OWASP AppSec Asia 2008: Proxy Caches and Web Application Security



Tim Bass
10-03-2008 04:05 AM
Back to travelling a bit, I have accepted an invitation from Wayne Huang, Chapter Leader, OWASP Taiwan, to give the following presentation at OWASP AppSec Asia 2008, October 27 - 28, 2008, in Taipei:

Proxy Caches and Web Application Security
Abstract: Proxy caches, combined with poorly written session management code, can easily lead to serious Internet security breaches. Web application developers cannot know whether their content is consumed directly or via a proxy cache. Developers cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content. Consequently, proxy caches are a serious threat to web application security. In the presentation, we will discuss the recent security breach Tim found in Google Docs and review web application security and session management topics related to proxy caching.

Source...
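
The risk the abstract describes, a shared proxy cache storing a session-specific response and handing it to a different browser, can be checked for in the response headers an application sends. The Python audit below is an added example, not code from the talk or the original post. The cookie-name heuristic, the sample headers, and the conservative rule that only 'no-store' or an unqualified 'private' keeps a response out of shared caches are assumptions of this example.

```python
# Added example (not from the talk): flag responses a shared proxy cache could
# store and replay to a different user. Sample headers are constructed.
SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed cookie-name heuristic


def cache_directives(headers):
    """Collect Cache-Control directives as {name: value or None}, lowercased."""
    found = {}
    for name, value in headers:
        if name.lower() != "cache-control":
            continue
        for part in value.split(","):
            key, _, val = part.strip().partition("=")
            if key:
                found[key.lower()] = val.strip('"') or None
    return found


def sets_session_cookie(headers):
    """True if any Set-Cookie header names a session-like cookie."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie = value.split("=", 1)[0].strip().lower()
            if any(hint in cookie for hint in SESSION_HINTS):
                return True
    return False


def audit(headers, per_user=False):
    """Return findings for one response; [] means nothing was flagged.

    Conservative policy (an assumption of this example): only 'no-store' or an
    unqualified 'private' counts as keeping the response out of shared caches.
    """
    cc = cache_directives(headers)
    if "no-store" in cc or ("private" in cc and cc["private"] is None):
        return []
    findings = []
    if sets_session_cookie(headers):
        findings.append("session cookie may be stored by a shared cache")
    if per_user:
        findings.append("per-user body lacks 'private' or 'no-store'")
    if findings and any(d in cc for d in ("public", "max-age", "s-maxage")):
        findings.append("explicit freshness makes shared reuse likely")
    return findings


LEAKY = [("Cache-Control", "public, max-age=600"),
         ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly")]
SAFE = [("Cache-Control", "private, no-store"),
        ("Set-Cookie", "JSESSIONID=constructed123; Path=/; HttpOnly")]
```

Calling audit(LEAKY) reports the session cookie and the explicit freshness lifetime, while audit(SAFE) returns an empty list.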
cachemgr.cgi(8)                System Manager's Manual                cachemgr.cgi(8)

NAME
cachemgr.cgi - squid HTTP proxy manager interface

SYNOPSIS
http://your.server/cgi-bin/cachemgr.cgi

DESCRIPTION
The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the Squid HTTP proxy process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server.

FILES
./cachemgr.conf
@DEFAULT_CACHEMGR_CONFIG@
The access configuration file defining which Squid servers may be managed via this cachemgr.cgi program. Each line specifies a server:port followed by an optional description. The server name may contain shell wildcard characters such as *, [] etc. A quick selection dropdown menu is automatically constructed from the simple server names. Specifying :port is optional. If not specified then the default proxy port is assumed. :* or :any matches any port on the target server.

SECURITY
cachemgr.cgi calls the requested server on the requested port using HTTP and returns a formatted version of the response. To avoid abuse it is recommended to configure your web server to restrict access to the cachemgr.cgi program. Configuration examples for many common web servers can be found in the Squid FAQ.

SEE ALSO
squid(8)
The Squid FAQ, Chapter 9 The Cache Manager

Squid Web Proxy 3.1.20                                                cachemgr.cgi(8)