Reference | Link |
---|---|
General References | |
"Brute Force Exploitation of Web Application Session IDs" by David Endler | http://downloads.securityfocus.com/library/SessionIDs.pdf |
"Session Fixation Vulnerability in Web-based Applications" by ACROS Security | http://www.acros.si/papers/session_fixation.pdf |
Role Based Access Control | http://csrc.nist.gov/rbac/ |
PHP Security | http://www.php.net/manual/security.php |
Apache Authn/Authz Resources | |
Apache 2.2 Authentication, Authorization and Access Control | http://httpd.apache.org/docs/2.2/howto/auth.html |
Apache suEXEC, approximates impersonation | http://httpd.apache.org/docs/1.3/suexec.html |
IIS Authn/Authz Resources | |
"IIS Authentication" from MSDN | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconIISAuthentication.asp |
"How IIS Authenticates Browser Clients" | http://support.microsoft.com/?kbid=264921 |
"How To Configure IIS Web Site Authentication in Windows Server 2003" | http://support.microsoft.com/kb/324274/ |
"NTLM Authentication Scheme for HTTP" | http://www.innovation.ch/personal/ronald/ntlm.html |
"How To: Use Windows Authentication in ASP.NET 2.0" (good technical coverage of authz) | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000025.asp |
"How To: Protect Forms Authentication in ASP.NET 2.0" | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000025.asp |
"How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI" | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000005.asp |
"How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000006.asp |
Microsoft Authorization Manager (AzMan) whitepaper | http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/athmanwp.mspx |
.NET ViewState Overview | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp11222001.asp |
Tools | |
Offline Explorer Pro | http://www.metaproducts.com |
WebScarab | http://www.owasp.org/software/webscarab.html |
SPI Dynamics' SPI ToolKit | http://www.spidynamics.com/products/webinspect/toolkit.html |
Cookies | |
RFC 2109, "HTTP State Management Mechanism" (The Cookies RFC) | http://www.ietf.org/rfc/rfc2109.txt |
Paper detailing cookie analysis, focuses on authentication | http://cookies.lcs.mit.edu/pubs/webauth:sec10.pdf |
CookieSpy | http://www.codeproject.com/shell/cookiespy.asp |