[SC-L] Announcement: The Web Application Firewall Evaluation Criteria v1
The Web Application Firewall Evaluation Criteria project is proud to announce its first public release. The goal of the project is to develop a detailed web application firewall evaluation criteria; a testing methodology that can be used by any reasonably skilled technician to independently assess quality of a web application firewall. The primary purpose of this release is to solicit comments from the public. You can download the current version of the evaluation criteria from the project home page: http://www.webappsec.org/projects/waf_evaluation/ The project is open to contributors. Please join the project mailing list if you would like to comment on the draft release, or to participate in our future efforts. Regards, [EMAIL PROTECTED] - The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
[SC-L] WASC Threat Classification in 4 languages
The Web Application Security Consortium (WASC) is announcing the availability of the Web Security Threat Classification in English, Japanese, Spanish, and Turkish. The material is open source and provided in TXT, PDF, and DOC formats. The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues. Download: http://www.webappsec.org/projects/threat/ About WASC: The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best- practice security standards for the World Wide Web. Regards, Robert Auger [EMAIL PROTECTED] - The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
[SC-L] WASC-Articles: 'DOM Based Cross Site Scripting or XSS of the Third Kind: A look at an overlooked flavor of XSS'
The Web Application Security Consortium is proud to present 'DOM Based Cross Site Scripting or XSS of the Third Kind: A look at an overlooked flavor of XSS ' written by Amit Klein. In this article Amit focuses on a little known variant of Cross Site Scripting which attacks a user's client without sending malicious content to the web server. This document can be found at http://www.webappsec.org/projects/articles/071105.shtml . Regards, - Robert Auger articles_at_webappsec.org http://www.webappsec.org Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquires can be sent to articles_at_webappsec.org "Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field."
[SC-L] WASC-Articles: 'Common Security Problems in the Code of Dynamic Web Applications' By Sverre H. Huseby
The Web Application Security Consortium is proud to present 'Common Security Problems in the Code of Dynamic Web Applications' written by Sverre H. Huseby. "In the last few years an increasing number of web programmers have started realizing that the code they write for a living plays a major part in the overall security of a web site. Even though the administrators install state of the art firewalls, keep off-the-shelf software patched and protect communication with heavy encryption, there are many ways to attack the logic of the custom-made application code itself. There is seemingly an infinite number of different logical glitches that may lead to exploitable security problems in a web application. But even though the number of glitches may be infinite, many of the most frequently occurring glitches may be put in one of the following, rather limited set of categories: * Failure to deal with metacharacters of a subsystem * Authorization problems due to giving too much trust in input That's only two categories, and they cover much of the web application security hype published in the last eight years or so." This document can be found at http://www.webappsec.org/projects/articles/062105.shtml . Regards, - Robert Auger articles_at_webappsec.org http://www.webappsec.org Are you interested in writing a 'Guest Article' for the WASC? Additional information on article guidelines may be found at http://www.webappsec.org/articles/. Inquires can be sent to articles_at_webappsec.org "Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field." http://www.webappsec.org";>http://www.webappsec.org
[SC-L] Announcement: The Web Security Mailing List
The Web Application Security Consortium (WASC) is proud to present 'The Web Security Mailing List'. What is The Web Security Mailing List? The Web Security Mailing List is an open information forum for discussing topics relevant to web security. Topics include, but are not limited to, industry news and technical discussions surrounding web applications, proxies, honeypots, new attack types, methodologies, application firewalls, discoveries, experiences, web servers, application servers, database security, tools, solutions, and others. To post a message send an email to: [EMAIL PROTECTED] Subscribe by sending email to: [EMAIL PROTECTED] Unsubscribe by sending email to: [EMAIL PROTECTED] Regards, - Robert Auger contact_at_webappsec.org http://www.webappsec.org The Web Security Mailing List Charter http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/