Compilation of AppSec Space of the last decade. @CGISECURITY
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP <http://www.owasp.org/> nor WASC <http://www.webappsec.org/> had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks. When I first started this site I admit I didn't know what I was doing, and looked at this site as an excuse to learn more about/discuss web based threats. A lot has happened since I first started this site; here are a few things to put it into perspective.

- The vulnerability used by Code Red/Nimda hadn't yet been discovered
- The Java Struts framework was only a few months old
- The securityfocus webappsec list hadn't been created/renamed yet
- www.incidents.org hadn't been renamed to isc.sans.org yet
- Cross site scripting <http://www.cgisecurity.com/xss-faq.html> was less than a year old
- The term XSS <http://www.cgisecurity.com/xss-faq.html> was less than 6 months old
- You could still find vulnerable PHF <http://www.cert.org/advisories/CA-1996-06.html> machines (so I've been told :)
- Web Application Security was referred to as 'CGI Security', hence why I picked this domain name.
- I was getting between 1-10 unique visitors a day compared to the 2,000-4,000 now.
- Web based worms were theoretical <http://www.cgisecurity.com/anatomy-of-the-web-application-worm.html>
- C# hadn't yet been renamed from "Cool"
- RFP's Responsible Disclosure Policy <http://www.wiretrip.net/rfp/policy.html> was a few months old
- XSS <http://www.cgisecurity.com/xss-faq.html> was lame (oh wait....)
The following security sites didn't exist

- http://jeremiahgrossman.blogspot.com
- http://ha.ckers.org
- http://www.securitybloggersnetwork.com
- http://www.darkreading.com
- http://www.milw0rm.com <http://isc.sans.edu/diary.html?storyid=6751>
- http://www.webappsec.org/
- http://www.owasp.org
- http://www.schneier.com/ (Bruce Schneier's blog)

The following security terms hadn't been published/coined/discovered yet

- CSRF <http://www.cgisecurity.com/articles/csrf-faq.shtml> / XSRF <http://www.cgisecurity.com/articles/csrf-faq.shtml> / Cross-site Request Forgery <http://www.cgisecurity.com/articles/csrf-faq.shtml> / Session Riding / One Click Attacks
- XST <http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>
- HTTP Request Smuggling <http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf>
- HTTP Request Splitting <http://projects.webappsec.org/HTTP-Request-Splitting>
- HTTP Response Splitting <http://www.cgisecurity.com/lib/whitepaper_httpresponse.pdf>
- HTTP Response Smuggling <http://projects.webappsec.org/HTTP-Response-Smuggling>
- Session Fixation <http://projects.webappsec.org/Session-Fixation>
- DOM XSS <http://www.webappsec.org/projects/articles/071105.shtml>
- LDAP Injection <http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml>
- Click Jacking <http://en.wikipedia.org/wiki/Clickjacking>
- Proxy Jacking <http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html>
- Remote File Inclusion <http://projects.webappsec.org/Remote-File-Inclusion>
- MX Injection <http://projects.webappsec.org/Mail-Command-Injection>
- XPath Injection <http://projects.webappsec.org/XPath-Injection>
- XQuery Injection <http://projects.webappsec.org/XQuery-Injection>
- XML Injection <http://projects.webappsec.org/XML-Injection>
- Cyber snarfing (ok I just made that one up <http://www.cgisecurity.com/2009/04/month-of-new-security-buzzwords.html>)
- Integer Overflows <http://projects.webappsec.org/Integer-Overflows> (from a vuln perspective)
- Heap Spraying <http://en.wikipedia.org/wiki/Heap_spraying>
- Double Free <http://cwe.mitre.org/data/definitions/415.html>
- Null Pointer Dereference <http://cwe.mitre.org/data/definitions/476.html> (from an exploitability perspective)
- Zero Allocation Vulnerabilities <http://cwe.mitre.org/data/definitions/476.html>
- Return Oriented Programming <http://en.wikipedia.org/wiki/Return-oriented_programming>

Props to Sensepost <http://www.sensepost.com/blog/> for making it easier to gather this list <http://www.cgisecurity.com/2010/09/zero%20allocation%20vulnerabilities>.

The following browser technologies/terms didn't exist

- httpOnly
- EV-SSL
- X-FRAME-OPTIONS
- Iframe security attribute <http://msdn.microsoft.com/en-us/library/ms534622%28VS.85%29.aspx>
- NoScript <http://noscript.net/>
- HTTP Strict Transport Security <http://en.wikipedia.org/wiki/Strict_Transport_Security>
- Webkit
- Google Chrome
- Firefox <http://en.wikipedia.org/wiki/List_of_web_browsers>
- Tab isolation in browsers such as Chrome didn't exist

The following tools/products/frameworks/technologies did not exist

- Modsecurity <http://www.modsecurity.org/>
- Burp Proxy
- Nikto
- Paros
- PaX <http://pax.grsecurity.net/>
- Metasploit
- ASLR <http://en.wikipedia.org/wiki/Address_space_layout_randomization>
- GRSecurity Kernel Patch <http://grsecurity.net/>
- Microsoft's .NET framework/ASP.NET
- SilverLight
- JavaFX
- Ruby on Rails
- Django
- Google Android
- Apple iPhone and iPod
- OWASP ESAPI

The following security processes/methodologies didn't exist

- Microsoft's Secure Development Lifecycle <http://www.microsoft.com/security/sdl/about/history.aspx>
- DREAD <http://msdn.microsoft.com/en-us/library/aa302419.aspx#c03618429_011>
- BSIMM <http://bsimm2.com/index.php>
- STRIDE <http://msdn.microsoft.com/en-us/magazine/cc163519.aspx>

The following security compliance standards didn't exist

- PCI / PCI-DSS <http://en.wikipedia.org/wiki/Payment_card_industry>

The following security products/projects didn't exist

- WASC Threat Classification <http://projects.webappsec.org/Threat-Classification>
- OWASP Top Ten <http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>
- The Web Security Mailing List <http://www.webappsec.org/lists/websecurity/>
- Daily Dave List <http://lists.immunitysec.com/pipermail/dailydave/>

Cheers,
0xN41K
