Working Papers in Application Security

With web applications now a primary attack vector, SANS has received thousands of requests to provide more information to help the infosec community adapt traditional defense-in-depth techniques at the network layer to include more focus on the application layer. This set of working papers will provide up-to-date information from industry thought leaders and enterprise professionals already leading the application security charge in the trenches. If you are interested in contributing a paper for consideration, please send an email to spa@sans.org.

In addition to the working papers, SANS is now providing a variety of application security and secure coding training. To provide a way to measure the skills of suppliers and employees, GIAC has also developed several critical certifications for pen testers, web app security professionals and developers.

Projects like the Top 25 Most Dangerous Programming Errors and the Consensus Audit Guidelines are also providing guidelines and content.

SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring the following papers
AppSec - Cross Site Request Forgery: What Attackers Don't Want You to Know
Authors: Jason Lam and Johannes B. Ullrich
XMLHttpRequest is the backbone of Web 2.0 applications. It is a powerful JavaScript function that allows the flexible creation of HTTP requests. Lately, with Internet Explorer 8, XDomainRequest was released, which extends and refines the creation of HTTP requests in JavaScript. Both functions had a defined impact on the development of Web standards. However, both functions are also frequently cited for their usefulness in attack tools. We will investigate the evolution of these functions and how these functions evolved to mitigate the harm done. We found that security requirements put forward by the standard are not implemented consistently across different browsers. Developers need to be aware of these inconsistencies to protect applications from cross site request forgery.
AppSec - Protecting Your Web Apps: Two Big Mistakes and 12 Practical Tips to Avoid Them
Authors: Ed Skoudis and Frank Kim
Many web application vulnerabilities are a direct result of improper input validation and output filtering, which leads to numerous kinds of attacks, including cross-site scripting (XSS), SQL injection, command injection, buffer overflows and many others. This article describes some of the best defenses against such attacks, which every Web application developer should master.