After the user has authenticated with WebAuth using an SSO username and password, the PHP script is executed. As you can see, the PHP script is passed a parameter which is the URL of the login page of a Rails application. The only thing the PHP script does is redirect to that URL, passing a parameter that is a base64-encoded string: https://www.abcd.ox.ac.uk:8113/apps/contacts/login?id=base64string. The id parameter is the base64 encoding of an encrypted value containing the username and the current date and time.
We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.
The current study aimed to investigate the mechanism of a selected group of macro viruses spreading among personal computers, with a concentration on the virus called “Concept”, in order to determine the methods needed to diagnose infection by this kind of virus and to select procedural steps to prevent its damaging effects on software and its files.
The .NET Framework is an integral Windows component that supports building and running the next generation of applications and XML Web services. The .NET Framework is designed to fulfill the following objectives:
• To provide a consistent object-oriented programming environment whether object code is stored and executed locally, executed locally but Internet-distributed, or executed remotely.
• To provide a code-execution environment that minimizes software deployment and versioning conflicts.
• To provide a code-execution environment that promotes safe execution of code, including code created by an unknown or semi-trusted third party.
XML Web Services provide a flexible API for building distributed systems as a collection of endpoints that can send and receive SOAP messages. These systems are secured using message-based cryptographic mechanisms defined in a series of specifications developed by Microsoft, IBM, and others. Such home-grown security protocols often go wrong; they are prone to a well-known class of attacks, formalized by Dolev and Yao, where an attacker can intercept, modify, and replay messages. The vulnerability is only increased by the flexible message formats and complex trust configurations allowed by the standards. Our goal is to verify the security of families of protocol configurations, such as those deployed for Microsoft’s WSE and Indigo web services implementations.
Web sites today face many threats to the confidentiality and integrity of the data used and the functionality provided by the application. This problem is compounded by the fact that Web developers simply lack either adequate knowledge and skills for writing secure Web application code (Huang et al., 2005) or sufficient testing methodologies for the audit and control of Web development (Mansouir and Houri, 2006). Work on the design and implementation of security measures for Web applications is greatly needed.
15 Sep
Posted by jj as Security
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns. The security changes described in this document only apply to Microsoft Windows 2000 systems and should not be applied to any other Windows 2000 versions or operating systems.
Although traditional firewalls have effectively prevented network-level attacks, most future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application’s code, regardless of the technology in which the application is implemented or the security of the Web server and backend database on which it is built. A recent advisory published by Internet Security Systems (see the “Internet Resources” sidebar, p. 44) claims that 11 widely deployed shopping cart applications are vulnerable to a simple attack that lets hackers purchase goods for much less than their listed price. Worryingly, the attack does not require particular technical skill; it suffices to save the shopping cart’s HTML confirmation form to disk, use a text editor to modify the price of the goods (stored in a hidden form field), and load the HTML form back into the browser.