Compass Security Blog

Offensive Defense

Page 5 of 5

Why does Compass Security recommend HSTS?

Secure web communications using HTTPS isn’t anything fancy anymore these days. It ensures traffic from a user to your web application cannot be eavesdropped or tampered with, given it has been set up securely using SSL/TLS. But, do you trust your web application’s code to entirely disregard unencrypted requests? Are you sure your Apache/IIS is […]

Continue reading

Risks of DOM Based XSS due to “unsafe” JavaScript functions

Introduction Several native JavaScript functions or properties like .eval() and .innerHTML as well as several jQuery functions like .html() and .append() are considered as “unsafe”, but why? The reason is that they allow DOM manipulation using strings containing HTML code (e.g.”<b>This text is bold</b>“), which can lead to DOM Based Cross-Site Scripting vulnerabilities. To be […]

Continue reading

Secure XML Parser Configuration

Most XML parsers are vulnerable for XML external entitiy attacks (XXE) by default. So what’s your mitigation? The easiest way to prevent XXE is to disallow the Doctype declaration completely: import java.io.File; import org.jdom.Document; import org.jdom.JDOMException; import org.jdom.input.SAXBuilder; public class XEE_Disallow_Doctype_Decl { public static void main(String[] args) { String element= null; SAXBuilder objBuilder = null; […]

Continue reading

AntiSamy to face XSS and XXE

The community hosts a neat little project called AntiSamy[1] which lends its name from the well known MySpace worm[2] and which comes in handy when trying to mitigate Cross-site Scripting[3] attacks. Whereby XSS is sometimes hard to mitigate when business is asking for HTML formatting in user supplied inputs. At that point, AntiSamy might become […]

Continue reading

nevisProxy Advisory Release

Today, Compass Security published a public advisory regarding nevisProxy, a product from AdNovum, used by several Swiss financial institutions. nevisProxy is a secure reverse proxy with an integrated web application firewall (WAF). It acts as a central upstream entry point for web traffic to integrated online applications. nevisProxy controls user access and protects sensitive data, […]

Continue reading

JBoss 7.1 Web Server Hardening

JBoss is a popular open-source Java application server which underwent a major rewrite of its code-base for its latest version 7.x. Of this new branch, only version 7.1.0.Final, released a week ago, is certified for the Java EE 6 Full Profile. As part of the code rewrite, the configuration settings also got a global overhaul. […]

Continue reading

Nächster Compass BeerTalk am Donnerstag 01.03.2012

Am 1. März 2012 ist es wieder so weit, wir führen den ersten BeerTalk im Jahr 2012 zum Thema Advanced Web Security durch. Das weit verbreitete Struts Framework war im letzten halben Jahr immer wieder auf Remote Code Execution verwundbar, was Angreifern erlaubte, ganze Systeme zu kompromittieren. Philipp Oesch, Leiter Software Entwicklung bei der Compass […]

Continue reading

New Security Enhancing HTTP Headers

In the past few years, several new HTTP Headers have been proposed to increase the security of web applications. This is being done by providing additional instructions and information about the served application to the browser. Those can mitigate and avert various common web attacks, even if the underlying application contains vulnerabilities, therefore adding another […]

Continue reading

BeanShell puts Java Application Servers at Risk

Developers increasingly integrate BeanShell support into web applications to provide end users and administrators with a simple extension framework. But be warned! BeanShell support without appropriate access control will put the hosting web server at severe risk. An attacker could easily execute operating system calls and without appropriate system hardening such an attack will immediately result in full system compromise. The […]

Continue reading

Retrospective about cache snooping

As it is known since at least 2006, a website is able to identify the domains a user previously visited, with some simple CSS hacks. This had great privacy implications, and browsers took steps to eliminate this problem. But in December 2011, lcamtuf presented a new proof of concept based on cache timings, which basically does the […]

Continue reading

Newer posts »