Web Application Session Auditing Part 3: Exploitation
The idea here is to determine your goals. Typically in our web app assessment engagements, our primary goal is to identify all the weaknesses in the application. While this isn't necessarily the goal of a malicious attacker, it is helpful to our clients. Attackers will typically stop at the first vulnerability they find that they can exploit to achieve their goals. Remember that time, motivation and resources are determined by the attacker or the attacker's clients. I'll try to cover most of the interesting attack vectors, but the primary goal of a web app session attack is to gain control of that session and, from there, completely compromise the user's account.
Data Breach Statistics
While doing a little research, I came across some interesting statistics about data breaches. I just wanted to share them along with some of my thoughts.
Web Application Session Auditing
Web application session handling is one of the most difficult things to do right. As we move more and more towards standard web frameworks (Django, Rails, etc.) to handle the basic functionality of a custom web application, this becomes a smaller issue. Unfortunately, there are engineers and developers who insist on going it alone in this realm. There are also legacy applications that require backward compatibility, and then there are just plain old out-of-date applications that are still publicly served.
Self-Assessment Questionnaire C-VT Explained
With the newest version of the PCI DSS came a new SAQ type: SAQ C-VT. This particular SAQ form is geared toward a special branch of merchant. Even though SAQ C-VT qualifying merchants use the Internet to process credit card data, they do it in such a way that most of the responsibility for security is off-loaded to a third party. In order to qualify for SAQ C-VT, merchants must use a third-party virtual terminal to process all credit card transactions.
Self-Assessment Questionnaire B Explained
Self-Assessment Questionnaire B is probably the most popular of all the SAQ types provided by the PCI SSC. SAQ B applies to the majority of small business retail stores and to the most basic and traditional methods of processing credit card payments. It addresses the simplest processing methods, from old-style card imprint machines to basic telephone dial-up card terminals. With only a few more requirements than SAQ A, SAQ B is a simple and straightforward questionnaire for reporting your PCI compliance.