Attacks and Solutions
Attacks such as buffer overflows, cross-site scripting and SQL injection pose a high security risk to all web applications. Here you can find material on some of these attacks and on solutions for preventing them.
| Topic | Version | Language | Date | Type | Format | Author |
|---|---|---|---|---|---|---|
| Web Application Session Management | 1.0 | | 01/22/07 | White Paper | pdf, doc | EUROSEC |
| Web Application Session Management | | | 11/23/05 | Presentation | pdf, ppt | EUROSEC |
| Cross Site Scripting Overview | | | 11/23/05 | Presentation | pdf, ppt | EUROSEC |
| SQL Injection | | | 11/23/05 | Course Material | pdf, ppt | EUROSEC |
| A Short Guide to Input Validation | 1.0 | | 04/25/2007 | White Paper | pdf | Commerzbank |
| Input Normalization and Character Encodings | 1.0 | | 03/13/06 | Whitepaper | doc | EUROSEC |
SecologicTrain
SecologicTrain is an e-learning application, written in Java, that demonstrates typical vulnerabilities in the area of web security. With practical exercises you can study the problems and solutions of secure programming. We designed a static prototype with the exercise 'Cookie Security'. The full version is programmed in Java/JSP and is ready to download. The topics of the downloadable version are: XSS (Cross Site Scripting), SQL Injection, XPath Injection and Cookie Security. Prerequisites are an installed MySQL database and an Apache Tomcat. An installation guide is included in the zip file.
| Topic | Version | Language | Date | Type | Format | Author |
|---|---|---|---|---|---|---|
| E-learning Application SecologicTrain | 1.0 | | 12/19/06 | Software archive | zip | SAP |
Cross Site Request Forgery
Cross Site Request Forgery (CSRF, a.k.a. XSRF, a.k.a. Session Riding) attacks have been public at least since 2001. However, this class of web application vulnerabilities is rather obscure compared to attack vectors like Cross Site Scripting or SQL Injection. As the trend towards web applications continues and an increasing number of local programs and appliances such as firewalls rely on web-based frontends, the attack surface for XSRF grows continuously. Here you can find further information on this vulnerability class. Furthermore, we created two client-side tools that protect web surfers against CSRF attacks: RequestRodeo, which protects against attacks that abuse cookie- and HTTP-based authentication, and LocalRodeo, which protects against CSRF attacks that target intranet resources.
| Topic | Version | Language | Date | Type | Format | Author |
|---|---|---|---|---|---|---|
| On CSRF and why you should care | 1.0 | | 11/29/06 | Presentation | pdf | SVS-UHH |
| RequestRodeo: Client Side Protection against Session Riding | 1.0 | | 05/27/06 | Academic paper | pdf | SVS-UHH |
| RequestRodeo: Client Side Protection against Session Riding (slides) | 1.0 | | 05/27/06 | Presentation | pdf | SVS-UHH |
Preventing XSS-based Session Hijacking
As HTTP is a stateless protocol, web applications have to implement a session tracking mechanism of their own. If a vulnerability such as XSS enables an attacker to obtain a valid session identifier, he can hijack the attacked session completely. As part of the secologic project we developed methods that protect web applications against session hijacking even if the application contains an XSS vulnerability.
| Topic | Version | Language | Date | Type | Format | Author |
|---|---|---|---|---|---|---|
| Using the same-origin policy to disarm XSS vulnerabilities | 1.0 | | 05/27/06 | Presentation | pdf | SVS-UHH |
| SessionSafe: Implementing XSS Immune Session Handling | 1.0 | | 10/01/06 | Academic paper | pdf | SVS-UHH |
| SessionSafe: Implementing XSS Immune Session Handling (slides) | 1.0 | | 10/01/06 | Presentation | pdf | SVS-UHH |