<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I've found that chaining SoapUI with Burp Suite as its proxy helps a lot during WS testing</div><div><br>
</div><div>IBM AppScan has a tool for testing WS as well<br><br>Cheers,</div><div><br>Mario</div><div><br>On 20/11/2013, at 05:26 p.m., Pawel Krawczyk <<a href="mailto:pawel.krawczyk@hush.com">pawel.krawczyk@hush.com</a>> wrote:<br>
<br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div>Fully subscribe to Brett’s comment. </div><div><br></div><div>Web services are very sensitive to a specific standard and implementation. One family is SOAP, which is a multilayer protocol so even a simple service looks very complex. This is why there are no “point-and-click” SOAP security scanners - each scanner is actually a client for a specific service and needs to be implemented from scratch. If you have WSDL, it’s quite easy. You can code it in Java, .NET, Python or SoapUI. One of the commercial scanners also has a built-in SOAP client, similar to SoapUI (I don’t remember which - IBM AppScan or HP WebInspect).</div>
<div><br></div><div>At the end of the day you actually get a fuzzer and what you’re looking for are all kinds of standard issues - unhandled exceptions, error messages etc. The good side is that SOAP programmes rarely sanitise their error messages in a fully justified belief that no normal human will look at these responses :)</div>
<div><br></div><div>It’s more challenging if the service uses advanced features such as digital signature or encryption, because as far as I’ve seen this domain can be not fully standardised. If you get there, you’ll practically need to reimplement the service’s client. And you might find out that there’s no good library for that in your favourite programming language, or there’s no library apart from one delivered by a vendor. Welcome to the murky world of proprietary business protocols… For Java there’s a book that helped me a lot with understanding the SOAP world  - “Building web services with Java” (<a href="http://amzn.to/1auRwqA">http://amzn.to/1auRwqA</a>)</div>
<div><br></div><div>A separate class of applications using web services are client-facing apps with most of the presentation logic implemented in JavaScript (e.g. AngularJS) and just pulling data from the server over AJAX or REST. I like them because it’s easy to draw a trust boundary, the HTTP communications are easy to read and the APIs are also rather simple and clear to understand. Most of the manual testing tools such as BurpSuite will handle them pretty well.</div>
<div><br></div><div>Typical issues you’ll find in headless web services alone will be related to SQL, broken authentication and access controls. In case of modern AJAX apps, you’ll actually need to look at two sides: one is the web service, the other is the presentation layer. DOM-based XSS is prevalent here, but if you properly tested the API, you can be pretty confident that you’ll not get a data breach as all data goes through the API. Which is also a wonderful situation from a secure coding perspective - e.g. in Spring (Java) the API definitions can be stored in a single place, which makes code review and possible fixes much easier.</div>
<div><br></div><div><br></div><div><div>On 20 Nov 2013, at 21:56, Brett Knuth <<a href="mailto:brett.knuth@healthdirect.org.au">brett.knuth@healthdirect.org.au</a>> wrote:</div><br class="Apple-interchange-newline">
<blockquote type="cite"><div lang="EN-AU" link="blue" vlink="purple" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
<div class="WordSection1" style><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif">For what it’s worth ……</span></div>
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif">We always take a risk based approach and map the possible threats to the web app depending on its specific components</span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif">Build an attack tree or a threat table XLS, an example below</span></div><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="918" style="width:688.25pt;border-collapse:collapse">
<tbody><tr style="height:15.75pt"><td width="124" nowrap valign="bottom" style="width:92.9pt;border-style:solid;border-color:windowtext windowtext windowtext black;border-width:1pt;background-color:white;padding:0cm 5.4pt;height:15.75pt;background-repeat:initial initial">
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif;text-align:center"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">Injection</span></b></div></td><td width="123" nowrap valign="bottom" style="width:92.15pt;border-style:solid solid solid none;border-top-color:windowtext;border-right-color:windowtext;border-bottom-color:windowtext;border-top-width:1pt;border-right-width:1pt;border-bottom-width:1pt;background-color:white;padding:0cm 5.4pt;height:15.75pt;background-repeat:initial initial">
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif">SQL Injection</span></div></td><td width="189" nowrap valign="bottom" style="width:5cm;border-style:solid solid solid none;border-top-color:windowtext;border-right-color:windowtext;border-bottom-color:windowtext;border-top-width:1pt;border-right-width:1pt;border-bottom-width:1pt;background-color:white;padding:0cm 5.4pt;height:15.75pt;background-repeat:initial initial">
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif">Web logs/application logs</span></div></td><td width="482" nowrap valign="bottom" style="width:361.45pt;border-style:solid solid solid none;border-top-color:windowtext;border-top-width:1pt;border-bottom-color:windowtext;border-bottom-width:1pt;border-right-color:black;border-right-width:1pt;background-color:white;padding:0cm 5.4pt;height:15.75pt;background-repeat:initial initial">
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif">HTTP request (GET/POST request, source IP, UserAgent, referrer, date/time)</span></div>
</td></tr></tbody></table><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div>
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif">Once documented and risk assessed we then vulnerability and pen test, remediating the most critical risk assessed</span></div>
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="695" style="width:521.25pt">
<tbody><tr><td style="padding:0cm"><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="695" style="width:521.25pt"><tbody><tr><td width="361" valign="top" style="width:270.75pt;padding:0cm"><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="361" style="width:270.75pt">
<tbody><tr style="height:56.25pt"><td style="border-style:none none solid;border-bottom-color:rgb(153,153,153);border-bottom-width:1pt;padding:0cm;height:56.25pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<b><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">Brett Knuth</span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><br>Security Manager<br><br></span><b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">P.</span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><span class="Apple-converted-space"> </span>xxxxxxxxxxx <span class="Apple-converted-space"> </span></span><b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">M.</span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><span class="Apple-converted-space"> </span>0402 891 533<span class="Apple-converted-space"> </span></span><b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">F.</span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><span class="Apple-converted-space"> </span>02 9283 9180</span></div>
</td></tr><tr style="height:18.75pt"><td style="border-style:none none solid;border-bottom-color:rgb(153,153,153);border-bottom-width:1pt;padding:0cm;height:18.75pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">MAIL.</span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><span class="Apple-converted-space"> </span>Suite 3, Level 19, 133 Castlereagh St Sydney NSW 2000</span></div>
</td></tr><tr style="height:18.75pt"><td style="border-style:none none solid;border-bottom-color:rgb(153,153,153);border-bottom-width:1pt;padding:0cm;height:18.75pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<b><span style="font-size:8.5pt;font-family:Arial,sans-serif;color:rgb(153,30,0)">E.<span class="Apple-converted-space"> </span></span></b><span style="font-size:9pt;font-family:Arial,sans-serif;color:rgb(102,102,102)"><a href="mailto:brett.knuth@healthdirect.org.au" style="color:purple;text-decoration:underline">brett.knuth@healthdirect.org.au</a></span></div>
</td></tr></tbody></table></td><td width="334" valign="top" style="width:250.5pt;padding:0cm"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span></span></div>
</td></tr></tbody></table></td></tr><tr style="height:18.75pt"><td valign="bottom" style="border-style:none none solid;border-bottom-color:rgb(204,204,204);border-bottom-width:3pt;padding:0cm;height:18.75pt"><p class="MsoNormal" style="margin:0cm 0cm 3pt;font-size:12pt;font-family:'Times New Roman',serif">
<i><span style="font-size:7pt;font-family:Arial,sans-serif"></span></i></p></td></tr><tr><td style="padding:0cm"><p class="MsoNormal" style="margin:3pt 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:7pt;font-family:Arial,sans-serif;color:rgb(153,153,153)"></span></p>
</td></tr></tbody></table><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
<span style="font-size:11pt;font-family:Calibri,sans-serif"> </span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma,sans-serif">From:</span></b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma,sans-serif"><span class="Apple-converted-space"> </span>websecurity [<a href="mailto:websecurity-bounces@lists.webappsec.org" style="color:purple;text-decoration:underline">mailto:websecurity-bounces@lists.webappsec.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Seth Art<br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, 21 November 2013 6:44 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Info Sec<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:websecurity@lists.webappsec.org" style="color:purple;text-decoration:underline">websecurity@lists.webappsec.org</a><br>
<b>Subject:</b><span class="Apple-converted-space"> </span>Re: [WEB SECURITY] Web Service Security</span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div><div><div>
<div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Info Sec,</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div>
</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">That is a hard question to answer.  There are different types of Web Services, each type has multiple implementations, and each implementation allows for different configuration options.  </div>
</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
The security testing is different depending on type, the implementation, and the configuration of each web service. </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">For a high level overview of Web Service Security, I have found the following document helpful: <a href="http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf" style="color:purple;text-decoration:underline"><span style="color:rgb(0,102,204)">http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf</span></a></div>
</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Some tools that you can use to test web services are:</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Any web proxy (Burp Suite, Fiddler, ZAP, etc) - For all web services</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">SoapUI - for SOAP based web services where you have access to the WSDL</div>
</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Oyedata - For RESTful web services that use OData</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Good luck.  Hopefully someone else on the list can provide more information.  </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">-Seth</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div></div><div><p class="MsoNormal" style="margin:0cm 0cm 12pt;font-size:12pt;font-family:'Times New Roman',serif"> </p><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
On Tue, Nov 19, 2013 at 6:51 AM, Info Sec <<a href="mailto:infosecm@gmail.com" target="_blank" style="color:purple;text-decoration:underline">infosecm@gmail.com</a>> wrote:</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
Hi !,</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
I'm looking for resources to help me identify web service security issues, and how to fix them.</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div>
<div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">I just found OWASP Web Service Security Cheat Sheet talking about this matter.</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
I know that web service security issues are very similar to web applications, but there is always something you are unaware of.</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
OWASP Web Service Security Cheat Sheet:</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><a href="https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet" target="_blank" style="color:purple;text-decoration:underline">https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet</a></div>
</div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">Regards,</div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif">
 </div></div></div><p class="MsoNormal" style="margin:0cm 0cm 12pt;font-size:12pt;font-family:'Times New Roman',serif"><br>_______________________________________________<br>The Web Security Mailing List<br><br>WebSecurity RSS Feed<br>
<a href="http://www.webappsec.org/rss/websecurity.rss" target="_blank" style="color:purple;text-decoration:underline">http://www.webappsec.org/rss/websecurity.rss</a><br><br>Join WASC on LinkedIn<span class="Apple-converted-space"> </span><a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" target="_blank" style="color:purple;text-decoration:underline">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a><br>
<br>WASC on Twitter<br><a href="http://twitter.com/wascupdates" target="_blank" style="color:purple;text-decoration:underline">http://twitter.com/wascupdates</a><br><br><a href="mailto:websecurity@lists.webappsec.org" style="color:purple;text-decoration:underline">websecurity@lists.webappsec.org</a><br>
<a href="http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org" target="_blank" style="color:purple;text-decoration:underline">http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org</a></p>
</div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"> </div></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><br>______________________________________________________________________<br>
This email has been scanned by the Symantec Email Security.cloud service.<br>For more information please visit<span class="Apple-converted-space"> </span><a href="http://www.symanteccloud.com/" style="color:purple;text-decoration:underline">http://www.symanteccloud.com</a><br>
______________________________________________________________________</div></div><br clear="both"></div>
</blockquote></div><br><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<br class="Apple-interchange-newline">-- </div><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
Pawel Krawczyk<br><a href="mailto:pawel.krawczyk@hush.com">pawel.krawczyk@hush.com</a> +44 7462 166716</div><div style="color:rgb(0,0,0);font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
CISSP, OWASP<br><br><br></div>
</div>
<br></div></blockquote><blockquote type="cite"><div>
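</div></blockquote><div>Added example, not part of the thread or written by any of its participants: one way to triage the responses a WSDL-driven fuzzing run records, flagging the unsanitised error messages and unhandled exceptions mentioned in Pawel Krawczyk's message. It covers SOAP 1.1 faults only; the pattern list, the sample responses and the com.example names are constructed assumptions.</div>

```python
import re
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 only

# Assumed, non-exhaustive signatures of unsanitised server-side errors.
LEAK_PATTERNS = {
    "java_stack_trace": re.compile(r"\bat\s+[\w.$]+\([\w$]+\.java:\d+\)"),
    "dotnet_stack_trace": re.compile(r"\bat\s+[\w.]+\(.*\)\s+in\s+\S+:line\s+\d+"),
    "exception_class": re.compile(r"\b(?:[A-Za-z_]\w*\.)+\w*(?:Exception|Error)\b"),
    "sql_error": re.compile(r"ORA-\d{5}|SQLSTATE|error in your SQL syntax", re.I),
    "filesystem_path": re.compile(r"(?:[A-Za-z]:\\|/(?:var|opt|home|usr|srv)/)[\w./\\-]+"),
}


def qname(tag):
    """Namespace-qualified tag name in ElementTree's {uri}tag notation."""
    return "{%s}%s" % (SOAP11_NS, tag)


def build_fault(faultcode, faultstring, detail=None):
    """Constructed SOAP 1.1 fault, serialised to bytes (sample input only)."""
    env = ET.Element(qname("Envelope"))
    fault = ET.SubElement(ET.SubElement(env, qname("Body")), qname("Fault"))
    ET.SubElement(fault, "faultcode").text = faultcode
    ET.SubElement(fault, "faultstring").text = faultstring
    if detail is not None:
        ET.SubElement(fault, "detail").text = detail
    return ET.tostring(env)


def scan_text(text):
    """Names of all leak patterns that occur in the text, in table order."""
    return [name for name, rx in LEAK_PATTERNS.items() if rx.search(text)]


def triage_response(status, body):
    """Label one HTTP response (status code, body bytes) from the service under test."""
    try:
        # Responses come from your own test target; use defusedxml for untrusted XML.
        root = ET.fromstring(body)
    except ET.ParseError:
        # The container answered instead of the SOAP stack (raw error page).
        return ["non_xml_response"] + scan_text(body.decode("utf-8", "replace"))
    fault = root.find(".//" + qname("Fault"))
    if fault is None:
        return ["http_5xx_without_fault"] if status >= 500 else []
    return ["soap_fault"] + scan_text(" ".join(fault.itertext()))


# Constructed responses, standing in for what a fuzzing run recorded.
SAMPLES = {
    "sanitised": (500, build_fault("soap:Client", "Invalid account number")),
    "leaky": (500, build_fault(
        "soap:Server",
        "java.sql.SQLException: ORA-00933: SQL command not properly ended",
        "at com.example.AccountDao.find(AccountDao.java:42)")),
    "raw_page": (500, b"HTTP Status 500 - /opt/app/conf/service.xml (No such file)"),
}


def run_suite(samples=SAMPLES):
    """Triage every recorded response; returns {case name: labels}."""
    return {name: triage_response(*resp) for name, resp in samples.items()}


def needs_fix(results):
    """A plain fault is acceptable; anything beyond that label is a finding."""
    return sorted(n for n, labels in results.items() if set(labels) - {"soap_fault"})


if __name__ == "__main__":
    for name, labels in run_suite().items():
        print(name, labels)
    print("needs fix:", needs_fix(run_suite()))
```

<blockquote type="cite"><div>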
</div></blockquote></body></html>