Thread: Login credentials and session id security




Login credentials and session id security
user name
2007-06-06 04:41:53
Hi All,

Can someone please tell what is the most secure way of sending login credentials to the server. The possible ways that I am familiar with are:

- get method
- post method
- hidden form fields

By using an encrypted connection we cannot sniff the credentials, but still it is very easy to capture or manipulate these credentials using a web proxy from any of these methods. So I am looking to find a method to transport the credentials to the server so that the security of these credentials can't be compromised even by deploying a web proxy.

Also once a session id is generated, what is the best way to maintain the security of a session id.

Any help would be much appreciated.

Regards
Vishal


-------------------------------------------------------------------------
Sponsored by: Watchfire

The Twelve Most Common Application-level Hack Attacks
Hackers continue to add billions to the cost of doing business online despite security executives' efforts to prevent malicious attacks. This whitepaper identifies the most common methods of attacks that we have seen, and outlines a guideline for developing secure web applications. Download today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008rSe
--------------------------------------------------------------------------


Re: Login credentials and session id security
user name
2007-06-06 17:58:48
If you are that concerned about a man in the middle attack, you should consider two-factor auth.  IMO get vs post there is no security difference if MITM is your worry.  Also make sure that you implement a configurable lockout on failed login attempts, both for a specific userid as well as from a specific IP or even from a whole subnet or domain if you are truly paranoid of the proxies.  You may want to display a "Your last successful login was: " and a "Your last failed login was: " to the user.

As for two-factor, for ease of deployment & management I have been using the token solution from http://www.mypw.com - it's like a hosted securid product but at a much lower cost.  If you need contact info, contact me off-list.

Good luck.

-Scott C. Sanchez, CISSP
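
The configurable lockout and the "last login" banner suggested in the message above, as an added example that is not part of the original post. The class name, the thresholds, the /24 IPv4 subnet grouping and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window lockout keyed by user id, source IP and source subnet."""

    def __init__(self, max_user=5, max_ip=20, max_subnet=100,
                 window=900, subnet_prefix=24):
        # All limits are configurable; the defaults are illustrative only.
        self.limits = {"user": max_user, "ip": max_ip, "subnet": max_subnet}
        self.window = window                  # seconds a failure is remembered
        self.subnet_prefix = subnet_prefix    # assumes IPv4 sources
        self.failures = defaultdict(deque)    # (scope, key) -> failure times
        self.last_ok = {}                     # user -> last successful login
        self.last_failed = {}                 # user -> last failed login

    def _keys(self, user, ip):
        net = ipaddress.ip_network(f"{ip}/{self.subnet_prefix}", strict=False)
        return [("user", user.lower()), ("ip", ip), ("subnet", str(net))]

    def _count(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:   # drop failures outside window
            q.popleft()
        return len(q)

    def locked_by(self, user, ip, now):
        """Return the scopes ('user', 'ip', 'subnet') currently over limit."""
        return [k[0] for k in self._keys(user, ip)
                if self._count(k, now) >= self.limits[k[0]]]

    def attempt(self, user, ip, password_ok, now):
        """Process one login attempt and return (allowed, banner)."""
        keys = self._keys(user, ip)
        if self.locked_by(user, ip, now):
            return False, None        # locked: the password result is ignored
        uid = keys[0][1]
        if not password_ok:
            for k in keys:
                self.failures[k].append(now)
            self.last_failed[uid] = now
            return False, None
        # Banner shows the state *before* this login so the user can spot
        # activity that was not theirs.
        banner = {"last_success": self.last_ok.get(uid),
                  "last_failure": self.last_failed.get(uid)}
        self.last_ok[uid] = now
        # Reset only the per-user counter. Resetting the IP or subnet counter
        # here would let a guesser clear it by logging in to their own account.
        self.failures.pop(keys[0], None)
        return True, banner


if __name__ == "__main__":
    # Constructed sample run: three bad guesses lock the account.
    t = LoginThrottle(max_user=3, max_ip=5, max_subnet=50, window=600)
    for ts in (0, 10, 20):
        t.attempt("alice", "203.0.113.7", False, ts)
    print(t.attempt("alice", "203.0.113.7", True, 30))    # still locked
    print(t.attempt("alice", "203.0.113.7", True, 621))   # window has passed
```

A per-user lockout can itself be used to keep a legitimate user out, which is one reason to keep the window short and the thresholds configurable.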






RE: Login credentials and session id security
user name
2007-06-07 05:38:52
Hi,

GET and POST are just HTTP verbs (i.e. ways that the browser can communicate with the server). A hidden form field is just part of your HTML document.

Neither of which is any more secure than the other, because none of these is specifically geared towards being an authentication mechanism, or a security mechanism. Instead, they are geared towards transporting data between your browser and webserver.

What you are trying to do is say that certain data is "sensitive" and that you don't want that compromised. Well, HTTP and HTML don't really provide for any such distinction between sensitive data, and non-sensitive data.

So, what are your options?

Now, SSL/TLS is a security mechanism. It's designed to encrypt data, and protect against man-in-the-middle attacks. That allows you to send data using a GET/POST request, without worrying too much about attacks on the data in-transit (you still need to secure the endpoints).

Alternatively, you can look at robust authentication technologies (e.g. Kerberos, Client Certificates) that are designed to provide a secure authentication mechanism (obviously your HTTP data isn't protected).

Cheers
Ken



Re: Login credentials and session id security
user name
2007-06-06 22:37:58
Vishal,

Best way to protect the proxy, MITM and DNS poisoning attacks is use of One time tokens. But they are also prone to Active MITM attacks. In order to achieve a foolproof method better surrender yourself to cryptography (Zero Knowledge proofs). SRP (http://srp.stanford.edu/) based implementation is a good start in which you don't effectively send the password.

This article will give some insights of how to protect the web application from session hijacking. (http://technicalinfo.net/papers/WebBasedSessionManagement.html)

Hope this Helps
Regards
AK


Re: Login credentials and session id security
user name
2007-06-08 09:55:45
Using Post method is considered more secure of the three options. You may encrypt the credentials at the client, with a script on the client browser. This won't make it completely resistant (when the proxy is sniffing and decrypting SSL, as per the scenario) but will increase the work factor because now the attacker has to get to the key and then decrypt to get the credentials.

Session id is generally stored in the cookie. It should be random and cookie marked secure but given the proxy able to sniff, it can be compromised, in this setting. You may want to ensure other controls like expiring the session after certain time period.

Also, you might want to include a detective control on your application, showing the user last time they logged in so that if anyone had stolen the credentials and used it, they could detect (agreed not all users pay attention but it's better than not having one)

Regards

Aman Raheja, CISSP
http://www.techquotes.com





-- 

---------------------------------------------
Aman Raheja
Security+, Linux+ Certified.
http://www.techquotes.com
PGP Key http://www.techquotes.com/araheja.asc
---------------------------------------------




Re: Login credentials and session id security
user name
2007-06-07 08:48:36
Vishal,

You should always use the POST method when sending sensitive information via HTTP. Hidden fields are not an alternative to POST or GET. Ideally, the server should also respond to each POST request with a 30x as opposed to a 200.

You cannot prevent a user from "deploying a Web proxy" to intercept their own HTTP requests, but why are you worried about your end users viewing credentials that they themselves have entered? The authentication features built into SSL prevent an attacker from setting up a Web proxy which will allow them to view the credentials of others. Even if the attacker is successful at tricking the user into setting up a tunnel which terminates on the attacker's proxy, the end user will be warned that the certificate does not match that of the target domain provided by their CA.

Session IDs should always be sent to the client using session cookies with the Secure flag set, the HTTPOnly flag set (if the browser supports it), and path and domain parameters limited as strictly as possible. In an ideal world, the session ID is destroyed and a new one is sent to the client after only a single use. However, this is usually not practical. Sane limits on session expiration should be set including a short inactivity timeout and an absolute timeout. These timeouts should both be as short as possible without negatively impacting user experience. Session IDs should not be generated and sent to the client until after a successful authentication has taken place. Session IDs should be destroyed and new IDs created whenever the privilege level associated with the session changes. Session IDs should be explicitly terminated whenever the user leaves the application, whether this takes place via an explicit logout, or the user closes the browser window or navigates away from the application.

There are many more specific recommendations that can be made, but those are the general answers to your questions that should apply to any Web app that you might be building.

-j
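
The session ID handling recommended in the message above, as an added example that is not part of the original post: a small in-memory store covering issuance only after authentication, cookie attributes, both timeouts, regeneration on privilege change and explicit logout. The class name, cookie name, path and timeout values are assumptions.

```python
import secrets


class SessionStore:
    """In-memory session store; timestamps are passed in as seconds."""

    def __init__(self, idle=900, absolute=8 * 3600, path="/app", cookie="SID"):
        self.idle = idle              # inactivity timeout
        self.absolute = absolute      # hard limit counted from first login
        self.path = path
        self.cookie = cookie
        self._sessions = {}           # session id -> session record

    def _set_cookie(self, sid):
        # No Expires/Max-Age: a session cookie that ends with the browser.
        # No Domain attribute: the cookie is host-only, the strictest scope.
        return f"{self.cookie}={sid}; Path={self.path}; Secure; HttpOnly"

    def _issue(self, user, role, created, now):
        sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "role": role,
                               "created": created, "last_seen": now}
        return sid, self._set_cookie(sid)

    def login(self, user, now, role="user"):
        """Call only after the credentials have been verified."""
        return self._issue(user, role, now, now)

    def validate(self, sid, now):
        """Return the session record, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None               # IDs the server did not issue are never adopted
        if (now - s["last_seen"] >= self.idle
                or now - s["created"] >= self.absolute):
            del self._sessions[sid]   # destroy on expiry, do not just ignore
            return None
        s["last_seen"] = now
        return s

    def change_privilege(self, sid, role, now):
        """Destroy the old ID and issue a new one when the role changes."""
        s = self.validate(sid, now)
        if s is None:
            return None, None
        del self._sessions[sid]
        # Keep the original creation time so the absolute timeout is not
        # extended by a privilege change.
        return self._issue(s["user"], role, s["created"], now)

    def logout(self, sid):
        """Destroy the session server-side and return a cookie that clears it."""
        self._sessions.pop(sid, None)
        return f"{self.cookie}=; Path={self.path}; Secure; HttpOnly; Max-Age=0"


if __name__ == "__main__":
    store = SessionStore()
    sid, header = store.login("alice", now=0)
    print("Set-Cookie:", header)
    new_sid, header = store.change_privilege(sid, "admin", now=60)
    print("old ID still valid:", store.validate(sid, 61) is not None)
    print("Set-Cookie:", store.logout(new_sid))
```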



Re: Login credentials and session id security
user name
2007-06-07 06:39:22
Hi,

Thanks Rogan and everyone else for replying to my query and the responses were quite helpful. Ok, here I'll give one scenario to make it even more clear if someone could not understand my point correctly.

Suppose this is an e-commerce application and a user is trying to access it through some shared computer such as an Internet cafe or a hotel. Now my worry is that it is possible to capture user credentials by deploying a web proxy client, no matter the application is using GET or POST methods or is using an encrypted session. Yes, user would get an SSL error message but only in Firefox as I have not seen such message appearing in IE yet (I'm using IE6).

From the responses till now, it appears to me that using salted hashes of passwords is the best way as it would not appear as plain text in web proxy. Also server generates a new hash using a new salt every time a user wants to authenticate to avoid replay attacks.

Any other thoughts or suggestions would be much appreciated.

Regards
Vishal


At 10:56 6/7/2007, Rogan Dawes wrote:
>Vishal Garg wrote:
>>Hi All,
>>Can someone please tell what is the most secure way of sending login credentials to the server. The possible ways that I am familiar with are:
>>- get method
>>- post method
>
>These are HTTP methods for sending parameters.
>
>>- hidden form fields
>
>This is a technique for defining parameters which will result in one or other of the GET or POST methods (above) being executed.
>
>>By using an encrypted connection we cannot sniff the credentials, but still it is very easy to capture or manipulate these credentials using a web proxy from any of these methods. So I am looking to find a method to transport the credentials to the server so that the security of these credentials can't be compromised even by deploying a web proxy.
>
>The proxy can only be used by someone who accepts the certificate validation error that appears in the browser. If you are worried that your users might be trying to subvert your login process, the odds are good that you are trying to make your login process too complex!
>
>In the normal event, your users will know their username and password, so trying to prevent them from intercepting these same values is completely pointless. If your concern is regarding cleartext passwords being available on the server (e.g. you don't ever want clear text passwords to leave the browser), you may want to consider something like Secure Remote Password (SRP). However, this requires a Java applet or ActiveX control for performing the crypto and generating random numbers, and is unlikely to be popular.
>
>>Also once a session id is generated, what is the best way to maintain the security of a session id.
>
>See http://www.owasp.org/index.php/Session_Management
>
>>Any help would be much appreciated.
>>Regards
>>Vishal
>
>Hope this helps.
>
>Rogan






Re: Login credentials and session id security
user name
2007-06-08 12:59:09
On Jun 8, 2007, at 10:55 AM, Aman Raheja wrote:
> Using Post method is considered more secure of the three options. You
> may encrypt the credentials at the client, with a script on the client
> browser. This won't make it completely resistant (when the proxy is
> sniffing and decrypting SSL, as per the scenario) but will increase the
> work factor because now the attacker has to get to the key and then
> decrypt to get the credentials.

The key in this scenario has to be publicly available, so client-side encryption of the credentials doesn't add any security to the system.

-dhs


Dean H. Saxe, CISSP, CEH
deanfullfrontalnerdity.com
"I have always strenuously supported the right of every man to his own opinion, however different that opinion might be to mine. He who denies another this right makes a slave of himself to his present opinion, because he precludes himself the right of changing it."
     -- Thomas Paine, 1783






RE: Login credentials and session id security
user name
2007-06-06 23:42:26
Hi Vishal,

Following are my responses to your query,

What is the most secure method of sending the login credentials to the server? The answer is "POST" method, as anything sent using POST is not cached in the browser's history. On the other hand values sent using GET can be seen in the links which are cached in browser's history.

How should the login credentials be encrypted so that they are not compromised? Well SSL achieves the encryption requirements of entire http data. However as you mentioned, the login credentials can be captured using a web proxy or even through the system memory. Here is a paper which talks about memory exploits (http://paladion.net/pdf/Discovering_Passwords_In_Memory.pdf). So the best way to encrypt and send login credentials is to use "Salted Hash" technique. You can read the details of salted hash here (http://plynt.com/blog/2005/07/searching-memory-for-secrets-w/) and here (http://www.aspheute.com/english/20040105.asp).

Regarding session management, there are many security aspects to be looked into. I may not be able to cover all here, but would recommend you to go through the following paper for detailed information (http://www.sans.org/reading_room/whitepapers/webservers/1594.php).

Thanks
Abhishek




Re: Login credentials and session id security
user name
2007-06-08 13:18:10
Some large corporations import and pre-trust client certificates on their LAN PCs so that IE won't give a warning to the user where the SSL tunnel was terminated and restarted on the gateway/proxy. You cannot overcome this unless you use a further symmetric method (say javascript) that would allow a payload (of encrypted data) to be sent encrypted over SSL, the user-agent would then accept a password and decrypt and display the payload, this isn't really practical though, in this case MITM attacks cannot really be prevented, you are at the mercy of the company's IT policies - which might infringe privacy legislation (if there is any). Could you use terms and conditions on your website to make the storage and/or use of any data gathered by the company proxy an illegal act by the corporation?

my $0.02
matt



-- 
Matthew Farey
Web App Sec.
25 The Polygon, Southampton, SO15 2BP, UK
+44(0)2380 631449




