
Preventing Cross Site Request Forgery Attacks

Posted: February 4th, 2014 | Filed under: IIS & HTTP

What is a Cross Site Request Forgery Attack?

Cross-site request forgery (CSRF or XSRF) is an attack that has appeared in every OWASP Top 10 since 2007, yet it gets far less attention than other OWASP lifers such as XSS or SQL injection. We’ve decided to give CSRF some needed attention and discuss some ways to mitigate it.

Also known as a “one click attack” or “session riding,” CSRF is often lumped together with XSS, but it works the other way round. Rather than injecting unauthorized script into a website, a cross-site request forgery attack transmits unauthorized commands to the website or application from a user that the site already considers authenticated.

Websites and applications at risk are those that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. Because the browser attaches the session cookie to every request for the site, the forged request can be triggered by a plain HTML form or image tag on any page the victim visits; the attack does not depend on Ajax or the XMLHttpRequest (XHR) API, whose cross-origin requests the same-origin policy restricts. A user authenticated by a cookie saved in the browser can thus unknowingly send an HTTP request to a site that trusts that user and cause an unwanted action (for instance, withdrawing funds from a bank account).
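The following is an added example, not code from the original post: a minimal model of a cookie-authenticated “transfer funds” endpoint, first in the vulnerable form described above (it trusts the session cookie alone), then hardened with a per-session synchronizer token and an Origin check. The request shape, session store, user names and the origins bank.example and evil.example are constructed stand-ins, not a real framework’s API.

```python
# Added example, not code from the original post.  A minimal model of a
# cookie-authenticated "transfer funds" endpoint: the vulnerable version trusts
# the session cookie alone, the hardened version also requires a per-session
# synchronizer token and a matching Origin.  Request shape, session store and
# origin names are constructed stand-ins, not a real framework's API.
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"      # assumed origin of the protected site
ATTACKER_ORIGIN = "https://evil.example"  # assumed origin of the attacker's page


@dataclass
class Request:
    cookies: dict                     # attached automatically by the browser
    form: dict                        # POST body fields
    headers: dict = field(default_factory=dict)


class Bank:
    def __init__(self):
        self.sessions = {}            # session id -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 1000, "bob": 0, "mallory": 0}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        """Value the server embeds as a hidden field in its own transfer form."""
        return self.sessions[sid]["csrf"]

    def _move(self, user, to, amount):
        self.balances[user] -= amount
        self.balances[to] += amount

    def transfer_vulnerable(self, req):
        """Checks only that a valid session cookie arrived: any site can forge this POST."""
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return 401
        self._move(sess["user"], req.form["to"], int(req.form["amount"]))
        return 200

    def transfer_hardened(self, req):
        sess = self.sessions.get(req.cookies.get("session"))
        if sess is None:
            return 401
        # Defence 1: browsers set Origin on cross-site form POSTs and a page on
        # another origin cannot alter it.  Referer is the fallback.  Exact match
        # or a "/" boundary, so "https://bank.example.evil" does not pass.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
            return 403
        # Defence 2: synchronizer token.  The attacker's page cannot read the
        # victim's copy of the form (same-origin policy), so it cannot supply
        # the token.  Constant-time compare avoids leaking it byte by byte.
        supplied = req.form.get("csrf_token", "").encode()
        if not hmac.compare_digest(supplied, sess["csrf"].encode()):
            return 403
        self._move(sess["user"], req.form["to"], int(req.form["amount"]))
        return 200


def forged_transfer(hardened):
    """Alice is logged in; a page on the attacker's origin auto-submits a
    transfer form.  Her browser attaches the session cookie, but the attacker
    neither knows the token nor can spoof the Origin header."""
    bank = Bank()
    sid = bank.login("alice")
    req = Request(cookies={"session": sid},
                  form={"to": "mallory", "amount": "500"},
                  headers={"Origin": ATTACKER_ORIGIN})
    handler = bank.transfer_hardened if hardened else bank.transfer_vulnerable
    return handler(req), bank.balances["alice"]


def legitimate_transfer():
    """Same hardened endpoint, request built from the bank's own form with the token."""
    bank = Bank()
    sid = bank.login("alice")
    req = Request(cookies={"session": sid},
                  form={"to": "bob", "amount": "100", "csrf_token": bank.csrf_token(sid)},
                  headers={"Origin": SITE_ORIGIN})
    return bank.transfer_hardened(req), bank.balances["alice"]


if __name__ == "__main__":
    print("vulnerable, forged:", forged_transfer(hardened=False))  # (200, 500)
    print("hardened,   forged:", forged_transfer(hardened=True))   # (403, 1000)
    print("hardened,   legit :", legitimate_transfer())            # (200, 900)
```

Two caveats a practitioner would want: the token is the primary control and the Origin/Referer check is defence in depth, since some clients omit both headers and a missing or “null” Origin must be rejected rather than waved through; and the check is only needed on state-changing requests, which is one more reason GET handlers must never change state.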


Privilege Escalation Vulnerabilities Headline Modest January Security Bulletin

Posted: January 15th, 2014 | Filed under: Web and Application Security

Microsoft is kicking off 2014 with a modest set of security bulletins, which includes several vulnerabilities in Windows XP and Windows Server 2003. Luckily, none of this month’s batch is rated Critical; every bulletin carries an ‘Important’ rating.

Nevertheless, as with any security update, we recommend downloading and applying as soon as possible.

Apply all the Patches

MS14-001: Microsoft Office, SharePoint Server, Office Web Apps

Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

Attention Microsoft Office users, and especially those who run Office with administrative rights: this update is intended for you. It fixes an issue in Microsoft Office that primarily affects the 2010 and 2013 versions. If a specially crafted malicious file is opened with a vulnerable version of Word or other affected Office software, remote code can be executed. Microsoft notes that a successful attack gives the attacker the same user rights as the current user, so accounts configured with fewer rights are exposed to less damage.


PCI DSS Version 3.0: New and Important Requirements

Posted: November 27th, 2013 | Filed under: IIS & HTTP

PCI DSS is a set of standards developed by the major credit card companies to keep cardholder data secure and reduce fraud. The standards apply to any organization that processes, stores, or transmits credit card data. Periodically, the PCI Security Standards Council announces updates to the standards, which may require organizations in scope to make changes to their security hardware, software, and practices. The latest update (PCI DSS 3.0) was announced a few months back, but recent documentation has shed a bit more light on what you need to do to start preparing for compliance once the new rules come into effect on January 1, 2014.


4 Ways Reporting and Alerting Are Valuable to Web Security

Posted: October 30th, 2013 | Filed under: IIS & HTTP

Despite our best preventive efforts and proactive measures, practices, and training, security breaches still happen. It is just a fact of life today. The most prepared CISOs could quickly handle a breach if they knew when it was going to occur. But there is no spidey sense that tingles when an attacker makes his way into your database, and no alarm that sounds when a user’s session is hijacked and unauthorized permissions are obtained. Certain activities, however, can help you notice unusual and potentially dangerous activity around your web assets. They include:

  • Configuring alerts
  • Using reporting tools
  • Monitoring your app

These activities are vital for effectively dealing with an incident. Alerts (via email, SMS, etc.) give application and site owners a way to know that they are under attack. It’s as if the app is shouting “Help! Something is wrong!” Regular use of reports gives site owners a way to learn what normal usage on the site looks like and to quickly recognize unusual activity. But the benefits do not end there.
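As an added example (not the post’s own code, nor a feature of any product it describes), here is the shape of the detection logic such an alert can be built on, run over a few constructed IIS-style W3C log lines. It raises two of the signals the paragraph mentions: a session cookie seen from more than one client address, the crude fingerprint of a hijacked session, and a burst of failed logins from one address. The field layout, the ASP.NET_SessionId cookie name, the thresholds and the sample lines are all assumptions for illustration.

```python
# Added example, not part of the original post.  Simple detection logic run
# over constructed IIS-style W3C log lines: flag a session cookie used from a
# second client IP, and a burst of 401s from one IP inside a time window.
# Field layout, cookie name, thresholds and sample lines are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, with a #Fields header the way IIS writes W3C logs.
# Logging cs(Cookie) is optional in IIS and is assumed enabled here.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2014-01-20 10:00:01 203.0.113.5 GET /account 200 ASP.NET_SessionId=abc123
2014-01-20 10:00:05 203.0.113.5 POST /transfer 200 ASP.NET_SessionId=abc123
2014-01-20 10:00:09 198.51.100.77 POST /transfer 200 ASP.NET_SessionId=abc123
2014-01-20 10:01:00 192.0.2.9 POST /login 401 -
2014-01-20 10:01:02 192.0.2.9 POST /login 401 -
2014-01-20 10:01:03 192.0.2.9 POST /login 401 -
2014-01-20 10:01:05 192.0.2.9 POST /login 401 -
2014-01-20 10:01:06 192.0.2.9 POST /login 401 -
2014-01-20 10:05:00 203.0.113.5 GET /logout 200 ASP.NET_SessionId=abc123
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def session_id(cookie_field):
    """Pull the session cookie out of the logged Cookie header, or None."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "ASP.NET_SessionId":
            return value
    return None


def detect(text, auth_fail_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, subject, detail) tuples in log order."""
    alerts = []
    session_ips = defaultdict(set)      # session id -> client IPs seen
    failures = defaultdict(list)        # client IP -> timestamps of 401s
    for rec in parse_w3c(text):
        sid = session_id(rec["cs(Cookie)"])
        if sid:
            ips = session_ips[sid]
            if rec["c-ip"] not in ips:
                ips.add(rec["c-ip"])
                # Fire once, when the second distinct address appears.
                if len(ips) == 2:
                    alerts.append(("session_multiple_ips", sid, sorted(ips)))
        if rec["sc-status"] == "401":
            hist = failures[rec["c-ip"]]
            hist.append(rec["ts"])
            hist[:] = [t for t in hist if rec["ts"] - t <= window]
            # Fire once, when the threshold is first reached inside the window.
            if len(hist) == auth_fail_threshold:
                alerts.append(("auth_failure_burst", rec["c-ip"], len(hist)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The session-from-two-addresses rule is noisy on its own (mobile users and large NATs change addresses legitimately), which is exactly the kind of signal that belongs in a report you review regularly rather than an alert that pages someone; the failed-login burst, by contrast, is a reasonable candidate for an immediate alert.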


3 Web Security Videos that Will Make You Sleep with the Lights On

Posted: October 30th, 2013 | Filed under: Web and Application Security

From the perspective of a business owner, the web can be a terrifying place, rife with threats. We’ve compiled a list of our favorite web security videos that will make you want to disconnect from the internet and hide.
