<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="0.92">
<channel>
	<title>GDS Security Blog</title>
	<link>http://www.gdssecurity.com/l/b</link>
	<description>Gotham Digital Science Security Blog</description>
	<lastBuildDate>Thu, 07 Aug 2008 22:13:40 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>SQL Injection Worms for Fun and Profit - slides and demo</title>
		<description>
Well, I'm offstage now having just presented my talk on "SQL Injection for Fun &#38; Profit" at Blackhat in Las Vegas.  One of the main aims of the talk was to provide more coverage on the mass SQL injection attacks that started earlier this year (and are still going ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/08/07/sql-injection-worms-for-fun-and-profit-slides-and-demo/</link>
	</item>
	<item>
		<title>AntiXSS updated</title>
		<description>I've just uploaded an update to AntiXSS, based on feedback we've received from developers looking at the library. This can be found at the GDS Tools page. I have also updated the original AntiXSS announcement post to point to the new release.

Since the release of the library, the two main ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/06/02/antixss-updated/</link>
	</item>
	<item>
		<title>Adapting Sqlbrute</title>
		<description>The current version of Sqlbrute supports Microsoft SQL Server and Oracle; however, the similarities between Microsoft SQL Server and Sybase make it easy to adapt to Sybase with a few minor tweaks. Make the following changes to the current version and you should be able to brute Sybase as easily as ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/05/20/adapting-sqlbrute/</link>
	</item>
	<item>
		<title>Web 2.0 and “Defense in Depth”</title>
		<description>I was recently asked by a client for some technical countermeasures to consider as they prepare to build an Ajax enabled web application (aside from the more fundamental countermeasures like rigid output encoding and request tokenization to defend against XSS and XSRF respectively).  What follows are a few suggestions ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/04/24/web-20-and-%e2%80%9cdefense-in-depth%e2%80%9d/</link>
	</item>
	<item>
		<title>DotNetNuke Default Machine Key Advisory</title>
		<description>This morning we released an advisory to bugtraq regarding an exposure in DotNetNuke that can be used to trivially forge authentication tokens and impersonate arbitrary users (including the built-in admin account). The vendor was notified back on March 3, 2008 and has now corrected the issue with the release ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/03/21/dotnetnuke-default-machine-key-advisory/</link>
	</item>
	<item>
		<title>Bi-Directional HTTP Transformation</title>
		<description>The ability to transform and inspect HTTP data as it flows in and out of a web application has many practical uses (both inside and outside of security).  On IIS, this capability was historically restricted to ISAPI filters. Http Modules written in ASP.NET have always allowed processing of requests ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/02/27/bi-directional-http-transformation/</link>
	</item>
	<item>
		<title>A &#8220;Deflate&#8221; Burp Plug-In</title>
		<description>I wrote a plug-in for Burp Proxy that decompresses HTTP response content in the ZLIB (RFC1950) and DEFLATE (RFC1951) compression data formats.  This arose out of an immediate need on a recent web application security assessment.

Inspecting the HTTP traffic between client and server of the application under review, it ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/02/19/a-delfate-burp-plug-in/</link>
	</item>
	<item>
		<title>Handling Uploaded Archives Securely</title>
		<description>Insecure handling of file uploads is one of my favorite issues to test for during web application security assessments. They often provide exploitable attack vectors for compromising the server, application and/or end-user. In this post, I focus on insecure handling of uploaded archive files – something I've seen repeatedly. From ...</description>
		<link>http://www.gdssecurity.com/l/b/2008/01/21/handling-uploaded-archives-securely/</link>
	</item>
	<item>
		<title>AntiXSS for Java</title>
		<description>I’ve just uploaded the latest version of AntiXSS for Java (version 0.02) to the GDS Tools page. What is AntiXSS for Java? It’s a port to Java of the Microsoft Anti-Cross Site Scripting (AntiXSS) v1.5 library for .NET applications.

For those not familiar with the Microsoft AntiXSS library, it is an ...</description>
		<link>http://www.gdssecurity.com/l/b/2007/12/29/antixss-for-java/</link>
	</item>
	<item>
		<title>Yet Another Flawed Authentication Scheme</title>
		<description>It seems like every day I hear about a new web-based authentication technique intended to enhance user security and/or thwart phishing scams.  This is especially common in the banking world, where most applications are starting to use strong two-factor authentication. Unfortunately for most of the larger consumer web applications, ...</description>
		<link>http://www.gdssecurity.com/l/b/2007/12/27/yet-another-flawed-authentication-scheme/</link>
	</item>
</channel>
</rss>
