Skip to content

My new article on heise Security

Here is my newest article, published on heise Security.
This time it’s about the Web-Security tool "CSRFTester" from The Open Web Application Security Project (OWASP). It’s a short overview how to use the CSRFTester to identify "Cross Site Request Forgery" vulnerabilites in web applications.
Here is the link to the article:
Enjoy yourself!

HAKIN9 IT Security Magazin - 12/2011

Well, here is my next article for the German HAKIN9 IT Security Magazin. This time it’s about Web-Security and it holds three examples (XSS, SQL-Injection and Blind SQL-Injection) about, how to identify and fix vulnerabilites in web applications. Tools used for this one are Netsparker Community Edition from mavitunasecurity, Arachni and sqlmap.
And of course not to forget, a big special THANKS to Dr. Philip Walter for his great support!
Well, enough of the words, here are the links: HAKIN9 IT Security Magazin – 12/2011 or here
Enjoy yourself!

Cross-site scripting (XSS) - What's that and how to identify them?

On my blog are some vulnerabilities called "Cross-site scripting" or "XSS", but what exactly is a Cross-site scripting?

A Cross-site scripting attack is a type of a html injection and the problem is always when a web application accept user input and generates the output without validating or encoding it. This flaw makes it possible for an attacker to inject a malicious script – like javascript – to access cookies, session tokes or some other sensitive information stored in the user’s browser, because it thinks the script came from a trusted source.  

They are some different possibilties to identify XSS vulnerabilities:

- use a web security scanner, like xsser, arachni, Nikto
- test/review the code for places with user input which possibly ends into HTML output
(contact forms, search forms …)
Continue reading "Cross-site scripting (XSS) - What's that and how to identify them?"

Network Security - Check Point IPS SoftwareBlade - HTTPS Inspection

With the R75.20 release, a Check Point Security Gateway is ready for HTTPS inspection (Supported blades: Data Loss Prevention (DLP), Anti Virus, Application Control, URL Filtering, and IPS).
I wrote a short howto about the configuration and here are the links to the PDF and to the Wiki
Further information can be found here:
Enjoy yourself!


HAKIN9 IT Security Magazin - 07/2011

My second article "Mobile security – Secure workspaces with Check Point Abra" is published in the latest edition of the security magazine hakin9.
So, here’s the free download –
Further information, about Check Point Abra, can be found on the Check Point website –
Enjoy yourself ;) !
Imprint | Contact | Privacy Statement