Web Application Security Resources

Web Application Security

• Application Security Assessments » Advice on Assessing your Custom Application by Gunter Ollmann 2002
• Web Application Security Assessment by Fault Injection and Behavior Monitoring » by Yao-Wen Huang 2003

Code Injection/SQL Injection

• Second-order Code Injection » Advanced Code Injection Techniques and Testing Procedures by Gunter Ollmann 2005
• (more) Advanced SQL Injection » This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. by NGS 2002
• Advanced SQL Injection in SQL Server Applications » This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. by NGS 2002

Session Management

• Web Based Session Management » Best Practices in Managing HTTP Based Client Sessions by Gunter Ollmann 2002
• Authentication and Session Management on the Web » This paper looks at the security concerns specific to websites that have a secure area where users can login. by Paul Johnston 2005

Social Engineering Tricks

• How to Obscure Any URL » How Spammers And Scammers Hide and Confuse 2002
• Host Naming & URL Conventions » Security considerations for web-based applications by NGS 2005
• The Phishing Guide » Understanding and Preventing Phishing Attacks by Gunter Ollmann 2005

• Odysseus - http[s] proxy »
  Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. by Wastelands Technologies
• Nikto »
  Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3100 potentially dangerous files/CGIs by CIRT.net
• misc perl tools »
  Usefull scripts, tools and security-related apps