secologic


Attacks and Solutions

Attacks like buffer overflows, Cross-Site Scripting and SQL injection pose a high security risk for all web applications. Here you can find descriptions of these attacks and solutions for preventing them.

Topic | Version | Language | Date | Type | Format | Author
Web Application Session Management | 1.0 (new) | English | 01/22/07 | White Paper | pdf, doc | EUROSEC
Web Application Session Management | - | English | 11/23/05 | Presentation | pdf, ppt | EUROSEC
Cross Site Scripting Overview | - | English | 11/23/05 | Presentation | pdf, ppt | EUROSEC
SQL Injection | - | German | 11/23/05 | Course Material | pdf, ppt | EUROSEC
A Short Guide to Input Validation | 1.0 | English | 04/25/2007 | White Paper | pdf | Commerzbank
Input Normalization and Character Encodings | 1.0 (new) | English | 03/13/06 | White Paper | doc, pdf | EUROSEC

SecologicTrain

SecologicTrain is an e-learning application, written in Java, which demonstrates typical vulnerabilities in the area of web security. With practical exercises you can study the problems and solutions of secure programming. We designed a static prototype with the exercise 'Cookie Security'. The full version is programmed in Java/JSP and is ready to download. The topics covered by the downloadable version are: XSS (Cross Site Scripting), SQL injection, XPath injection and cookie security. Prerequisites are an installed MySQL database and Apache Tomcat. An installation guide is included in the zip file.

Topic | Version | Language | Date | Type | Format | Author
E-learning Application SecologicTrain | 1.0 | English | 12/19/06 | Software archive | zip | SAP

Cross Site Request Forgery

Cross Site Request Forgery (CSRF, a.k.a. XSRF, a.k.a. Session Riding) attacks have been publicly known since at least 2001. However, this class of web application vulnerabilities remains rather obscure compared to attack vectors like Cross Site Scripting or SQL injection. As the trend towards web applications continues and an increasing number of local programs and appliances such as firewalls rely on web-based frontends, the attack surface for XSRF grows continuously. Here you can find further information on this vulnerability class. Furthermore, we created two client-side tools that protect web users against CSRF attacks: RequestRodeo, which protects against attacks that abuse cookie- and HTTP-based authentication, and LocalRodeo, which protects against CSRF attacks that target intranet resources.

Topic | Version | Language | Date | Type | Format | Author
On CSRF and why you should care | 1.0 | English | 11/29/06 | Presentation | pdf | SVS-UHH
RequestRodeo: Client Side Protection against Session Riding | 1.0 | English | 05/27/06 | Academic paper | pdf | SVS-UHH
RequestRodeo: Client Side Protection against Session Riding (slides) | 1.0 | English | 05/27/06 | Presentation | pdf | SVS-UHH

Preventing XSS-based Session Hijacking

As HTTP is a stateless protocol, web applications have to implement a session tracking mechanism of their own. If a vulnerability like XSS enables an attacker to obtain a valid session identifier, the attacker can hijack the attacked session completely. As part of the secologic project we developed methods that protect web applications against session hijacking even if the application contains an XSS vulnerability.

Topic | Version | Language | Date | Type | Format | Author
Using the same-origin policy to disarm XSS vulnerabilities | 1.0 | English | 05/27/06 | Presentation | pdf | SVS-UHH
SessionSafe: Implementing XSS Immune Session Handling | 1.0 | English | 10/01/06 | Academic paper | pdf | SVS-UHH
SessionSafe: Implementing XSS Immune Session Handling (slides) | 1.0 | English | 10/01/06 | Presentation | pdf | SVS-UHH