Most modern programming languages rely on exceptions for dealing with abnormal situations. Although exception handling was a significant improvement over other mechanisms like checking return codes, it is far from perfect. In fact, it can be argued that this mechanism is seriously limited, if not, flawed. This paper aims to contribute to the discussion by providing quantitative measures on how programmers are currently using exception handling. We examined 32 different applications, both for Java and .NET. The major conclusion for this work is that exceptions are not being correctly used as an error recovery mechanism. Exception handlers are not specialized enough for allowing recovery and, typically, programmers just do one of the following actions: logging, user notification and application termination. To our knowledge, this is the most comprehensive study done on exception handling to date, providing a quantitative measure useful for guiding the development of new error handling mechanisms.
Read the rest of this entry »

• 0 Comments

XML Web Services provide a flexible API for building distributed systems as a collection of endpoints that can send and receive SOAP messages. These systems are secured using message-based cryptographic mechanisms defined in a series of specifications developed by Microsoft, IBM, and others. Such home-grown security protocols often go wrong; they are prone to a well-known class of attacks, formalized by Dolev and Yao, where an attacker can intercept, modify, and replay messages. The vulnerability is only increased by the flexible message formats and complex trust configurations allowed by the standards. Our goal is to verify the security of families of protocol configurations, such as those deployed for Microsoft’s WSE and Indigo web services implementations.
Read the rest of this entry »

• 0 Comments

Although traditional firewalls have effectively prevented network-level attacks, most future attacks will be at the application level, where current security mechanisms are woefully inadequate. Application-level security vulnerabilities are inherent in a Web application’s code, regardless of the technology in which the application is implemented or the security of the Web server and backend database on which it is built. A recent advisory published by Internet Security Systems (see the “Internet Resources” sidebar, p. 44) claims that 11 widely deployed shopping cart applications are vulnerable to a simple attack that lets hackers pur- chase goods for much less than their listed price. Worryingly, the attack does not require particular technical skill; it suffices to save the shopping cart’s HTML confirmation form to disk, use a text editor to modify the price of the goods (stored in a hidden form field), and load the HTML form back into the browser.
Read the rest of this entry »

• 0 Comments

Sharing personal content online is surprisingly hard despite the recent emergence of a huge number of content sharing systems and sites. These systems suffer from several drawbacks: they each have a different way of providing access control which cannot be used with other systems; moving to a new system is a lengthy process and requires registration and invitation of all one’s friends to the new system; and the rules for access control are complicated and become more so as our networks of online friends grow.
Read the rest of this entry »

• 0 Comments

This paper details various security concerns and risks associated with web 2.0 technologies such as Asynchronous Java script and XML (AJAX), Syndication, aggregation and notification of data in RSS or Atom feeds, mashups created by merging content from different sources. This paper also describes the security implications leading with the usage of web 2.0 technologies such as AJAX, RSS, and Mashups. Increase in application functionality leading to the emerging new web technologies (web 2.0). These new web technologies open more avenues to security threats to the online applications and users. Efficient protection mechanisms should be considered when dealing with web 2.0 technologies usage.
Read the rest of this entry »

• 0 Comments

To combat these new threats one needs to look at different strategies as well. In this paper we shall look at different approaches and tools to improve security posture at both, the server as well as browser ends. Listed below are the key learning objectives:
• The need for Ajax fingerprinting and content filtering.
• The concept of Ajax fingerprinting and its implementation in the browser using XHR.
• Processing Ajax fingerprints on the Web server.
• Implementation using ModSecurity for Apache
• Strengthening browser security using HTTP response content filtering of untrusted information directed at the browser in the form of RSS feeds or blogs.
• Web application firewall (WAF) for content filtering and defense against Cross-Site Scripting (XSS)
Read the rest of this entry »

• 0 Comments

The most significant differences between Microsoft’s Network Access Protection architecture and other NAC architectures you see in the iLabs come because Microsoft does not make switches or routers. Therefore, the path for handling enforcement is different, focusing on server enforcement and standards-based switch enforcement. The original intent of MS-NAP was not security, but to find and quarantine non-compliant clients in the enterprise LAN. As the interest in NAC has increased, Microsoft has adjusted their architecture to include more enforcement mechanisms. In early 2007, the Trusted Computing Group (TCG) and Microsoft announced interoperability between TNC and NAP thus opening the door for a single unified Network Access Control client
Read the rest of this entry »

• 0 Comments

Memory protection
Buffer overrun attacks are among the most common mechanisms, or vectors, for intrusion into computers. In this type of exploit, the attacker sends a long string to an input stream or control – longer than the memory buffer allocated to hold it. The long string injects code into the system, which is executed, launching a virus or worm.
Read the rest of this entry »

• 0 Comments