Web Application Security

Links from the class materials and other supplemental information, grouped by chapter:

Chapter 1: Introduction

Chapter 2: Web application security

Links from the text:

• Open Web Application Security Project (OWASP)
• Web Application Security Consortium
• The Web Hacking Incidents Database

Chapter 3: How HTTP works

Links from the text:

• The CGI RFC, RFC 3875
• RFC 2616
• RFC 2965
• netcat for Windows
• Cygwin

Chapter 4: Cryptography in Web Applications

Links from the text:

• An excellent overview of cryptography
• The standards for the SHA series of hashes
• The American Bar Association Section of Science and Technology Information Security Committee Digital Signature Guidelines Tutorial
• Digital Signature Standard (DSS, also called DSA)
• using RSA for digital signatures

Chapter 5: Attacking Web Applications

Links from the text:

• Web proxy from PortSwigger.net
• WebScarab's web site
• Paros suite
• Nikto
• The Firefox Web Developer toolbar home page
• The Web Developer toolbar, from Mozilla.org
• IEWatch
• WebGoat project page
• WebGoat
• The Firefox SwitchProxy toolbar

Additional links, not from the course text, or, software needed for the chapter:

nikto-2.02.tar.gz
web-developer-1.1.6.xpi
burpsuite_v1.1.zip
paros-3.2.13-unix.zip
paros-3.2.13-win.dat
paros-3.2.13-win.exe
paros-3.2.13-src.zip
paros_user_guide.pdf
WebGoat-OWASP_Standard-5.1.zip (for Linux and Windows)
webgoat-5.1.sh (startup file for Linux)
webscarab-installer-20070504-1631.jar
webscarab-selfcontained-20070504-1631.jar
webscarab-src-20070504-1631.zip
switchproxy_tool-1.4.1-fx+mz+tb.xpi
tamper_data-10.0.4-fx.xpi

Chapter 6: The user controls the client: input validation

Links from the text:

• Client Side Data Validation: A False Sense of Security by Tarak Modi
• Javascript form validation---doing it right by Stephen Poley
• Email With Misleading URL Encoding
• SecurityFocus bug description for Smartwin Technology CyberOffice Shopping Cart 2.0 Price Modification Vulnerability
• One web proxy allowing you to change what you send to the server
• A definition of ``paranoid programming''
• Cleaning Up, Mucking Out and Paranoid Programming
• a humorous view of paranoid programming
• URL Encoded Attacks Attacks using the common web browser by Gunter Ollmann
• Also at
• Abstracting Application-Level Web Security by David Scott and Richard Sharp
• XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion By RSnake
• URL encoding program
• More information about Nimda
• The corresponding CERT vulnerability note for IIS
• Another related CERT page
• The Nimda cost
• The Atlanta Business Chronicle's Nimda cost
• Code Red plus Nimda cost $3 billion
• XMMS Remote input validation error
• The OS.Path structure
• Security Considerations for the Implementation of Unicode and Related Technology
• Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
• In ``Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks,'' Xu, Bhatkar, \& Sekar review current taint-related research and present a C-to-C translator for implementing fine-grained taint tracking.

Chapter 7: State and the web

Links from the text:

• gmail bug
• Schneier on Security for November 24, 2005
• The bug report for the Payflow Link vulnerability
• Cart32 vulnerability information
• Other, similar hidden field vulnerabilities
• SecurityFocus.com's search page
• An example of using Java to secure client-side state with hidden forms
• The LinPHA vulnerability
• Perl session cookies
• ASP session cookies
• Java session cookies
• More Java session cookies information
• WHID 2005-61: Gmail session management bug
• FTD.com hole leaks personal information
• Microsoft vulnerability with session identifiers
• An example of exploiting the Hotmail vulnerability
• Microsoft Passport Account Hijack Attack by Obscure
• Huge Hotmail security flaw reported by ZDNN Staff
• A good article with information about how ASP.NET sessions operate
• The Open Source Vulnerability Database
• Securityfocus.com
• National Vulnerability Database
• Add N Edit Cookies

Chapter 8: Cross-site scripting (XSS)

Links from the text:

• The Cross Site Scripting (XSS) FAQ
• Wikipedia entry on cross-site scripting
• CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests
• Safari Archive JavaScript Same Origin Policy Violation Vulnerability
• Mozilla Firefox Unspecified Javascript Remote Code Execution Vulnerability
• Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability
• Sun Java Runtime Environment Java Plug-in JavaScript Security Restriction Bypass Vulnerability
• Adobe Acrobat JavaScript Parsing Engine Arbitrary Code Execution Vulnerability
• MS Outlook Express 5 Javascript Email Access Vulnerability
• Example ways of session hijacking via XSS
• This link is a simple XSS example
• example of how to DoS the browser
• XSS---Stealing Cookies 101
• Example denial of service XSS attack
• Posting a bogus news message via XSS
• Another, well-written paper that includes posting a bogus story at a news site
• demo JavaScript port scanner
• The XSS worm on MySpace
• A description of the worm from its author
• More from Samy
• The Cross-site Scripting Virus
• XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion
• Stored and Reflected XSS attacks at OWASP
• information about using Flash for XSS attacks
• ``How To: Prevent Cross-Site Scripting in ASP.NET''
• Anti-Cross Scripting Library for ASP.NET
• Adding Cross-Site Scripting Protection to ASP.NET 1.0
• the fake secure login page
• ExploreNM.com
• information about the bogus login screen
• TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks by Amir Herzberg and Ahmad Gbara

Chapter 9: Fail securely

Links from the text:

• information about failing securely
• a seminal 1975 paper on security by Saltzer and Schroeder
• Microsoft Security Bulletin MS02-018
• JVN#45389864 CGIWrap error page cross-site scripting vulnerability
• PR07-37 XSS on Apache HTTP Server 413 error pages via malformed HTTP method
• Apple Safari error page cross-site scripting
• PR08-19 XSS on Cisco IOS HTTP Server
• Paul Starzetz of iSEC Security Research
• Defcom Labs advisory def-2001-26
• Section 2.8 of Implementing CIFS: The Common Internet FileSystem by Christopher R. Hertel
• IKEA catalog breach
• Tamper Data

Chapter 10: XML Security

Links from the text:

• XML tutorial
• The XML standard
• IBM's online tutorial Introduction to XML
• Introduction to XML for web developers
• XML Namespaces tutorial
• RFC 2396
• The standard for how to specify XML namespaces
• W3C tutorial on XML schemas
• Inge Henriksen's IE5/6 DoS security advisory
• Sun advisory that includes a pathological XML DTD
• OWASP's page on XML injection
• Testing for XML Injection
• Mitigating XPath injection in .NET
• ``XML Firewall Architecture and Best Practices for Configuration and Auditing''
• XML Port Scanning

Additional links, not from the course text, or, software needed for the chapter:

check-xml.pl
testfile.xml
testfile-good.xml
sample.dtd
INSTALL-CHECKER

Chapter 11: AJAX Security

Links from the text:

• Stamos and Lackey's Black Hat 2006 presentation
• Shreeraj Shah's Hacking Web 2.0 Applications with Firefox
• The JSON standard web site
• The Wikipedia entry for JSON
• Security issues in JSON
• Wikipedia entry on JSON
• Practical CSRF and JSON Security by Jon Sykes
• DOM-based XSS attacks at OWASP
• JavaScript hijacking attack
• Garett Rogers's report on a Gmail vulnerability
• YGN Ethical Hacker Group WebGoat Videos

Chapter 12: Cross-site request forgery (CSRF)

Links from the text:

• CSRF Vulnerability: A 'Sleeping Giant'
• Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)
• Gmail contact list hijacking (January 2007)
• Gmail filter hijack (September 2007)
• Gmail password change CSRF (March 2009)
• Foiling Cross-Site Attacks
• Jeremiah Grossman's blog
• The Wikipedia entry on CAPTCHA
• The CAPTCHA Project
• Origin header presentation from Stanford
• OWASP CSRFTester
• CAPEC 62
• WebGoat CSRF solution video
• SOMA Firefox add-on
• Content Security Policy

Chapter 13: Mashups

Links from the text:

• MashupAwards
• Subspace
• sMash
• Caja's home page
• a talk on MashupOS
• America's most unsafe Cities
• Greasemonkey scripts
• Content Provider Content on the Modern Web

Chapter 14: Other Injection attacks

Links from the text:

• Xbox Linux
• Technical Analysis of 007: Agent Under Fire save game hack
• The xkcd cartoon
• The Chris Rimmer threat

Chapter 15: Web services security overview

Links from the text:

• W3C Web Services Glossary
• Flickr tightens up image security by Raoul Pop
• James Snell's article on REST and SOAP
• Wikipedia entry on REST
• Mark O'Neill's RSA Security 2006 presentation
• Flickr APIs
• ``Rest on Rails''

Chapter 16: SOAP Security Issues

Links from the text:

• A good SOAP tutorial
• The SOAP standard
• A SOAP FAQ
• SOAP: The Simple Object Access Protocol by Aaron Skonnard
• sample SOAP message
• The security reference in the standard
• Web Service Security
• A RESTful approach: clean UPnP without SOAP by Newmarch, J.
• soapUI
• ``Getting Started with soapUI'' guide
• get a Google API key

Additional links, not from the course text, or, software needed for the chapter:

You will need these files for the lab:
CheckList.pm
names.txt
soap-client.pl
soap-server.pl

These are the modified versions as the lab describes:
soap-client-sol.pl
soap-server-sol.pl

Chapter 17: Web Services

Links from the text:

• The Internet Archive copy of Visual Studio Enables the Programmable Web
• Mark O'Neill's Web Services Security
• Why applying standards to Web services is not enough by Viega, J. and Epstein, J.
• details about WEP insecurity
• Battered, but not broken: understanding the WPA crack by Glenn Fleishman
• Tutorial: How to Crack WPA/WPA2
• Analysis of the SSL 3.0 protocol by David Wagner and Bruce Schneier
• the OpenSSL timing attack
• A good WSDL 1.1 tutorial
• The WSDL 1.1 standard
• The WSDL 2.0 standard
• Wikipedia entry on WSDL
• The UDDI standard
• The UDDI standard FAQ
• An online UDDI community
• Understanding WSDL in a UDDI registry, Part 1
• SOAPDebugger
• WSBang
• wsChess
• WSFuzzer
• XMLSpy
• SOAPbox
• Google Search WSDL file
• Amazon WSDL file
• Seekda
• Global Biodiversity Information Facility UDDI Registry

Chapter 18: Mapping the target web site and server

Links from the text:

• Vote Someone Else's Shares
• List of incidents of class Credential/Session Prediction
• South : Station
• nmap
• picture of running nmap
• Documentation for the Burp spider
• National Vulnerability Database
• Securityfocus.com
• The open source vulnerability database (OSVDB)
• Common Vulnerabilities and Exposures (CVE)
• Computer Emergency Response Team (CERT) Coordination Center
• Public Cooperative Vulnerability Database
• LWN Linux Vulnerability database
• Secunia
• Internet Security Systems (ISS) X-Force
• Hacker Web Directory
• Packet Storm
• Phrack
• 2600
• Rootshell.com (archives)
• hackin9
• ha.ckers
• nmap's Port Scanning Techniques
• Firewall/IDS Evasion and Spoofing
• ExploreNM.com

SkillBridge Training

Examples from the class notes (or, all as one file).

Selected Solutions from the class notes (no looking until you have solved the problems!). Note that all solutions are in an appendix of your course book. All solutions in a compressed tar file.

Evaluation form (if needed)