August 2006
Session Riding Attacks
by Balaji V
A session riding attack (also called a Cross-Site Request Forgery attack) is a technique for spoofing requests on behalf of other users. It lets adversaries spoof online transactions, modify user details and siphon off funds. And that’s only the beginning. In this article, we show how the attack works and the defenses we need to put in place. The key to understanding session riding is cookie-based session management, the most popular form of session management. So, let’s turn to that first.
Anti-Phishing Techniques - Protection Measures
by Jose Varghese, CISSP, GSEC, GCIH, CBCP, BS7799 LA
If you are an Internet Banking user, you are probably already aware of phishing. If you are charged with the responsibility for building and operating an e-commerce application, phishing is probably one of your top 3 concerns. Statistics indicate that more than 1000 phishing attacks are launched every month. To minimize the impact of phishing attacks we need to look at protection, detection and response measures.
Are Complex Passwords Really Necessary?
by Roshen Chandran, CISSP
Why it’s silly to enforce passwords like “2@$Rw0rd~” in web applications. Insist on complex passwords in your Windows LAN, but not in your web applications. In this issue we put complex passwords in perspective. We first discuss how they enhance the security of Windows LANs, and then show why they are less relevant for web apps.
Quiz: Identifying buffer overflow attack
An attacker enters a long nasty looking string into the date field. The input overwrites parts of the running program and executes commands on the server. What type of attack just took place?
- SQL Injection attack
- Buffer Overflow attack
- Cross Site Scripting attack
