Wednesday, October 31, 2007

OWASP - .NET Web Services Hacking

.Net Web Services Hacking - Scan, Attacks and Defense
The following topics will be covered:
1. Web Services discovery strategies in Web 2.0 applications
2. Scanning and profiling Web Services
3. Attacking and fuzzing Web Services for vulnerability detection
4. Defense strategies for Web Services with content filtering (HttpModule) - a Web Services firewall

Some of the content is drawn from my books, "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA".

Looking forward to seeing the OWASP and WASC folks.

Monday, October 15, 2007

web2wall: Web Application/Services Firewall - IHttpModule for Web 2.0 applications

Microsoft's .NET Framework includes two interfaces, IHttpModule and IHttpHandler. A module built on them can provide application-level defense tailored to the whole application, a single folder, or an individual parameter. Because IIS invokes HTTP modules on every request before the page or Web Service handler runs, such a module acts as a first line of defense: a request never reaches the application's own source code unless the module lets it through. This is Web application defense at the gates for the .NET Framework on IIS.

Web2wall is a small binary module that can be loaded into a Web 2.0 application. It lets you defend your application-layer code with regex patterns, which can be used to filter incoming XML and JSON streams. The tool is in beta; more features will be added over time and bugs will be fixed to make the module more robust.
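The module below is an added example of the approach described above, written for this page; it is not the web2wall source. It hooks BeginRequest, so it runs before any .aspx or .asmx handler, applies a small set of regex deny rules to the query string and the raw request body (SOAP/XML or JSON), and short-circuits the pipeline with a 403 on a match. The protected folder name, the rule patterns, the body size limit and the web.config registration shown in the comment are assumptions for the demo.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Illustrative request-filtering module (added example, not web2wall code).
//
// Registration in web.config (IIS 6 / classic pipeline):
//   <system.web>
//     <httpModules>
//       <add name="RegexRequestFilter" type="RegexRequestFilterModule" />
//     </httpModules>
//   </system.web>
// For the IIS 7 integrated pipeline the same <add> goes under
// <system.webServer><modules>.
public class RegexRequestFilterModule : IHttpModule
{
    // Assumed: only requests under this virtual folder are inspected.
    private const string ProtectedFolder = "/services/";

    // Assumed: bodies larger than this are rejected instead of buffered.
    private const long MaxBodyBytes = 1024 * 1024;

    // Sample deny rules applied to query string and raw body. A real rule
    // set is application specific; these are demo values only.
    private static readonly Regex[] DenyRules = new Regex[]
    {
        // script tag, including "< script" with whitespace after '<'
        new Regex(@"<\s*script\b", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        // quote followed by OR/AND, a classic SQL injection probe
        new Regex(@"(?:'|%27)\s*(?:or|and)\b", RegexOptions.IgnoreCase | RegexOptions.Compiled),
        // entity declaration inside an XML payload
        new Regex(@"<!ENTITY\b", RegexOptions.IgnoreCase | RegexOptions.Compiled)
    };

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before any handler (.aspx or .asmx) is invoked.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Folder-level scope: everything outside the protected folder passes.
        if (!request.Path.StartsWith(ProtectedFolder, StringComparison.OrdinalIgnoreCase))
            return;

        if (request.ContentLength > MaxBodyBytes)
        {
            Reject(app, 413, "Request Entity Too Large");
            return;
        }

        string subject = request.Url.Query + "\n" + ReadBody(request);

        foreach (Regex rule in DenyRules)
        {
            if (rule.IsMatch(subject))
            {
                Reject(app, 403, "Forbidden");
                return;
            }
        }
    }

    // Read the raw body and rewind so the Web Service handler can still read it.
    private static string ReadBody(HttpRequest request)
    {
        Stream input = request.InputStream;
        if (input.Length == 0)
            return string.Empty;

        byte[] buffer = new byte[input.Length];
        input.Position = 0;
        int total = 0;
        while (total < buffer.Length)
        {
            int read = input.Read(buffer, total, buffer.Length - total);
            if (read <= 0) break;
            total += read;
        }
        input.Position = 0;
        return request.ContentEncoding.GetString(buffer, 0, total);
    }

    private static void Reject(HttpApplication app, int status, string reason)
    {
        HttpResponse response = app.Context.Response;
        response.Clear();
        response.StatusCode = status;
        response.StatusDescription = reason;
        response.ContentType = "text/plain";
        response.Write("Request blocked by filter.");
        // End the pipeline here: no handler or page code runs for this request.
        app.CompleteRequest();
    }
}
```

The rewind in ReadBody matters: if the module consumes InputStream without resetting Position, the downstream Web Service handler sees an empty SOAP or JSON body. Regex rules of this kind are a first line of defense only; they do not decode nested encodings, so schema validation, parameterized queries and output encoding in the application code are still required.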

Download

Saturday, October 06, 2007

AppCodeScan - Application Code Scanning tool

This tool is designed to help with whitebox testing. During whitebox testing one needs to scan the complete application code for vulnerabilities such as XSS, SQL injection and poor validation. This tool discovers candidate vulnerable points, and one can then walk the code base from each hit to trace the vulnerability. It works in the following two areas:

Code Scanning - One feeds in the target code folder, a set of rule patterns as regexes (a sample set is provided for ASP) and the list of file extensions to scan. The tool runs these against the target folder to a depth of three (3) and scans each line for a matching pattern. Any line that matches is reported in the tool.
Code Walker - This small utility walks the code base looking for a given variable or function name. It helps trace a variable along its entire path through a large code base, which is what is needed to weed out false positives among the identified patterns.


This tool runs on the .NET Framework and is still in an initial beta state. We are working on it and more features will be added.
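As an added illustration of the two functions described above (this is example code written for this page, not the AppCodeScan source), the program below walks a source tree to a fixed depth, matches every line of every file with a listed extension against a set of regex rules, and reports file, line number, rule name and the matching line. The Walk function reuses the same scanner with a single word-boundary rule for one identifier, which is the Code Walker idea: follow a flagged variable from where untrusted input enters to where it reaches a sink. The sample ASP rules, the extension list and the depth convention (root is depth 0, three folder levels below it are scanned) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example in the style of AppCodeScan; not the tool's own code.
public class Finding
{
    public readonly string File;
    public readonly int Line;
    public readonly string Rule;
    public readonly string Text;

    public Finding(string file, int line, string rule, string text)
    {
        File = file; Line = line; Rule = rule; Text = text;
    }

    public override string ToString()
    {
        return File + "(" + Line + "): [" + Rule + "] " + Text;
    }
}

public static class AppCodeScanDemo
{
    // Assumed depth convention: root = 0, scan three folder levels below it.
    public const int MaxDepth = 3;

    // Sample classic ASP rules: sources of untrusted input and dangerous sinks.
    // These are demo patterns, not the tool's bundled ASP rule file.
    public static readonly Dictionary<string, Regex> AspRules = new Dictionary<string, Regex>
    {
        { "untrusted input",
          new Regex(@"\bRequest(\.(QueryString|Form|Cookies|ServerVariables))?\s*\(", RegexOptions.IgnoreCase) },
        { "XSS sink",
          new Regex(@"\bResponse\.Write\b", RegexOptions.IgnoreCase) },
        { "SQL built by concatenation",
          new Regex(@"\b(SELECT|INSERT|UPDATE|DELETE)\b[^""]*""\s*&", RegexOptions.IgnoreCase) }
    };

    // Code Scanning: every line of every matching file, down to MaxDepth.
    public static List<Finding> Scan(string root, string[] extensions, Dictionary<string, Regex> rules)
    {
        List<Finding> findings = new List<Finding>();
        ScanFolder(root, 0, extensions, rules, findings);
        return findings;
    }

    private static void ScanFolder(string folder, int depth, string[] extensions,
                                   Dictionary<string, Regex> rules, List<Finding> findings)
    {
        if (depth > MaxDepth) return;

        foreach (string file in Directory.GetFiles(folder))
        {
            string ext = Path.GetExtension(file).ToLowerInvariant();
            if (Array.IndexOf(extensions, ext) < 0) continue;

            string[] lines = File.ReadAllLines(file);
            for (int i = 0; i < lines.Length; i++)
                foreach (KeyValuePair<string, Regex> rule in rules)
                    if (rule.Value.IsMatch(lines[i]))
                        findings.Add(new Finding(file, i + 1, rule.Key, lines[i].Trim()));
        }

        foreach (string sub in Directory.GetDirectories(folder))
            ScanFolder(sub, depth + 1, extensions, rules, findings);
    }

    // Code Walker: every line that mentions one identifier, so a variable
    // flagged by Scan can be followed source to sink or dismissed as noise.
    public static List<Finding> Walk(string root, string[] extensions, string identifier)
    {
        Dictionary<string, Regex> rule = new Dictionary<string, Regex>
        {
            { "ref " + identifier,
              new Regex(@"\b" + Regex.Escape(identifier) + @"\b", RegexOptions.IgnoreCase) }
        };
        return Scan(root, extensions, rule);
    }

    // Usage: AppCodeScanDemo <folder>              (rule scan)
    //        AppCodeScanDemo <folder> <identifier> (walk one name)
    public static void Main(string[] args)
    {
        string[] extensions = { ".asp", ".inc" }; // assumed extension list
        if (args.Length == 0)
        {
            Console.WriteLine("usage: AppCodeScanDemo <folder> [identifier]");
            return;
        }
        List<Finding> results = args.Length > 1
            ? Walk(args[0], extensions, args[1])
            : Scan(args[0], extensions, AspRules);
        foreach (Finding f in results)
            Console.WriteLine(f);
    }
}
```

A typical session runs the rule scan first, picks a hit such as a Request("id") source, then runs Walk on that parameter's variable name to see whether it reaches Response.Write or a query string unencoded; a hit whose value is validated or encoded along the way is the false positive the Code Walker is meant to eliminate.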

Download and Play

Tuesday, October 02, 2007

[Dubai-ISACA] I-SAFE Information Governance in this e-World

Speaking on - EMERGING TECHNOLOGIES: Web 2.0 on the rise and related technologies, strategies and security

This presentation covers emerging Web technologies in detail, with real-life cases and demonstrations. The session then explores the security issues growing around these vectors and the threats associated with them. Attendees will come away with enough know-how on emerging Web technologies to apply it in their workplace.

Read More