24 Aug 2010

Directory Traversal Attacks By: Yasser ABOUKIR

  Directory Traversal Attacks Attackers use directory traversal attacks to read arbitrary files on web servers, such as SSL private keys and password files. Some web applications open files based on HTTP parameters (user input). Consider  this simple PHP application that displays a file in many languages: Assume that this PHP page is accessible through http://test.wablab.com/morocco/static.php?language=main-en; an attacker can read arbitrary files from the web server by inserting some st...

24 Aug 2010

Understanding Business Logic Security Holes By: Yasser ABOUKIR

All web applications employ logic in order to deliver their functionality. Writing code in a programming language involves at its root nothing more than breaking down a complex process into very simple and discrete logical steps. Translating a piece of functionality that is meaningful to human beings into a sequence of small operations that can be executed by a computer involves a great deal of skill and discretion. Doing it in an elegant and secure fashion is even harder still. When large numb...