Using Foundstone CookieDigger to Analyze Web Session Management

Size: px
Start display at page:

Download "Using Foundstone CookieDigger to Analyze Web Session Management"

Transcription

1 Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005

2 Web Session Management Managing web sessions has become a critical component of secure coding techniques. Malicious intruders, e- shoplifters, and hackers are increasingly targeting poorly designed applications which do not properly manage web sessions. Web session management encompasses the techniques used by web applications to transparently authenticate users over HTTP without having them repeatedly login. The HTTP protocol is inherently stateless in nature and so the application needs some way of performing session management. Session management entails the server sending a token of identity to the client (e.g. web browsers) after successful authentication. The most common way of performing session management is via the Set-Cookie directive of HTTP which stores a token on the client. Every subsequent request made by the client includes that token as a means to prove its identity. The application server has a database of user information corresponding to every token issued. Upon receiving a request that includes a token the application server correlates the user state with the token received. If the token is recognized, the request is processed, if it is not recognized, the request is rejected. Therefore, the token set on the client is the most critical information which provides a user access to his / her resources. This token is popularly called a Cookie. Foundstone CookieDigger CookieDigger, designed by Foundstone, is a free tool to help identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tools functionality can be divided into 3 broad categories; 1. Cookie Collection 2. Cookie Analyses 3. Results Foundstone, Inc. All Rights Reserved - 1

3 To use CookieDigger, the user needs to point the tool to the web application that is being analyzed. When the tool is launched a scaled down version of a web browser is presented. 1. The user needs to browse to the website using this browser Foundstone, Inc. All Rights Reserved - 2

4 2. Login in as a regular user on the web site with valid credentials Foundstone, Inc. All Rights Reserved - 3

5 3. Logout of the web site. This is required because some websites do not allow multiple logins simultaneously Foundstone, Inc. All Rights Reserved - 4

6 4. Click on Replay URLs. This shows all the URLs that have been visited Foundstone, Inc. All Rights Reserved - 5

7 5. The Visited URLs panel displays a tree view of all the URLs visited along with the associated parameter names and values. 6. Identify the request that has the credentials that were used to log on to the website. The application tries to make the best guess of the User ID and Password parameter but that may not be accurate in all cases. Select the right User ID and Password parameter using the drop down box Foundstone, Inc. All Rights Reserved - 6

8 Foundstone, Inc. All Rights Reserved - 7

9 7. Enter a set of credentials which can be used by the tool to log on the web application to collect the cookies. The tool does not use the initially entered credentials if not they are not reentered during this phase. The user needs to enter a minimum of one set of credentials and a maximum of 20 sets of credentials can be entered. 8. Select the number of times you want to repeat the login process for each set of credentials. The tool collects cookies set for each login attempt. The minimum is 2 and the maximum is 100. Press Done after having selected the number of attempts Foundstone, Inc. All Rights Reserved - 8

10 9. Depending on the number of credentials and number of login attempts the tool can take from a few seconds to a few minutes to collect the cookies. 10. After the cookie collection is complete, you can choose to save the cookies in XML files for more extensive testing, manually analyze the results with the options provided, display the report with the default analyses performed on the collected cookies, or just ignore the collected cookies and the analyses Foundstone, Inc. All Rights Reserved - 9

11 11. Save the cookies as an XML file. 12. The user can choose to manually test the cookies collected for commonly known mistakes. 13. The users can choose the instance of cookie that they wants to analyze. The tool provides the ability to choose the user and the instance number of the cookie that the user wants to see Foundstone, Inc. All Rights Reserved - 10

12 14. The user can hash strings using MD5 and SHA1 algorithms and compare them with the cookies collected to check if the web application is using hashes of predictable string, or timestamps as cookies. The string value entered is hashed and compared to all the cookie values collected. The results are included in the report generated at the end of manual testing Foundstone, Inc. All Rights Reserved - 11

13 15. The user can decode the cookie values to check for useful information passed in the cookies. The user currently has the option to perform Base64 and URL decoding on the collected cookies Foundstone, Inc. All Rights Reserved - 12

14 Choose the cookie name value pair that you want to decode. Select the type of decoding and click ok. The decoded value will appear under Covert Value Foundstone, Inc. All Rights Reserved - 13

15 16. The tool provides the user with the ability to search for particular strings and/or substrings across all the cookie values collected. This is particularly useful if the user is aware of the encryption algorithm and key used but is not sure of the plain text that is being encrypted. 17. The user has the option to directly go to the Manual Testing panel from the main window to continue performing the manual analyses on the cookies. The user needs to Load Cookies to access the stored XML files Foundstone, Inc. All Rights Reserved - 14

16 18. The results of the analyses performed on the collected cookies and the analyses results can be seen through the Show Report tab Foundstone, Inc. All Rights Reserved - 15

17 Analyses: CookieDigger performs the following analysis on the cookies collected: Average Length of the Cookie: If the average length of the cookie that is used as an authenticator is small then it would take fewer brute force attempts to hijack another users session. On a popular site we can assume many users to be logged in at the same time, therefore the chances of a successful brute force attempt might be high. Character Set of the Cookie: The character set employed in the generation of cookie value plays an important role in the entropy of the cookie. For any given cookie length, a large character set increases the strength of the authenticator. If the attacker can determine the character set employed by the application, the brute force attempts can be crafted more efficiently. The combination of the length of the cookie and the character set used determines the strength of the authenticator. Critical Information: The tool checks the cookie values set by the application to see if any of the cookies contains the usernames or password values in it. The check is performed on both the plain text value of the cookie and on the base64 decoded value of the cookie. Other common useful information passed in the cookie values are account numbers, names, privilege levels, etc. Entropy of the Cookies: The tool compares the different values of the cookie values to check how many characters are changing for every subsequent login. If the cookie value remains the same on subsequent logins, it shows that the algorithm used for generating the cookies is vulnerable to chosen plain text attacks. Furthermore, if the cookie values remain the same on subsequent logins it gives the attacker longer periods of time to perform the brute forces attempts Foundstone, Inc. All Rights Reserved - 16

18 The screen shots below shows a sample report output collected from The report provides a summary of the findings. It generates a predictability index based upon the cookie values collected. The analyses results are displayed in the report. The base line analyses performed on the cookies provides a user with a good indication on how strong the session identifiers are Foundstone, Inc. All Rights Reserved - 17

19 The report shows all the collected cookie values in the report for the user to view and analyze the results. The report displays the findings of the manual analyses at the end of the report. If there was any positive finding during the manual testing the report displays the cookie values for user s reference Foundstone, Inc. All Rights Reserved - 18

20 Known Issues 1. The tool does not work on the websites that requires scripting on parameter values before being sent back to the application. 2. The tool fails in cases where it the websites sends and expects a nonce for every new login. About Foundstone Professional Services Foundstone Professional Services, a division of McAfee, offers a unique combination of services and education to help organizations continuously and measurably protect the most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies, recommends, and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. Foundstone s Secure Software Security Initiative (S3i ) services help organizations design and engineer secure software. By building in security throughout the Software Development Lifecycle, organizations can significantly reduce their risk of malicious attacks and minimize costly remediation efforts. Services include: Source Code Audits Software Design and Architecture Reviews Threat Modeling Web Application Penetration Testing Software Security Metrics and Measurement For more information about Foundstone S3i services, go to Foundstone S3i training is designed to teach programmers and application developers how to build secure software and to write secure code. Classes include: Building Secure Software Writing Secure Code Java (J2EE) Writing Secure Code ASP.NET (C#) Ultimate Web Hacking For the latest course schedule, go to Foundstone, Inc. All Rights Reserved - 19

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Proof of Concept. A New Data Validation Technique for Microsoft ASP.NET Web Applications. Foundstone Professional Services

Proof of Concept. A New Data Validation Technique for Microsoft ASP.NET Web Applications. Foundstone Professional Services Proof of Concept A New Data Validation Technique for Microsoft ASP.NET Web Applications Foundstone Professional Services February 2005 Introduction Despite significant awareness of security issues like

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Design Authorization Systems Using SecureUML

Design Authorization Systems Using SecureUML Design Authorization Systems Using SecureUML By Rudolph Araujo & Shanit Gupta, Foundstone Professional Services February 2005 Overview This whitepaper describes the Foundstone SecureUML template, a Microsoft

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

HP WebInspect Tutorial

HP WebInspect Tutorial HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the

More information

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd. Acunetix Web Vulnerability Scanner Getting Started V8 By Acunetix Ltd. 1 Starting a Scan The Scan Wizard allows you to quickly set-up an automated scan of your website. An automated scan provides a comprehensive

More information

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence

AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence AJAX Storage: A Look at Flash Cookies and Internet Explorer Persistence Corey Benninger The AJAX Storage Dilemna AJAX (Asynchronous JavaScript and XML) applications are constantly looking for ways to increase

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd. Acunetix Web Vulnerability Scanner Getting Started V9 By Acunetix Ltd. Starting a Scan The Scan Wizard allows you to quickly set-up an automated security scan of your website. The security scan provides

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Remedy ITSM Service Request Management Quick Start Guide

Remedy ITSM Service Request Management Quick Start Guide Remedy ITSM Service Request Management Quick Start Guide Table of Contents 1.0 Getting Started With Remedy s Service Request Management. 3 2.0 Submitting a Service Request.7 3.0 Updating a Service Request

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Active Directory Authentication Integration

Active Directory Authentication Integration Active Directory Authentication Integration This document provides a detailed explanation of how to integrate Active Directory into the ipconfigure Installation of a Windows 2003 Server for network security.

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Secure Authentication and Session. State Management for Web Services

Secure Authentication and Session. State Management for Web Services Lehman 0 Secure Authentication and Session State Management for Web Services Clay Lehman CSC 499: Honors Thesis Supervised by: Dr. R. Michael Young Lehman 1 1. Introduction Web services are a relatively

More information

Web Application Security

Web Application Security Web Application Security Ng Wee Kai Senior Security Consultant PulseSecure Pte Ltd About PulseSecure IT Security Consulting Company Part of Consortium in IDA (T) 606 Term Tender Cover most of the IT Security

More information

ADFS Integration Guidelines

ADFS Integration Guidelines ADFS Integration Guidelines Version 1.6 updated March 13 th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS

More information

NeoMail Guide. Neotel (Pty) Ltd

NeoMail Guide. Neotel (Pty) Ltd NeoMail Guide Neotel (Pty) Ltd NeoMail Connect Guide... 1 1. POP and IMAP Client access... 3 2. Outlook Web Access... 4 3. Outlook (IMAP and POP)... 6 4. Outlook 2007... 16 5. Outlook Express... 24 1.

More information

Safewhere*Identify 3.4. Release Notes

Safewhere*Identify 3.4. Release Notes Safewhere*Identify 3.4 Release Notes Safewhere*identify is a new kind of user identification and administration service providing for externalized and seamless authentication and authorization across organizations.

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Configuring Single Sign-on for WebVPN

Configuring Single Sign-on for WebVPN CHAPTER 8 This chapter presents example procedures for configuring SSO for WebVPN users. It includes the following sections: Using Single Sign-on with WebVPN, page 8-1 Configuring SSO Authentication Using

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

SECURITY DOCUMENT. BetterTranslationTechnology

SECURITY DOCUMENT. BetterTranslationTechnology SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of

More information

How-to: Single Sign-On

How-to: Single Sign-On How-to: Single Sign-On Document version: 1.02 nirva systems info@nirva-systems.com nirva-systems.com How-to: Single Sign-On - page 2 This document describes how to use the Single Sign-On (SSO) features

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

Session Management in Web Applications

Session Management in Web Applications Session Management in Web Applications Author: EUROSEC GmbH Chiffriertechnik & Sicherheit Tel: 06173 / 60850, www.eurosec.com EUROSEC GmbH Chiffriertechnik & Sicherheit, 2005 What is Web-based Session

More information

Two-Factor Authentication

Two-Factor Authentication Two-Factor Authentication This document describes SonicWALL s implementation of two-factor authentication for SonicWALL SSL-VPN appliances. This document contains the following sections: Feature Overview

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience

Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience Using EMC Unisphere in a Web Browsing Environment: Browser and Security Settings to Improve the Experience Applied Technology Abstract The Web-based approach to system management taken by EMC Unisphere

More information

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7. Enabling Integrated Windows Authentication For CitectSCADA Web Client Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.xx Summary: What is the difference between Basic Authentication and Windows

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Lotus Domino Security

Lotus Domino Security An X-Force White Paper Lotus Domino Security December 2002 6303 Barfield Road Atlanta, GA 30328 Tel: 404.236.2600 Fax: 404.236.2626 Introduction Lotus Domino is an Application server that provides groupware

More information

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant $whoami Introduction Pavol Lupták 10+ years of practical experience in security and seeking vulnerabilities

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Elluminate Live! Access Guide. Page 1 of 7

Elluminate Live! Access Guide. Page 1 of 7 This guide is provided to Elluminate Live! users to assist them to make a successful connection to an Elluminate Live! session through a proxy firewall. In some cases settings discussed in this document

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

Windows XP Exchange Client Installation Instructions

Windows XP Exchange Client Installation Instructions WINDOWS XP with Outlook 2003 or Outlook 2007 1. Click the Start button and select Control Panel: 2. If your control panel looks like this: Click Switch to Classic View. 3. Double click Mail. 4. Click show

More information

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview) Chapter 83 WebEx This chapter includes the following sections: An overview of configuring WebEx for single sign-on Configuring WebEx for SSO Configuring WebEx in Cloud Manager For more information about

More information

QUANTIFY INSTALLATION GUIDE

QUANTIFY INSTALLATION GUIDE QUANTIFY INSTALLATION GUIDE Thank you for putting your trust in Avontus! This guide reviews the process of installing Quantify software. For Quantify system requirement information, please refer to the

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Network Security Audit. Vulnerability Assessment (VA)

Network Security Audit. Vulnerability Assessment (VA) Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.

More information

IBM Security QRadar Version 7.2.5. Vulnerability Assessment Configuration Guide IBM

IBM Security QRadar Version 7.2.5. Vulnerability Assessment Configuration Guide IBM IBM Security QRadar Version 7.2.5 Vulnerability Assessment Configuration Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 93. Product

More information

Leveraging User Interactions for In-Depth Testing of Web Applications

Leveraging User Interactions for In-Depth Testing of Web Applications Leveraging User Interactions for In-Depth Testing of Web Applications Sean Mc Allister, Technical University Vienna (sean@iseclab.org) Christopher Kruegel, University California, Santa Barbara (chris@iseclab.org)

More information

Creating a User Profile for Outlook 2013

Creating a User Profile for Outlook 2013 Creating a User Profile for Outlook 2013 This document tells you how to create a user profile for Outlook 2013 on your computer (also known as the Outlook client). This is necessary, for example, when

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 55. Version of 21 OCBC Bank. All Rights Reserved

Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 55. Version of 21 OCBC Bank. All Rights Reserved Velocity@ocbc Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 55 Version 1.0 160414 1 of 21 Contents Java 7 Update 55 (difficulty logging into Velocity@ocbc)... 3 Uninstall Java Prior

More information

Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 71. Version of 23 OCBC Bank. All Rights Reserved

Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 71. Version of 23 OCBC Bank. All Rights Reserved Velocity@ocbc Guide to add https://bbmy.ocbc.com as trusted site in Java 7 Update 71 Version 1.0 141014 1 of 23 Contents Java 7 Update 71 (difficulty logging into Velocity@ocbc)... 3 Uninstall Java Prior

More information

ASP.NET Forms Authentication Best Practices for Software Developers

ASP.NET Forms Authentication Best Practices for Software Developers ASP.NET Forms Authentication Best Practices for Software Developers By Rudolph Araujo, Foundstone Professional Services August 2005 Background ASP.NET does an excellent job of providing out of the box

More information

User-password application scripting guide

User-password application scripting guide Chapter 2 User-password application scripting guide You can use the generic user-password application template (described in Creating a generic user-password application profile) to add a user-password

More information

Marcum LLP MFT Guide

Marcum LLP MFT Guide MFT Guide Contents 1. Logging In...3 2. Installing the Upload Wizard...4 3. Uploading Files Using the Upload Wizard...5 4. Downloading Files Using the Upload Wizard...8 5. Frequently Asked Questions...9

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3 Open-Xchange Authentication & Session Handling Table of Contents 1.Introduction...3 2.System overview/implementation...4 2.1.Overview... 4 2.1.1.Access to IMAP back end services...4 2.1.2.Basic Implementation

More information

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/

Proto Balance SSL TLS Off-Loading, Load Balancing. User Manual - SSL. http://www.protonet.co.za/ Proto Balance SSL TLS Off-Loading, Load Balancing http://www.protonet.co.za/ User Manual - SSL Copyright c 2003-2010 Shine The Way 238 CC. All rights reserved. March 13, 2010 Contents 1. Introduction........................................................................

More information

Business ebanking Fraud Prevention Best Practices

Business ebanking Fraud Prevention Best Practices Business ebanking Fraud Prevention Best Practices User ID and Password Guidelines Create a strong password with at least 8 characters that includes a combination of mixed case letters, numbers, and special

More information

Multi Factor Authentication API

Multi Factor Authentication API GEORGIA INSTITUTE OF TECHNOLOGY Multi Factor Authentication API Yusuf Nadir Saghar Amay Singhal CONTENTS Abstract... 3 Motivation... 3 Overall Design:... 4 MFA Architecture... 5 Authentication Workflow...

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide IBM Security QRadar SIEM Version 7.1.0 MR1 Vulnerability Assessment Configuration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks

More information

IIS, FTP Server and Windows

IIS, FTP Server and Windows IIS, FTP Server and Windows The Objective: To setup, configure and test FTP server. Requirement: Any version of the Windows 2000 Server. FTP Windows s component. Internet Information Services, IIS. Steps:

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Elluminate Live! Access Guide. Page 1 of 7

Elluminate Live! Access Guide. Page 1 of 7 This guide is provided to Elluminate Live! users to assist them to make a successful connection to an Elluminate Live! session through a proxy firewall. In some cases settings discussed in this document

More information

OPENID AUTHENTICATION SECURITY

OPENID AUTHENTICATION SECURITY OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole

More information

ICE Trade Vault. Public User & Technology Guide June 6, 2014

ICE Trade Vault. Public User & Technology Guide June 6, 2014 ICE Trade Vault Public User & Technology Guide June 6, 2014 This material may not be reproduced or redistributed in whole or in part without the express, prior written consent of IntercontinentalExchange,

More information

Smithsonian Enterprises

Smithsonian Enterprises Smithsonian Enterprises Audit of the Effectiveness of the Information Security Program Table of Contents I. Introduction... 1 II. Background... 2 III. Results of Audit... 3 Finding #1: Needed Improvement

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

Defender 5.7 - Token Deployment System Quick Start Guide

Defender 5.7 - Token Deployment System Quick Start Guide Defender 5.7 - Token Deployment System Quick Start Guide This guide describes how to install, configure and use the Defender Token Deployment System, based on default settings and how to self register

More information

Riverbed Cascade Shark Common REST API v1.0

Riverbed Cascade Shark Common REST API v1.0 Riverbed Cascade Shark Common REST API v1.0 Copyright Riverbed Technology Inc. 2015 Created Feb 1, 2015 at 04:02 PM Contents Contents Overview Data Encoding Resources information: ping information: list

More information

HIRSCH Velocity Web Console Guide

HIRSCH Velocity Web Console Guide HIRSCH Velocity Web Console Guide MAN012-1112 HIRSCH Velocity Web Console Guide MAN012-1112, November 2012 Version 1.1 Copyright 2012 Identive Group. All rights reserved. ScramblePad and ScrambleProx are

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Management, Logging and Troubleshooting

Management, Logging and Troubleshooting CHAPTER 15 This chapter describes the following: SNMP Configuration System Logging SNMP Configuration Cisco NAC Guest Server supports management applications monitoring the system over SNMP (Simple Network

More information

QualysGuard SAML 2.0 Single Sign-On. Technical Brief

QualysGuard SAML 2.0 Single Sign-On. Technical Brief QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

Remedy ITSM Service Request Management Quick Start Guide

Remedy ITSM Service Request Management Quick Start Guide Remedy ITSM Service Request Management Quick Start Guide For use by customers of IT services with Remedy ITSM at Missouri S&T Version 1.5 December 11, 2013 Table of Contents 1.0 Getting Started With Remedy

More information

1.5.5 Cookie Analysis

1.5.5 Cookie Analysis 1.5.5 Cookie Analysis As part of the first audit, Facebook were asked to provide an explanation of the purpose of each of the identified cookies. The information provided at the time has been reviewed

More information

Security Implications Associated with Mass Notification Systems

Security Implications Associated with Mass Notification Systems Security Implications Associated with Mass Notification Systems Overview Cyber infrastructure: Includes electronic information and communications systems and services and the information contained in these

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Secure Web Development Teaching Modules 1. Threat Assessment

Secure Web Development Teaching Modules 1. Threat Assessment Secure Web Development Teaching Modules 1 Threat Assessment Contents 1 Concepts... 1 1.1 Software Assurance Maturity Model... 1 1.2 Security practices for construction... 3 1.3 Web application security

More information

How to set up Outlook Anywhere on your home system

How to set up Outlook Anywhere on your home system How to set up Outlook Anywhere on your home system The Outlook Anywhere feature for Microsoft Exchange Server 2007 allows Microsoft Office Outlook 2007 and Outlook 2003 users to connect to their Outlook

More information

Application Security Policy

Application Security Policy Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

Web Application Security

Web Application Security Chapter 1 Web Application Security In this chapter: OWASP Top 10..........................................................2 General Principles to Live By.............................................. 4

More information

Secure Global Desktop (SGD)

Secure Global Desktop (SGD) Secure Global Desktop (SGD) Table of Contents Checking your Java Version...3 Preparing Your Desktop Computer...3 Accessing SGD...5 Logging into SGD...6 Using SGD to Access Your Desktop...7 Using SGD to

More information

Workday Mobile Security FAQ

Workday Mobile Security FAQ Workday Mobile Security FAQ Workday Mobile Security FAQ Contents The Workday Approach 2 Authentication 3 Session 3 Mobile Device Management (MDM) 3 Workday Applications 4 Web 4 Transport Security 5 Privacy

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies

More information

Note that if at any time during the setup process you are asked to login, click either Cancel or Work Offline depending upon the prompt.

Note that if at any time during the setup process you are asked to login, click either Cancel or Work Offline depending upon the prompt. USC Marshall School of Business Academic Information Services Configuring Outlook 2010 RPC Over HTTP Protocol For Windows 7 Home Computers or Wireless Laptops The steps in this document cover how to configure

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System

More information

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11

Investment Management System. Connectivity Guide. IMS Connectivity Guide Page 1 of 11 Investment Management System Connectivity Guide IMS Connectivity Guide Page 1 of 11 1. Introduction This document details the necessary steps and procedures required for organisations to access the Homes

More information

Using Internet or Windows Explorer to Upload Your Site

Using Internet or Windows Explorer to Upload Your Site Using Internet or Windows Explorer to Upload Your Site This article briefly describes what an FTP client is and how to use Internet Explorer or Windows Explorer to upload your Web site to your hosting

More information

Installing the ASP.NET VETtrak APIs onto IIS 5 or 6

Installing the ASP.NET VETtrak APIs onto IIS 5 or 6 Installing the ASP.NET VETtrak APIs onto IIS 5 or 6 2 Installing the ASP.NET VETtrak APIs onto IIS 5 or 6 3... 3 IIS 5 or 6 1 Step 1- Install/Check 6 Set Up and Configure VETtrak ASP.NET API 2 Step 2 -...

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information