Web Security - Articles

  • Keeping Web Hacking at bay with Acunetix - How to avoid a Hacker Attack on your website
    Acunetix, November 2008 - This article describes why hackers may want to attack your website, since today hacks are not happening just to steal data but for many other reasons which could lead to legal actions, even if you are just the victim. It also explains how to prevent such attacks.

  • Cross Site Scripting – The Underestimated Exploit
    Jacques Guillaumier, Acunetix, September 2007 - This article describes the Cross Site Scripting vulnerability, explains how it comes about and offers a clear solution to prevent it.

  • Microsoft UK Events Website Hacked
    Acunetix, July 2007 - This article explains how the Microsoft UK Events website got hacked. It explains step by step, in detail, how by taking advantage of an SQL Injection and unfiltered parameters, the hacker known as "rEmOtE" got to see the database passwords, proceeded with the attack and defaced Microsoft UK's website. If you are a web developer, a pen tester or in any way involved in building and securing web pages, this is a must read article!

  • Web Services - The Technology and its Security Concerns
    Jacques Guillaumier, Acunetix, May 2007 - This white paper examines the technology behind Web Services, how the system is made available to the user, and the way connections are made to back-end (and therefore sensitive) data. These different elements come together to make Web Services a portal for users to access data, but also provide different entry points which may be exploited for illegitimate purposes.

  • Security's Top Five Priorities
    Dark Reading, May 2007 - What keeps you awake at night? For security professionals, the awake-at-night issues keep changing. Dark Reading have done some research on security professionals' current concerns, and those they foresee in the immediate future. The following is a synopsis of what they found.

  • PCI Compliance (Payment Card Industry Data Security Standard)
    Acunetix, April 2007 - If your business relies on payment by credit cards, compliance with the PCI security standard is a requirement. Read more about how, and which, PCI DSS requirements Acunetix helps you meet.

  • The true nature of Web Application Security: The role and function of Black Box Scanners
    Acunetix, February 2007 - In this article the author explains how important it is to have secure web applications and gives examples, based on true stories, of why web applications should be secured. He also explains the important role black box scanners play in keeping web applications secure.

  • Web Applications: What are they? What of them?
    Acunetix, February 2007 - Over the past decade or so, the web has been embraced by millions of businesses as an inexpensive channel to communicate with customers via web applications. But what are web applications exactly, and does the greater availability of information they bring with them also bring new security problems and more targets for malicious users?

  • Web Hacking: An underestimated threat
    Acunetix, February 2007 - Just because you think your data is safe does not mean your database of sensitive organization information has not already been cloned and is resident elsewhere, ready to be sold to the highest bidder. Hacking of websites and stealing of online data is part of everyday life and it costs companies a lot of money. Companies lose their reputation, or go out of business, simply because they were the victim of an attack. Read this article and find out real facts about hacking!

  • Ajax security: Are AJAX applications vulnerable to hack attacks?
    Acunetix, February 2007 - While AJAX increases interactivity, speed and usability, it also brings new security issues. Read more about the security issues AJAX applications bring with them and how they can be avoided.

  • Web app exploits biggest hacking target in 2007
    SC Magazine, February 2007 - Remotely exploitable vulnerabilities will be the most widespread global threat vector this year due to the lack of effective security, according to an expert at global security vendor, Secure Computing.

  • How to check for SQL injection vulnerabilities
    Acunetix, January 2007 - Securing your website and web applications from SQL injections is a three-part process: analysing the present state, making sure to use coding best practices and regularly performing a website security audit.

  • PHP / SQL Security - Part 6
    Acunetix, December 2006 - In this final part of a series of 6 articles, the author covers session management and also takes the readers through a brief look at security modules for Apache and multiple server instances.

  • Web Application Security - Check your site for Web Application Vulnerabilities
    Acunetix, December 2006 - With many businesses adopting web-based technologies for conducting online business, they are exposing their data to more and more people each day and their online presence makes them an interesting target for hackers. Read more to find out how important it is to secure your web applications and find out how to secure them.

  • How safe is your business online?
    ITWales, December 2006 - Internet crime can seriously damage your business. Trust me, I've seen it happen. I've been a police officer for thirty years and for the last five, I have worked for the National High Tech Crime Unit, now part of SOCA, and Get Safe Online.

  • SQL Injection: What is it?
    Acunetix, November 2006 - This article contains an in-depth explanation of what a SQL injection is; one of the most common application layer attack techniques used today. Rich with well explained examples, this article is a must read!

  • Gartner: $2 Billion in E-Commerce Sales Lost Because of Security Fears
    eWeek, November 2006 - According to a Gartner survey, in 2006 alone, retailers lost almost $2 billion because of consumer security fears, with about one-half of those losses ($913 million) coming from people who avoided sites that seemed to be less secure and the rest (about $1 billion) coming from consumers who were too afraid to conduct e-commerce business at all.

  • Web Security Scanning
    Acunetix, October 2006 - Web security is not just about writing secure web application code; everything around the website, such as database servers, should also be secured. In this article, the author discusses web security scanning trends and how to scan your web application entry points as if you were a hacker yourself.

  • Apache Web Server Security
    Acunetix, October 2006 - Web server security is as important as web application security. Read about what can become an Apache web server security issue and the source of an attack, and how important it is to have a secure web server and not just a secure web application.

  • IIS Web Server Security
    Acunetix, October 2006 - IIS is one of the most widely used web servers today. Read about how important web server security is and what can become a web server security issue and the source of an attack.

  • PHP / SQL Security - Part 5
    Acunetix, October 2006 - This article describes in detail PHP safe mode, a generic set of options and restrictions applied to the entirety of PHP, restricting access to files, preventing operations which have severe security implications, and improving the security of multi-user hosting environments.

  • Web Server Security and Database Server Security
    Acunetix, October 2006 - If your servers and/or web applications are compromised, hackers will have complete access to your back end data even though your firewall is configured correctly and your operating system and applications are patched regularly. Read how hackers manage to get in even when everything around the website is secured!

  • Web application security audits
    security.itworld.com, September 2006 - In this article, James Gaskin discusses the importance of web application security: "Leaving your Web applications insecure makes no more sense than building a brick wall but using a gate made from chain link fencing."

  • Security Watch: JavaScript plus AJAX equals trouble
    ZDNet Reviews, August 2006 - In this article, Robert Vamosi discusses AJAX and cross-site scripting attacks using JavaScript executed on the desktop browser.

  • PHP / SQL Security - Part 4
    Acunetix, July 2006 - In this article the author wraps up PHP development and file handling, covering file uploads and how to implement them securely when a PHP website needs them.

  • ID Theft - Name, Rank And Social Security Number
    SecurityPro News, July 2006 - Identity theft is the fastest growing crime in the U.S. The U.S. Secret Service has estimated that consumers nationwide lose $745 million to identity theft each year.

  • Hackers have upper hand in fight against computer crime
    The Age, June 2006 - Computer hacker attacks on banks and other financial institutions increased by 300 per cent last year but the skills to fight them are in short supply, a report says.

  • The JavaScript engine of Acunetix WVS
    Acunetix, May 2006 - This article describes how Acunetix Client Script Analyzer works and also shows the importance of having such a tool in a web application security scanner. Using this tool helps you automate most of the scanning and also helps ensure that the whole website is crawled, leaving no hidden documents or website areas undiscovered.

  • Keep your Web applications secure
    TechRepublic, May 2006 - Web-based applications are the portal of choice for mischief and illegal entrance to your organization's network. That's why you need to defend your network by arming yourself with the knowledge of how attacks occur, and learning how to fix the problem before someone finds holes in your network security armor.

  • PHP / SQL Security - Part 3
    Acunetix, April 2006 - This article looks at controlling file access within PHP. The author explains in detail how file handling should be done securely in PHP, how UNIX file permissions work, and how important it is to secure every aspect of your web site, not just the network around it.

  • Five common Web application vulnerabilities
    SecurityFocus, April 2006 - This article looks at five common Web application attacks, primarily for PHP applications, and then presents a case study of a vulnerable Website that was found through Google and easily exploited.

  • Are Network Security Devices Really Protecting your Web Applications?
    SecurityPark, March 2006 - Web applications are delivering critical information to a growing number of employees and partners. Most organizations have already invested heavily in network security devices, and thus often believe they are also protected at the application layer; in fact they are NOT. This article by Eric Battistoni discusses the myths surrounding network security devices and their ability, or lack of it, to protect against web application attacks.

  • Cross Site Scripting Attack
    Acunetix, February 2006 - Cross Site Scripting is one of the most common vulnerabilities, and many websites are hacked because of it. In this article you can learn more about cross site scripting through real-life examples, how to scan a website to find such vulnerabilities, and how to prevent them.

  • PHP Security / SQL Security - Part 2
    Acunetix, February 2006 - In this second part of the article the author explains how important it is to handle SQL queries, and anything related to PHP development and databases, properly. He goes into detail about SQL Injection, database ownership and permissions, non-string variables, file permissions, making database connections and much more!

  • PHP Security / SQL Security - Part 1
    Acunetix, February 2006 - This article lists the attacks insecure PHP coding can lead to, such as SQL Injection, Directory Traversal, XSS and many other issues. It also explains in detail the importance of validating user input, how to do it, and how to check for PHP vulnerabilities.

  • Google Hacking
    Acunetix, February 2006 - Google hacking is a term used when a hacker tries to find exploitable targets and sensitive data by using search engines. This article talks about Google hacking techniques, what hackers usually look for and how to prevent it. It also explains how Acunetix WVS checks your website using Google hacking techniques so such exposures can be prevented.

  • CRLF Injection Attack
    Acunetix, February 2006 - In this article the author explains what CRLF injection is, how to detect it and how a malicious user can exploit it. The article also includes well-explained examples of actual CRLF injection attacks.

  • Authentication Hacking Attacks
    Acunetix, February 2006 - This article describes different kinds of authentication, the consequences of using weak credentials, and what an attacker can do once he gains access. It also describes how to prevent such authentication hacking attacks.

  • Domain Contamination
    Web Application Security Consortium, February 2006 - This write-up by Amit Klein describes an attack that exploits an inherent flaw of the client-side trust model in the context of cyber-squatting and domain hijacking, or in general, in the context of obtaining temporary ownership of a domain (or major parts of it, e.g. defacing the main page). Put simply, the idea explored is to force long term caching of malicious pages in order for them to still be in effect even when the domain returns to its rightful owner. Various attack vectors are discussed, as well as possible protection techniques. While previous works hinted at the possibility of such an attack, it is worthwhile to discuss this attack in depth and to refute the common misconception that cyber-squatting, domain hijacking and similar attacks do not have a long-lasting effect.

  • Directory Traversal Attacks
    Acunetix, January 2006 - This article explains in detail, using examples, what a directory traversal attack is: an attack where a hacker can gain root access to a remote server and run commands on it. It also explains how to check your website for such attacks and how to avoid them.

  • Web applications are easy targets
    Vnunet, January 2006 - Business software vendors are getting their security act together, but web applications remain a cause for concern. Tim Anderson writing for IT Week discusses security issues associated with web applications.

  • SQL Injection Attacks, Easy To Prevent, But Apparently Still Ignored
    Sys-Con (BR), January 2006 - "You'd think that by now we'd have learned to lock down our code so as to prevent SQL injection attacks, but apparently this is not the case." Ben Forta explains what a SQL injection attack is and how to prevent it.

  • Eight steps for integrating security into application development
    Computerworld, December 2005 - Article by Ruby Qurashi. "Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer."

  • Google also a hacker ally
    SCMagazine, November 2005 - Article by Frank Washkuch Jr. "One of a PC user's best friends – search engine superpower Google – could become an enemy tool if used by hackers, online security experts have warned."

  • New Path Of Attack
    InformationWeek, November 2005 - Article by Thomas Claburn. "Just when patching showed progress against the worst security threats, cyber criminals shift their focus. A report on the 20 most-critical Internet security vulnerabilities for 2005, released last week by the SANS Institute in conjunction with government representatives from the United States and the United Kingdom, shows an unsettling shift. While most hacking between 1999 and 2004 targeted operating systems and Internet services on Web servers and E-mail servers, that changed this past year. Now, applications and network devices' operating systems have become the primary targets."

  • Protect your Web site against path traversal attacks
    SearchSecurity.com, October 2005 - "Web servers generally are set up to restrict public access to a specific portion of the Web server's file system, typically called the "Web document root" directory. This directory contains the files intended for public access and any scripts necessary to provide Web application functionality." In this article, Michael Cobb describes what is known as a Directory or Path traversal attack. This occurs when an intruder manipulates a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including those lying outside the document root directory. Path traversal attacks take advantage of special-character sequences in URL input parameters, cookies and HTTP request headers.

  • SQL Injection Attack and Defense
    SecurityDocs.com, September 2005 - Today many business houses, governments and society in general depend a great deal on web applications. Web applications are accessed using the Internet and so face the risks associated with its use. These risks are evident in the increasing number of incidents reported on web security sites. All our important information assets are at risk given the increasing tendency of attackers to break into computer systems. This paper by Sagar Joshi focuses on educating security professionals about the risks associated with this situation and aims to give a brief understanding of the various kinds of attacks that could be launched.

  • Black Holes: Emerging Web app security devices and products bring source code vulnerabilities to light
    SearchSecurity.com, September 2005 - "Are your Web applications secure? Online business applications, which are wide open at port 80, put that question to the test daily." In this article, James Foster points out that if companies don't lock down their web applications, security risks will increase as corporate dependency on Internet and intranet applications rises, along with site complexity, language depth and overall functionality.

  • An Applications View on Security
    eWeek, December 2004 - "The only completely secure application is one that accepts no input from the outside and offers no access to data." Security must be built into applications from the lowest level upward. Peter Coffee points out that even though a current application may be securely designed, an earlier version—perhaps accessible in a poorly secured archive—may give an attacker all the information needed to overcome that improvement.

  • Don't let development pressures cut short security testing procedures, warn experts
    ComputerWeekly.com, November 2004 - Security vulnerabilities discovered on online bank Cahoot and Morgan Stanley's credit card website, which were remedied by the companies as soon as they were discovered, had left customers' personal data accessible on the Internet. This incident raised questions over the priority organisations give to testing when they roll out or upgrade Internet services. In his article, Bill Goodwin discusses how the vulnerabilities could have been prevented.

  • Ten questions to ask about application security systems
    Computerworld, November 2004 - "Robust application security is necessary to ensure Web site availability and to protect sensitive customer and corporate data and application-enabled revenue." However, there's growing confusion about what constitutes application security and how it's achieved. In this article, Abhishek Chauhan presents 10 questions to help you evaluate whether a product delivers true application protection.

  • Google Hacking Mini Guide
    Johnny.ihackstuff.com, May 2004 - "Described by some as the best personal productivity tool since the word processor, Google's search engine has been embraced by the masses as an incredibly useful tool. However hackers, identity thieves and even terrorists can also leverage Google as a personal productivity tool." The Google Hacking Mini Guide by Johnny Long outlines the more harmful applications of the Google search engine, techniques that have collectively been termed "Google hacking". In his article he aims to educate web administrators and the security community in the hopes of eventually stopping this form of information leakage.


White Papers

Finding the right web application scanner; why black-box is not enough
The Payment Card Industry Compliance - Securing both Merchant and Customer data.
Web Services - The Technology and its Security Concerns
Are AJAX Applications Vulnerable to Hack Attacks? The importance of Securing AJAX Web Applications
Auditing Your Web Site Security with Acunetix Web Vulnerability Scanner
The Importance of Web Application Scanning
SQL & PHP Security by Andrew J. Bennieston
