-
SANS and WASC have organized a Web Application Security Summit in Vegas. Web Application Security Summit. Jeremiah Grossman, Summit Chair, with Robert “RSnake” Hansen, Gary McGraw, and Caleb Sima. June 2-3, 2008 • Paris Hotel & Casino • Las Vegas, NV. On June 2-3, various application security folks working in the enterprises will share the lessons learned in their application security initiatives. Case
-
RSA Conference 2008 is almost over. As usual there were so many companies showcasing their products and services, or in some cases just a little bit of fun like video games, rock climbing, etc. I personally think there were more companies talking about web application security than last year. We still need some more companies with secure SDLC solutions to come out there. In addition, there were
-
WASC meetup at RSA was a huge success. More than 100 people showed up and it was a lot of fun sharing ideas and experiences with our peers. I am posting some of the pictures I took below. Caleb Sima (HP), Robert Auger (WASC). Neil Daswani (Google), Robi Papp (Accuvant). Pool was so much fun. Dawn Van Hoegaerdan (Whitehat Security), Jeremiah Grossman, Rachel Miller (Shift Communications). Dawn, James(
-
I got this email yesterday and it immediately caught my attention, maybe due to the recent news about malware being installed via legitimate websites. Or maybe because most of the previous phishing attempts were about stealing usernames/passwords. This one is about installing something on their machine (which I am sure is some sort of malware). This might be a shift in the approach and of course it makes a
-
RSA Conference is around the corner and a lot of people from the webappsec field will be coming over to the conference. This is a perfect opportunity to meet with your peers. To facilitate that, WASC is organizing a meetup on April 9, 2008, 12pm to 2pm. Whitehat Security has graciously accepted to sponsor the event. Please click on the image to see a larger version of the invite. Last year WASC
-
Web Application Security Consortium and SANS have partnered together to define, train, test and certify individuals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and process expertise to make this a huge success. Why do we need this certification? As more and more software is moving to
-
I got a text message today which said something like:
From: TAX@internalrefunding.com
------Message-----
Subject: NOTICE
You have .30 IRS UNITS pending for refunding, complete the form using www.internalrefunding.com ASAP
My first reaction was "What the f***" but then I started thinking "Could it be IRS?", and if yes, then "Why send an SMS?" Then my paranoid mind started working and even though I haven't heard of a scam
-
Andre sent me a link on "Security Requirements for HTTP". It is exciting to see that at least the security issues of the HTTP protocol are being addressed by the IETF. This is a first draft; they are starting to identify the problems and will address them in the final part of this document. http://www.ietf.org/internet-drafts/draft-ietf-httpbis-security-properties-00.txt Recent IESG practice dictates that IETF
-
I was reading Jeremiah's blog about ScanAlert's response: ScanAlert - XSS is not our problem. I had blogged earlier about Should ScanAlert be revoked of their PCI Scanning abilities? The interesting thing here is that if Hacker Safe is not detecting XSS attacks, I can bet they would not be detecting SQL injection attacks as well. So, what part of web application attacks are they trying to detect
-
Last week I went to see the documentary by Fortify on "The New Face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSNs, etc. and selling them on the black market to make money. Basically a visual representation of what we deal with, day in, day out. But it turned out
-
Jeremiah Grossman is trying to gather all the neat research behind the web hacks of 2007. "The hardest part is collecting a rather complete list of references to vote on, they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be
-
I was passed this link today about "Hacker Safe Website gets hit by Hacker". For those who don't know, Hacker Safe is a service provided by ScanAlert (which is set to be acquired by McAfee). I am not going to go into the details of how safe the sites displaying the "Hacker Safe" logo are. I don't even want to go into the details of what level of scanning services are provided by ScanAlert
-
OWASP and WASC AppSec Conference is over and it was by far the best conference I have ever been to. I was able to meet up with so many fantastic people, some of whom I had exchanged emails with before, and it was good to see them in person. The conference topics and the presentations were really good. It was also my first time moderating a panel and it was a great experience. With such a sensitive
-
There was an article in SearchSecurity today on the TJX issue.
Don't blame PCI DSS for TJX troubles, IT pros say
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1280854,00.html?track=sy160&asrc=RSS_RSS-10_160
Here is an excerpt from the article:
The auditor said TJX passed a PCI DSS check-up, but that the auditor failed to notice some key problems. "They had no network monitoring and
-
As most of you know, the OWASP-WASC AppSec Conference is being held at eBay between Nov 12 and Nov 15, including the training sessions. There are very many exciting topics to look forward to in the conference, not to forget the vendor parties at the end of the day. One of the things I am excited about is the panel discussion on Website Vulnerability Disclosure (which I will be moderating). We have some
-
It's time for another WASC Meet-Up. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Just some like-minded people from the security industry getting together to share their stories over beer. Everyone is welcome and it should be a really fun time! Please RSVP by email ASAP, if you haven't done so already, so we can make the proper reservations: anurag dot agarwal at
-
The OWASP/WASC Black Hat cocktail party was so successful it only made sense to join forces again, this time for an upcoming conference. OWASP & WASC AppSec 2007 is scheduled for Nov 12 – 15 @ the eBay campus in San Jose, California. This will be an entire conference dedicated to web application security and something not to be missed. In fact, we’re a little nervous because the venue might be able to fit
-
WASC is organizing another Meet-Up during the IT Security World Conference (Sep 17-18) in San Francisco @ O'Neills. As usual this will be an informal gathering. No agenda, slide-ware, or sponsors. Baysec is also organizing a meetup during that time and we are hoping to meet other security professionals from the Bay Area. Everyone is welcome and it should be a really fun time! Please RSVP by email
-
Thank you all for your patience. We have received an overwhelming response to the WASSEC (Web Application Security Scanner Evaluation Criteria) project. To proceed with the project, please:
1. Email wasc-wassec-subscribe@webappsec.org and reply to the confirmation email.
2. It is a moderated subscription, so every contributor has to be approved to send messages to the list.
3. Once you are
-
WASC has announced a new project, WASSEC (Web Application Security Scanner Evaluation Criteria). Currently WASC is seeking volunteers from various sections of the community, including penetration testers, scanner vendors, security researchers and also end users, to contribute to the project. A brief description of the project: The Web Application Security Evaluation Criteria is a set of guidelines to
-
At the Mozilla Pyjama party during Blackhat, Jeremiah and I met up with Bubba Gump and he shared with us an interesting story on how he was able to do something similar to the Samy worm on another social networking site. His story just goes to show that there are so many other websites which are still getting hacked the same way but either have no clue or are in denial mode. We asked him to
-
I came back from Blackhat and Defcon last Sunday. I was there for the entire 9 days (combined Blackhat and Defcon) and when I came back, I realized why people said 9 days of Vegas are toooo long. It was my first time in Vegas so I didn’t see it earlier, but now I have learnt my lesson. :) It had been a very enjoyable experience. Though the party really took off on Tuesday night when most of the
-
In the last episode of Reflection, we have someone who has become a pillar of OWASP. Dinis Cruz is a chief OWASP evangelist and a part of the OWASP board. At OWASP, he organizes events such as the OWASP Autumn of Code, delivers keynotes and advanced technical presentations at OWASP conferences and leads the OWASP .Net Project where (amongst others) he created the tools: OWASP Report Generator,
-
This week on Reflection we have someone who has done a lot of database research, published several advisories and presented at Blackhat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company “Argeniss” and has contributed a lot to making some of today's databases more secure. He has also identified a lot of vulnerabilities in Microsoft Windows,
-
This week on Reflection we have Alex Stamos from iSEC Partners Inc. Alex has been involved in webappsec for some time now and has presented at Blackhat, ToorCon, OWASP, ISACA, etc. He is a founder and Vice President of Professional Services at iSEC. He is a leading researcher in the field of web application and web services security and is also a co-author of an upcoming book, Hacking Exposed Web
-
This week on Reflection we have Petko D Petkov (popularly known as pdp). pdp has been active in the webappsec community for some time now. He has written many articles and published many tools. Two of his more popular tools are Attack API and Technika (a Firefox extension). He is also a co-author of the book XSS Exploits: Attacks and Defense. Recently he presented on Advanced Web Hacking Revealed
-
OWASP and WASC have joined hands to hold a combined meetup at Blackhat USA 2007 in Las Vegas, which was earlier planned as a WASC meetup. Breach Security has stepped forward to sponsor the event. Please click on the image to see a larger version of the invite. Come and join us for a drink and meet other like-minded people from the industry. NOTE: Those who have already RSVPed need not RSVP
-
Any Java developers in the Bay Area who are interested in working together on some of the research ideas I have in web application security?
Most of the development would be in Java. Knowledge of JavaScript is a plus. Knowledge of the webapp security field is optional.
Interested? Contact me at anurag.agarwal@yahoo.com
-
This week on Reflection we have Saumil Shah from Net-Square Solutions. Saumil has been involved in the webappsec community for a long time and is a regular presenter at Blackhat. He focuses on researching vulnerabilities in various e-commerce and web based application systems, system architecture for Net-Square's tools and products, and developing short term training programmes. He specializes in
-
This week on Reflection we have Stefano Di Paola, who caught everyone’s attention through his paper Subverting Ajax, which talked about the Acrobat Reader plugin vulnerability and the JavaScript prototype exploit. For those of you who remember, there was a lot of commotion on the WASC mailing list at the beginning of this year. Tons of emails going back and forth on a vulnerability which was identified in
-
For the third year in a row WASC will be organizing a web application security meet-up during the BlackHat USA (2007) conference. There are going to be a lot of webappsec presentations and people in attendance, likely more than ever, so it's a good opportunity for those in the community to get together and share some food and drinks. This email will serve as a way to gauge the level of
-
This week on Reflection we have Ryan Barnett from Breach Security. Ryan is a well respected figure in web application security and is well known for his book “Preventing Web Attacks with Apache”. He is a faculty member of the SANS Institute and a WASC officer. He is also the Project Lead for the Center for Internet Security Apache Benchmark Project. Ryan has a passion for web application security
-
This week on Reflection we have Caleb Sima from SPI Dynamics. He is the co-founder and CTO of SPI Dynamics. He has been involved with internet security since its very early days and is widely respected in the industry. He is often quoted in various magazines and is called upon for his expert opinions. Caleb’s story tells us we can be what we want to be if only we put our minds to it and channel
-
I received an interesting phishing email today. Whenever I receive such an email I hover my mouse over the link to see the actual URL behind it. In this particular case, it caught my attention: it was pointing to google.com. I was a little bit surprised, so I copied the actual URL behind the link separately to see where it is pointing. Be careful before you click on the URL.
Here is a
-
The last two posts have been about running TRACE on the host server.
Running TRACE on the server using Java from within the browser Part 1
http://myappsecurity.blogspot.com/2007/04/using-java-from-within-browsers.html
Running TRACE on the server using Java from within the browser Part 2
http://myappsecurity.blogspot.com/2007/05/running-trace-on-server-using-java-from.html
In this post, we will see
-
In the previous post on running TRACE on the server using Java from within the browser, the approach used java.net.Socket. In this approach, we are using java.net.URLConnection.
There are certain limitations with this approach:
1. If TRACE is disabled on the server, Firefox will give a PrivilegeException
2. If HTTP is disabled on the web server, then it will give a PrivilegeException
3. It
-
This week on Reflection, we have Bill Pennington from Whitehat Security. Bill has been involved in web application security for a long time, has performed numerous web application assessments and is currently involved in research and development at Whitehat Security. He has spoken at industry events like Blackhat, ISSA LA and the OWASP Silicon Valley chapter and has contributed to or co-authored