after investing a lot in security. Now there’s something called ‘virtualization’ which seems to be some kind of a promised land – a ‘solution’ to all these security problems. It’s being adopted rapidly across multiple organizations just because its ‘secure’. So what is virtualization? Why is it such a craze? Is it really that secure? Is there no way to compromise it? Are we finally 100% safe? A lot of pertinent questions there – let’s try and answer them, shall we?