KEEP YOUR WEB APPLICATIONS SECURE – FREE TEASER

Download: eForensics_21_2013_teaser.pdf

Dear Readers,

Our new issue "Keep Your Web Applications Secure" is going to be published on Monday, but you now have a chance to check out a free teaser of the issue! Enjoy!

1. STEP BY STEP GUIDE TO APPLICATION SECURITY PENETRATION TEST. WEB APPLICATION SECURITY by Abhishek Dashora

This document will guide you through penetrating web applications; OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) were followed to construct this article.

2. WEB ATTACKS: BYPASSING WEB APPLICATION FIREWALLS THROUGH SQL INJECTION by Akansha Kesharwani

This paper is for education purposes only, and before this documentation was produced the vulnerability was reported to the website owner. We do not support live web attacks without proper authority from the owner of the targeted website. Please follow the cyber laws of your country before doing any testing on live domains. We do not hold any responsibility for any attack performed by you on a website, blog or anything else.

3. MOBILE SECURITY – A PRACTICAL APPROACH by Amar Wakharkar, Amar Prakash and Abhijit Potdar

This is the era of information security; we have already set a milestone for the web application test scenario. Most of the vulnerabilities are identified by the combined effort of various security people, and now we are shifting our need from desktops or laptops toward mobiles or smart phones. All the standard best practices are going to be rewritten in the mobile or smart-phone-enabled world; data storage, distribution of data, application and device security have brought our focus to re-evaluating the risk and re-designing the security countermeasures. The traditional mode of risk management within the enterprise using perimeter controls is not sufficient, as the existing framework has been broken. IT consumerism has changed the IT landscape, and IT administrators now support a myriad of systems which provide flexibility as well as various choices that benefit end users. Also, ensuring data and application security within a secure enterprise infrastructure is critical to the success of mobility initiatives.

4. BUILDING SECURE SOFTWARE – PART I by Bryan Soliman

Many security practitioners have gotten used to a world in which having security problems in software is common, and even acceptable. Some people even assume that it is too hard to get developers to build secure software, so they don't raise the issue. Instead, they focus their efforts on "best-practice" network security solutions, erecting firewalls, and trying to detect intrusions and patch known security problems in a timely manner.

5. COORDINATED ATTACK ANATOMY by Varun Srivastava

CSA (Cloud Security Alliance) introduced the 9 looming threats to cloud security along with recommended controls to potentially neutralize the threat to cloud computing. Service providers, and even more so enterprises, might be slow to realize the need for rapid adaptation of risk and threat response for their cloud infrastructure. And that is the opportunity which attackers utilize to plan, coordinate and execute carefully articulated breaches in supposedly the most guarded of organizations.

6. MANAGING THE RISKS IN THE SOFTWARE SUPPLY CHAIN by Mark Merkow, CISSP, CISM, CSSLP

Any modern software application is dependent on tools and other applications that originate from outside the organization. You may or may not have any idea of their provenance or know of any way to gain any level of assurance that they were created with security in mind. You don't write your own compilers, database servers, Web servers, middleware, or other critical software elements, but you need some basic information to gain assurance that they don't serve as the weakest links in the software and systems supply chain.

7. HOW TO DISABLE OR CHANGE THE WEB-SERVER SIGNATURE by Mohit Raj

To know the Web-server signature means to know the Web-server software and its version, i.e. which software, and which version of it, is running on the server machine. Many newly developed websites easily show their signature.

8. GOOGLE HACKING by Rafael Souza (CISO of Hackers Online Club)

Readers, I will introduce a little about a very interesting technique, Google Hacking, which is key to investigation whether we are doing a pentest or protecting our organization or an individual item.
Google Hacking is the activity of using the site's search capabilities, aiming to attack or better protect a company's information. The information available on the company's web servers is likely to be in Google's databases.

9. THE BEGINNING OF THE WEB PAGES AND ETHICAL HACKER by Rafael Souza (CISO of Hackers Online Club)

The evolution of technology reached a point that necessitated the emergence of communication protocols; then came the spread of the HTTP protocol and, initially, the HTML language. In the early 90s, web pages became a major means of communication between users, governments, institutions and professionals.
The "HyperText Transfer Protocol" is an application protocol responsible for handling requests and responses between "client and server" in the "World Wide Web". It came up with the purpose of distributing information over the Internet and of enabling communication between computers, whose specifications would be performed as transactions between clients and servers through the use of rules.

10. WE ARE THE BEST TOOL FOR WEB APPLICATION SECURITY by Rafael Souza (Co-Founder of Grey Hat)

It is known that computers and software are developed and designed by humans; human error is a reflection of a mental response to a particular activity.
Did you know that numerous inventions and discoveries are due to misconceptions?
There are levels of human performance based on the behavior of mental response. Explaining more comprehensively: we humans tend to err, and for this reason we are the greatest tool for finding these errors; even the software for analysis and vulnerability scanning was developed by us.

11. ZED ATTACK PROXY (ZAP) by Ronan Dunne and Anthony Caldwell

Given the range of designs, platforms and implementations of web applications, testing web applications and providing a comprehensive report can be a daunting challenge for even the experienced pen tester. The Zed Attack Proxy (ZAP) is a great all-round testing tool used in the industry to automate parts of the process while allowing the flexibility of manual techniques to be leveraged.

12. INJECTIONS (SQLI AND XSS): STILL REMAIN A SERIOUS THREAT IN THE WEB SPACE by Uday Bhaskar

With most day-to-day practices such as banking, finance, insurance, health, shopping and many application software packages making their way from desktops to the web, there has been a tremendous increase in online web-based applications in recent years. And as the usage of web applications increases, the chances of misuse of the applications increase. Keeping these aspects in mind, this article provides a deep dive into two of the most notorious vulnerabilities of the application security space: Injections and Cross Site Scripting (XSS). This article mainly covers the attacker's perspective of these two vulnerabilities.

13. 3-PILLAR SECURITY ASSURANCE TEAM STRUCTURE FOR ENSURING ENTERPRISE-WIDE WEB APPLICATION SECURITY by Vedachalam Mahadevan

With the growing concern over web application security, enterprises have realized the need to invest in security assurance programs to ensure the safety of their websites exposed over the internet. These investments are typically in the areas of: a) application security scan tools, b) network and firewall components, and c) security QA, QC, policy and governance teams.

14. WEB SECURITY XSS by Vineet Bhardwaj

We saw above how a hacker can find out that a website is vulnerable. But now most sites can't easily accept XSS scripts, because the website has its own firewall to stop these types of scripts. So how can you get your scripts past a firewall installed on the web server which won't allow your scripts to pass through the comment box or search box? This is a big question for anyone who doesn't know how to bypass it with their malicious scripts. Let me show some bypassing techniques.

15. WEB APPLICATION THREATS by Zain Ur Rehman

Since the dawn of cloud computing, more and more people are conducting research and business, sharing information and correlating data through web applications. Whenever someone uses a browser to connect to a specific website, they are using one or more web applications. These applications reduce the cost of local processing by doing it on the server's end.

16. PASSWORDS: REQUIREMENT FOR A STRONG PASSWORD by Manish Kumar

A password is a string of characters or a secret word, and it is used for authentication purposes. Passwords are the most popular and secure way to protect confidential information or to add security to any device/platform to avoid unauthorized access.


July 30, 2021
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023