Archive for the ‘Web Application Security Guide’ Category

Seducing the Client – How the attacker manipulates the client side of a Web Application to do things that it is not supposed to do

03 | 01 | 2012

“Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards.

So in war, the way is to avoid what is strong and to strike at what is weak.” – Sun Tzu, On The Art of War, emphasizing the effectiveness of attacking the point of least resistance.

Welcome to the fourth article in the “The Neophyte Web Developer’s Guide to practical Web Application Security” series. In the previous chapters of this basic web developer’s security reckoner we have learned about the various factors and security concerns surrounding a web application, and how an attacker gathers knowledge about the web application infrastructure that can later be turned into leverage. We have also learned about the ways in which an attacker gains insight into the internal workings of a web application for the purpose of targeted attacks. Since the previous episodes covered a lot of ground on the basic theory and the mindset of an attacker, it is time to learn about the practical methods he uses to breach a web application.

Building the Web Application Blueprint, or Surveying and Mapping the Web Application – How the attacker learns about the inner workings of a Web Application

25 | 10 | 2011

“Whether the object be to crush an army, to storm a city, or to assassinate an individual, it is always necessary to begin by finding out the names of the attendants, the aides-de-camp, and door-keepers and sentries of the general in command.” – Sun Tzu, On The Art of War, emphasizing the value of spies and of foreknowledge about the target.

Welcome to the third article in the “The Neophyte Web Developer’s Guide to practical Web Application Security” series. In the first two parts of this basic security reckoner we have learned about the various factors and security concerns surrounding a web application, and how an attacker gathers knowledge about the web application infrastructure that can later be turned into leverage. In this third installment we are going to look at the more hands-on ways in which a web application is surveyed and mapped into a complete schematic that can aid an attacker in successfully breaching it. The goal of this phase is to get a complete picture of how the web application behaves under various scenarios, of how it actually works, and of the services it offers.

The Recon Game – The Tales before the actual attack – How attackers gain insight into a target web application infrastructure

12 | 07 | 2011

Welcome to the second article in the “The Neophyte Web Developer’s Guide to practical Web Application Security” series. In the first part of this basic security reckoner (available here) we have learned about the various factors involved in a web application and the various security concerns surrounding such an application. We have taken a glance at some of the common threat concepts and the generic steps followed by malicious outsiders to gain access to a web application stack.

Before taking a broader look at each threat scenario and the programmatic concerns associated with it, we are going to uncover the common ways in which a malicious entity trying to gain unwarranted access to a web application obtains a basic foothold on a system. The second session of this series is dedicated to the reconnaissance steps of an attack, which are used to build a complete blueprint of the target application server and the resources associated with it. What an attacker does in this recon stage is of great importance: the information gathered here precedes the actual attack and defines the options available for breaking into the target application. The modus operandi of the actual attack is formulated from the information gleaned in this phase, and it gives the attacker enough familiarity with the innards of the system to take down a web application with a single decisive blow.