Website Security Tests Protect Against Application Vulnerabilities
Author: Avi D. Bartov
Introduction

More than four out of every five (85 percent) U.S. businesses have experienced a data breach, according to a recent study by Colchester, Conn.-based law firm Scott + Scott, putting millions of consumers' Social Security numbers and other sensitive information in the hands of criminals.

If a website’s server and applications are not protected from security vulnerabilities, identities, credit card information, and billions of dollars are at risk. Unfortunately, firewalls do not provide enough protection.


Firewalls, IDS, IPS Are Not Enough

Attackers are well-aware of the valuable information accessible through Web applications, and their attempts to get at it are often unwittingly assisted by several important factors. Conscientious organizations carefully protect their perimeters with intrusion detection systems and firewalls, but these firewalls must keep ports 80 and 443 (SSL) open to conduct online business. These ports represent open doors to attackers, who have figured out thousands of ways to penetrate Web applications.

Network firewalls are designed to secure the internal network perimeter, which leaves organizations exposed to attacks aimed at the application layer. Intrusion Detection and Prevention Systems (IDS/IPS) do not thoroughly analyze packet contents. Applications without an added layer of protection therefore carry a higher risk of harmful attacks and extreme vulnerabilities.


Extreme Vulnerabilities

In the past, security breaches occurred at the network level of the corporate systems. Today, hackers are manipulating web applications inside the corporate firewall. This entry enables them to access sensitive corporate and customer data. The standard security measures for protecting network traffic do not protect against web application level attacks.


OWASP’s Top 10 Web Application Security Vulnerabilities 2007

Open Web Application Security Project (OWASP), an organization that focuses on improving the security of application software, has put together a list of the top 10 web application security vulnerabilities.

1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access


Web Application Security Consortium Most Common Vulnerabilities Report

The Web Application Security Consortium (WASC) reported the top five web application vulnerabilities by testing 31,373 sites.

According to the Gartner Group, “97% of the over 300 web sites audited were found vulnerable to web application attack,” and “75% of the cyber attacks today are at the application level.”


Web application vulnerability assessment

From the information above it’s clear that most e-commerce websites are wide open to attack and easy victims when targeted. Intruders need only to exploit a single vulnerability.

A web application scanner, which protects applications and servers from hackers, must provide an automated internet security service that searches for software vulnerabilities within web applications.

A web application scan should crawl the entire website, analyze each and every file in depth, and display the entire website structure. The scanner has to perform an automatic audit for common network security vulnerabilities while launching a series of simulated web attacks. A Web Security Seal and a free trial should be available.

A web application vulnerability assessment should execute continuous dynamic tests combined with simulated web-application attacks during the scanning process.

The web application scanner must have a continually updated service database. A website security test should identify the security vulnerabilities and recommend the optimally matched solution.

The vulnerability check has to deliver an executive summary report to management and a detailed report to the technical teams with the severity levels of each vulnerability.

It is recommended that the detailed report include an in-depth technical explanation of each vulnerability as well as appropriate recommendations. The website security test will conduct subsequent vulnerability scans and generate trend analysis reports that allow the customer to compare tests and track progress.
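
The reporting requirements described above (severity levels for each finding, an executive summary for management, a detailed report with remediation for the technical teams, and trend analysis across repeated scans) can be shown concretely. The following Python is an added example, not code from this article or from GamaSec's service; the category names are the OWASP 2007 list quoted earlier, while the hypothetical site, its findings and the remediation text are constructed for illustration.

```python
"""Added example: the reporting half of a web application vulnerability assessment.

Findings are keyed by (category, location) so that two scans of the same site
can be compared.  The OWASP 2007 category names come from the article; the site,
its findings and the remediation text are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Sort order for severity levels: highest first in the detailed report.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Generic remediation advice per OWASP 2007 category (constructed, abbreviated).
REMEDIATION = {
    "Cross Site Scripting (XSS)": "Encode output for its HTML/JS/URL context; validate input.",
    "Injection Flaws": "Use parameterised queries/APIs; never build commands from raw input.",
    "Malicious File Execution": "Never pass user input to include/require or file APIs.",
    "Insecure Direct Object Reference": "Authorise every object access server-side.",
    "Cross Site Request Forgery (CSRF)": "Require a per-session anti-CSRF token on state changes.",
    "Information Leakage and Improper Error Handling": "Return generic errors; log details server-side.",
    "Broken Authentication and Session Management": "Use the framework's session handling; rotate IDs on login.",
    "Insecure Cryptographic Storage": "Use vetted algorithms and key management; hash passwords with a slow KDF.",
    "Insecure Communications": "Serve all sensitive traffic over TLS.",
    "Failure to Restrict URL Access": "Enforce access control on every URL, not only in navigation.",
}


@dataclass(frozen=True)
class Finding:
    category: str   # one of the OWASP 2007 category names
    location: str   # URL path (and parameter) where the issue was observed
    severity: str   # "high", "medium" or "low"
    detail: str = ""

    @property
    def key(self):
        """Identity of a finding across scans: same category at the same location."""
        return (self.category, self.location)


def executive_summary(findings):
    """Management view: totals per severity plus the most frequent categories."""
    by_severity = Counter(f.severity for f in findings)
    by_category = Counter(f.category for f in findings)
    return {
        "total": len(findings),
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITY_ORDER},
        "top_categories": [c for c, _ in by_category.most_common(3)],
    }


def detailed_report(findings):
    """Technical view: one line per finding, highest severity first, with remediation."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.category, f.location))
    return [
        f"[{f.severity.upper()}] {f.category} at {f.location}: {f.detail} "
        f"Fix: {REMEDIATION.get(f.category, 'See category guidance.')}"
        for f in ordered
    ]


def trend(previous, current):
    """Compare two scans of the same site: what was fixed, what is new, what persists."""
    prev_keys = {f.key for f in previous}
    cur_keys = {f.key for f in current}
    return {
        "fixed": sorted(prev_keys - cur_keys),
        "new": sorted(cur_keys - prev_keys),
        "persisting": sorted(prev_keys & cur_keys),
    }


# Constructed sample data: two scans of a hypothetical shop, a month apart.
SCAN_1 = [
    Finding("Injection Flaws", "/search?q=", "high", "SQL error text echoed for a quoted parameter."),
    Finding("Cross Site Scripting (XSS)", "/profile?name=", "high", "Parameter reflected unencoded."),
    Finding("Insecure Communications", "/login", "medium", "Form posts over plain HTTP."),
    Finding("Information Leakage and Improper Error Handling", "/admin/old.php", "low", "Stack trace shown."),
]
SCAN_2 = [
    Finding("Cross Site Scripting (XSS)", "/profile?name=", "high", "Parameter reflected unencoded."),
    Finding("Insecure Communications", "/login", "medium", "Form posts over plain HTTP."),
    Finding("Cross Site Request Forgery (CSRF)", "/cart/checkout", "medium", "No anti-CSRF token on the form."),
]

if __name__ == "__main__":
    print(executive_summary(SCAN_2))
    print("\n".join(detailed_report(SCAN_2)))
    print(trend(SCAN_1, SCAN_2))
```

Keying findings by category and location is what makes the trend report meaningful: a finding that disappears between scans counts as fixed, one that appears counts as new, and anything still present persists, so a customer can track progress between tests as the article describes.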

GamaSec Overview
GamaSec's offering, GamaScan, is a remote online web vulnerability-assessment service that tests web servers, web-interfaced systems and web-based applications against thousands of known vulnerabilities with dynamic testing and by simulating web-application attacks during online scanning. The service identifies security vulnerabilities and produces recommended solutions that fix, or provide a viable workaround for, the identified vulnerabilities. For more information please visit www.gamasec.com or contact info@gamasec.com.

For a more detailed version of this white paper with illustrations, see Website Security Tests Protect Against Application Vulnerabilities:

http://www.gamasec.com/pdf/WebsiteSecurityTests.pdf

Comments

spyware on May 29 2008 - 23:17:24
Gah, only post original work. If you didn't write it, then just post a link in the forum.
SwartMumba on May 30 2008 - 19:38:33
Ya I agree. This shit of people cving is getting a bit much.
korg on June 11 2008 - 07:53:30
Boring as hell anyway.