Palisade Magazine


Technical

Cache Control Directives Demystified

by Siddharth Anbalahan in July 2008

Many years ago, HTTP 1.1 introduced specialized Cache Control directives to control the behavior of browser caches and proxy caches. These were a refinement over the HTTP 1.0 headers that programmers were using to control the behavior of caches. Though these directives are several years old, we still see them being used incorrectly. In this article, we explain the meaning and relevance of the most important cache control directives.

CSRF - The hidden menace

by Sapna Satish in June 2008

Cross Site Request Forgery (also known as XSRF, CSRF, Sea Surf, Session Riding, and Cross Site Reference Forgery) is an attack that tricks the victim into taking some action on the vulnerable application without the victim’s knowledge. This can happen when the victim visits a webpage that contains a malicious request, which then performs the chosen action on behalf of the victim.

Common mistakes in two-tier applications

by Siddharth Anbalahan in June 2007

In previous articles, we have talked about some of the attack techniques and defenses that are possible with two-tier applications. An important thing to note in two-tier applications is that a thick-client application running on the user’s machine directly connects to the database. This means that the local machine can connect directly to the database. In this article, we look at some of the common mistakes made in configuring and developing two-tier applications which can render the database vulnerable to attacks from users.

Wi-Fi Protected Access

by Balaji V in May 2007

Wired Equivalent Privacy (WEP), the previous security mechanism for wireless LANs, can today be broken in about 2 minutes. So wireless equipment vendors provided improved security mechanisms in their products. But these enhanced security mechanisms were proprietary and did not work with one another. So the Wi-Fi Alliance introduced Wi-Fi Protected Access, which has become an effective standard implemented across multi-vendor devices.

Mobile Banking Architecture

by Suraj Sankaran in May 2007

This two-part series on mobile banking security will help bank security officers and auditors understand the security threats in mobile banking. Here, I will present two popular mobile banking architectures and dive into the exchange of messages between the components. Next month, we will look at the threats inherent in this architecture and how to mitigate them.

Back to Basics: Internet Cookies

by Jose Varghese in March 2007

Continuing with our Back to Basics series, we’ll discuss internet cookies. Cookies are generally used by web sites to track users’ personal preferences so that personalized content can be served to the user. In the first part, we had covered Caching.

Application Penetration Tester's Toolkit

by Balaji V in March 2007

In this article series, we will be looking at some of the tools used for application penetration testing. The most common categories of tools include web proxy editors, fuzzers, network proxies, memory viewers, decompilers, browser extensions and automated vulnerability scanners.

Securing Web Based Payment Systems

by Siddharth Anbalahan in March 2007

A typical internet payment system consists of a payment gateway that handles information transfer over the internet between merchant and customer. In this article we shall look at some of the risks involved in this information flow.

ASP Session Cookies

by Jaideep Jha in February 2007

Over the last few years of carrying out web application audits, we have observed in many ASP-based applications that cookie values do not change between unauthenticated pages and authenticated application areas. Since the user session is associated with the session cookie, if a malicious user gets hold of the session cookie prior to user authentication, he can access the authenticated application area as well. Classic ASP does not support any method to enforce the change of cookie value. Let’s look into some remedies in this article.

Wireless Security - Cracking WEP

by Arvind Doraiswamy in February 2007

In the last issue, we took an in-depth look at the internals of WEP. We saw how exactly WEP was used to encrypt a short block of plain text. This time we’ll look at WEP from the perspective of an adversary. What will an adversary see if he manages to capture a block of WEP encrypted data? What can he do with it? Can he use this data to compromise my network? These, among others, are some of the questions that we’ll be addressing in the course of this article. Without further delay, let’s see how an adversary goes about trying to crack WEP.

Wireless Security - How WEP works

by Arvind Doraiswamy in December 2006

As you probably already know, Wired Equivalent Privacy (WEP) is used by companies to secure their wireless connections from sniffing attacks. You’ve probably also heard that it’s not very secure. In the first part of this two-part series I’ll explain the inner workings of WEP and follow it up next month with why it’s insecure.

Insecurities in Healthcare Applications

by Firosh Ummer in December 2006

Online healthcare applications come under the radar of HIPAA. In this article we discuss the threats they are exposed to, the attacks we’ve seen work against them and the precautions to take.

SaaS Security Testing - The Challenges

by Roshen Chandran in November 2006

Last month we looked at 5 Tips for Securing Software as a Service. This time, we’ll dive into the challenges in security testing SaaS applications, and how to overcome them.

Anti-phishing - Incident Response

by Jose Varghese in October 2006

As we had seen in the first two parts of the series, there are several ways of preventing and detecting a phishing attack. Even if we take all necessary precautions, a successful phishing attack could still happen and we need to be prepared to respond to it. In this article we explore some of the incident response steps we can take to limit the damage.

Anti-Phishing Techniques - Detection Measures

by Jose Varghese in September 2006

As was outlined in the first part of this series, there are several methods to protect users from phishing attacks. But prevention is not enough. We need detection measures to get early warning signals when a phishing attack is being planned or is in progress. Before we get into detection measures, let us look at the steps an attacker takes while executing a phishing attack.

HTTP Request Smuggling

by Prashant Gawade in September 2006

With the advent of HTTP-aware firewalls and IPSs, many developers relax a little on strengthening the security of an application. Application firewalls are able to lock out most of the automated attacks on websites. However, a new attack vector has been discovered which can bypass application firewalls too. HTTP request smuggling allows an attacker to send malicious requests across proxies and firewalls to the web server. Let’s have a short description of the attack technique.

Anti-Phishing Techniques - Protection Measures

by Jose Varghese in August 2006

If you are an Internet Banking user, you probably are already aware of phishing. If you are charged with the responsibility for building and operating an e-commerce application, phishing is probably one of your Top 3 concerns. Statistics indicate that more than 1000 phishing attacks are launched every month. To minimize the impact of phishing attacks we need to look at protection, detection and response measures.

More on dodging spiders

by Shalini Gupta in July 2006

In the first part of this article series, we discussed malicious use of spiders and some means to defend against them. In this article, we’ll explore other defenses such as the use of one-time links, special links, Turing tests and URL tokenization. We will also try to identify the most suitable solution to defend against crawling spiders.

Are stored procedures safe against SQL injection?

by Santosh Kumar in June 2006

Stored procedures are widely used for benefits such as encapsulation of business logic in a single entity, strong validation, faster execution and exception handling. But are they safe against SQL injection attacks? Not always. SQL injection is possible if the dynamic SQL inside the stored procedure is not handled properly…

Dodging the spiders

by Shalini Gupta in June 2006

A web spider is a software program that traverses pages in the World Wide Web in an automated manner and extracts information from web pages. Spiders are also known as web crawlers or web robots. Web spiders can read the HTML content and hence can read both the visible and non-visible parts of the webpage. Spiders cannot access contents that require authentication or authorization. Spiders can search for data across websites much quicker and deeper than humans can ever do.

Browser Hijackers

by Shah Nawaz in May 2006

A browser’s home page is a valuable commodity, and the online cheats know it. If they can somehow set the home page, with or without the user’s intervention, to their ad-packed site, then they are guaranteed at least one visit every time the user opens the browser. The term used for such an attack is browser hijacking.

LinkDemand and InheritanceDemand

by Sangita Pakala in April 2006

.NET’s Code Access Security is a powerful mechanism to ensure that your code is protected from malicious assemblies. In the first article of this series, we discussed asserts and demands. Now let’s delve a little deeper into two special types of demands.

Distributed Reflection Denial of Service: A Bandwidth Attack

by Anoop Mangla in April 2006

A bandwidth attack floods a network with a large volume of bogus packets in order to overwhelm the network bandwidth. The aim is to consume the network bandwidth of the targeted network to such an extent that it starts dropping packets. The packets that get dropped also include legitimate traffic, thus causing denial of service to valid users…

Thick Client Application Security - Attacks

by Balaji V in March 2006

Traditional two-tier thick client applications are vulnerable to several attacks. This two-part series will discuss the attacks and defenses for them. In this first part, we focus on the different attack techniques and tools.

Security issues in 'Remember Me' feature

by Shah Nawaz in March 2006

Most web sites that deal with sensitive personal information of users require them to authenticate themselves with valid usernames and passwords. If the login credentials contain long card numbers or a series of complex passwords, users often find it difficult to remember the credentials. Thus they turn to the browser to help them remember login credentials. Let’s look at the security issues that arise due to this feature.

Assert Safely: How to use .Net's Assert wisely

by Sangita Pakala in February 2006

.NET’s Code Access Security is a powerful mechanism to ensure that your code is protected from malicious assemblies. In this article, we show you how to use a powerful feature of .NET securely: the assert security action.

Rainbow Cracking and Password Security

by Sam Varughese in February 2006

Passwords are often stored hashed on the premise that significant time is required to brute force a hashed password. The value of password hashes, however, has been undermined by the Rainbow Cracking attack. Rainbow tables readily available today reduce the time required for cracking hashed passwords to minutes. This article presents this recent attack on password hashes.

Two Factor Authentication

by Anoop Mangla in January 2006

Passwords, which are so widely used by applications to authenticate users, are all too easy to guess, crack, steal or compromise. However, teamed with a second factor, they can reduce the chances of an attacker significantly…

PHP Security - Securing the environment

by Nilesh Chaudhari in January 2006

We are starting a new in-depth article series where we will be covering practical suggestions on improving security in applications and securely coding in various programming languages. In this first article we will cover the environment around PHP.

Defeating Bots with CAPTCHAs

by Balaji V in December 2005

Bots are software that crawl through your web site, make automated registrations and attempt automated attacks like password guessing. This article shows how to stop bots in their tracks using a technique called CAPTCHAs.

Securing Documents in Web Applications

by Varun Chaudhry in November 2005

More and more sensitive information is being published online every day. This data could be in the form of simple HTML pages or Adobe’s PDF or Microsoft Word formats. Here we discuss how we can ensure that data sent in any of these forms remains protected and available only to the authenticated user…

Security in SMS Banking

by Sachin Shetty in November 2005

The first part of the SMS banking series included an overview of SMS banking, the components involved in SMS banking and the recommended secure network architecture for SMS banking. In this issue we will see some vulnerabilities in the SMS banking environment that an attacker can make use of, and mitigation techniques for the same…

Implementing SSL

by Shalini Gupta in October 2005

In the September issue of Palisade we discussed how SSL works, what it actually protects against and what it does not. After understanding this, let’s look at how to implement SSL.

Code Obfuscation Part 3 - Hiding Control Flows

by Sonali Gupta in October 2005

In the last two issues we introduced code obfuscation and went in-depth into data structure obfuscation. In this issue we look at control obfuscation, a class of obfuscation techniques that targets the control flow in a program…

Understanding SSL

by Shalini Gupta in September 2005

What comes to mind when you think of a secure web application? SSL. How does SSL work? Does SSL offer complete protection? This article tries to answer some of these questions. We’ll discuss how SSL works and what it actually protects against and what it does not…

Code Obfuscation - Part 2: Obfuscating Data Structures

by Sonali Gupta in September 2005

Continuing from the earlier parts in this article series, Sonali looks at data obfuscation, a class of obfuscation techniques that targets the data structures in a program. She presents the different methods of data obfuscation with examples and also analyzes their quality…

SMS Banking

by Sachin Shetty in September 2005

When people are hard pressed for time, the need for “anytime anywhere” banking gains utmost importance. Bearing this in mind, banks provide a novel service which gives retail customers account information and real-time transaction capabilities from their cell phones. In this article we understand a typical SMS banking setup…

Using browser refresh to expose passwords

by Balaji V in August 2005

The back, forward and refresh buttons of the browser can be used to steal the password of a previous user. In this article we examine the vulnerability and look at ways to solve it…

Code Obfuscation

by Sonali Gupta in August 2005

Source code is often distributed in an insecure manner. Java and .NET programs retain practically all the information of the original source code. This makes them much easier to reverse engineer than traditional applications which are distributed as native code. It is essential to protect an application against reverse engineering. In this article we will look at code obfuscation…

Secure your sessions with Page Tokens

by Sangita Pakala in August 2005

Learn how page tokens can enhance the security of your applications beyond the regular session tokens that you already use. We explain a stronger system of session management that critical apps can use today…

Security Enhancements in Visual C++

by Priyali Vibhute in July 2005

Microsoft added several security enhancements in Visual C++ recently: secure versions of vulnerable functions, new functions optimized for security and security switches for the compiler. This article introduces these features and helps developers use them immediately…

Google Hacking - Is your web application secure?

by Balaji V in July 2005

Google hacking is a term that refers to applying advanced searching techniques to access unauthorized information through any search engine. In this article we look at some of the vulnerabilities which are exploited by these techniques and how to safeguard applications from being compromised.

XPath injection in XML databases

by Runa Dwibedi in July 2005

Applications that use XML databases are vulnerable to injection attacks. Read on to find out how XPATH queries are manipulated to access sensitive information…

Cryptanalysis: Collision attack in Hashing

by Prashant Gawade in June 2005

In general, two types of attacks have been found prevalent in hashing: the preimage attack and the collision attack. In this article we look at some of the details of the collision attack, including which hashing algorithms are vulnerable and how difficult it is to perform these attacks.

Security Reverse Proxy

by Sam Varughese in May 2005

Web application vulnerabilities are increasingly being used by attackers to compromise systems on the internet. This has created demand for a mechanism to secure web applications without rewriting the whole application. In this article, we see how a security reverse proxy can be used to provide reasonable security for web applications in an organization.

Steganalysis

by Sonali Gupta in May 2005

Steganalysis is the technology that attempts to defeat steganography—by detecting the hidden information and extracting or destroying it. Let us look at these interesting techniques that extract or destroy the hidden data from the Stego-object (the modified medium with the hidden information).

Fighting Keyloggers

by Sachin Shetty in April 2005

Internet usage is increasing by the day; so is the number of cyber crimes. Stealing sensitive information of naive users is a favorite with attackers. One method of stealing user passwords is with the help of keyloggers. Find out more about keyloggers and the prevention techniques…

Source Code Analyzers

by Manu Puthumana in March 2005

As early as the year 2002, Gartner’s research had shown that over 70% of all successful attacks make use of application vulnerabilities. And the last thing we do in security is looking at our own code for any problems. Coding is tough enough, and secure coding from the word go itself can sometimes seem an almost impossible task. However, we do have some good news.

Backdoors and Trojans in Applications

by Gaurav Shukla in December 2004

A backdoor is a secret or unauthorized channel for accessing a computer system. In an attack scenario, hackers install backdoors on a machine, once compromised, to access it more easily at later times…

Introduction to Code Obfuscation

by Shaheem Motlekar in December 2004

Obfuscation means “to make difficult to perceive or understand”. Code obfuscation in the programming world means making code harder to understand or read, generally for privacy or security purposes. Security through obscurity has long been viewed with disregard in the security community. However, there are applications where obscurity can provide a higher level of protection to its source code. Recent theories have shown the usefulness of this technique; a popular paper, Code Obfuscation techniques by Collberg, shows just that.

Of Captchas, Gimpys and BaffleText …

by Andres Desa in November 2004

Automated computer programs, or bots, can repeatedly hit your web site and execute thousands of requests a minute. These bots can mount brute force attacks to break passwords, automate registrations, fake large volumes of support queries, etc. If you haven’t taken protection against these yet, you might want to evaluate the options. In this article, we look at the state of the art in foiling bots…

Same User, Different Privileges

by Sangita Pakala in October 2004

Frequently, applications have to assign a different privilege level to a user when he accesses it from the internet, versus the internal network. An employee might thus get only read privileges to some pages over the Internet, but update privileges internally. How can the application enforce this securely? Here we discuss the various options…

Securing Database Connection Strings

by Sonali Gupta in September 2004

In today’s systems, we check applications for vulnerabilities, write safer code and encrypt data communication; but we often overlook the database connection string. A connection string specifies the parameters for an application to connect to a database: it holds a lot of critical information including the username and password for accessing the database. Applications traditionally pass and store connection strings in plain text. An adversary could get this data if he has access to the machine. So what is the solution to this problem?

Automated Application Vulnerability Scanners

by Roshen Chandran in August 2004

Organizations have been looking at Application Vulnerability Scanners to automate the task of assessing the security of applications. This article explains how these scanners work, where to use them and where they are inadequate.

Passwords - In Memory Still Green

by Sangita Pakala in August 2004

Passwords are the keys to applications. Any user will want to protect his/her password from others, especially attackers. That is a good practice, but is not enough.

Threat Modeling

by Sangita Pakala in July 2004

Threat modeling is a structured approach to identifying and planning mitigation for all the threats to any application.