On Security
Sverre's Writings on Information Security
Published
December 2000. Advice on how one should protect a PC from the threats
lurking on the Internet.
Published on SecurityPortal.com, February 1, 2001.
Web Application Security
June 2005. The majority of software security holes found in web
applications fall into just two categories: failure to deal with
metacharacters, and authorization problems caused by placing too much
trust in input. This article gives several examples from both
categories, and then adds some from other categories as well.
April 2005. On attacks that may be possible if different parts of an
application use incompatible methods when extracting incoming
parameters.
August 2003. On extracting secrets using binary search through
scripts vulnerable to SQL Injection.
November 2001. Why it's a bad idea to store clear text passwords in a
database.
November 2001. How attackers may make offers to their victims on behalf
of a target web site, thereby tricking them into doing something they
never intended to do.
Selected E-mails on Web Application Security
vuln-dev, May 2002. Thoughts on passing data to sub-systems and being
ignorant.
vuln-dev, March 2002. Thoughts on separating input validation and
passing of data to sub-systems.
vuln-dev, March 2002. Why metacharacter handling is not the same as
input validation.
vuln-dev, January 2002. Examples of how timing may not be an issue
when stealing session cookies with Cross-site Scripting.
webappsec, November 2001. How malicious mails with scripts, read
using Outlook, may control an authenticated HTTPS session in Internet
Explorer.