Here is a forum post describing how to stop hot-linking of images from your website by others, including a means to create a public folder that can be hot-linked from. Pretty useful, and not something that I configure every day, or even every month, but not a tidbit I really want to lose after 12 months either.
by LonerVamp 08.09.04 at 6:28 PM in /web
This is the online book copy of HackNotes: Web Security, which really looks like a good read. I really like this entire series of books as they are packed with good information.
by LonerVamp 06.01.06 at 9:05 PM in /web
A paper on IIS 6.0 security. IIS 6.0 is much more secure out-of-the-box than IIS 5, which means the challenge comes in opening 6.0 up enough to make it work (whereas 5.0 needs to be closed down enough to be secure). This is easier said than done when unfamiliar with what actually needs to be opened up...
Want to know how to hack IIS? Then read the Hacking IIS Tutorial. I have not read this yet, but it looks pretty useful and thorough.
by LonerVamp 06.01.06 at 10:17 PM in /web
Article on attacks against web servers (app level) and mitigations for stopping them, with full examples of the attacks. Some interesting things to try out someday would be mod_security and Tripwire-like programs to monitor file integrity. I would love to start getting alerts like these on my own systems whenever something changes, even if it is me updating a web page on my site. I also have a project to get some sort of centralized monitoring on my network to check for creation/changes to local user accounts and other things. I'd love to be able to centrally pull my firewall logs (Sygate), but I bet that will require my own scripting. At any rate, the paper is much of the same tried-and-true stuff with security, but the examples are pretty cool.
by LonerVamp 06.24.06 at 9:42 PM in /web
A nice long list of popular Firefox security extensions.
by LonerVamp 07.12.06 at 10:25 PM in /web
PHP has its share of issues and vulnerabilities. Honestly, it is the weak point of the LAMP architecture because of the potential for misconfigurations and insecure settings. The following links go into an entry in the SANS Top 20 and the top 5 PHP security settings.
SANS Top 20
PHP top 5
Since I use PHP I wanted to post this site with some PHP security tips.
And this is another nice list of PHP security issues and configurations.
is a PHP auditing tool that I totally have to try out sometime soon.
by LonerVamp 08.01.06 at 10:14 PM in /web
I certainly cannot condone evading firewalls and other protections in the workplace or otherwise, since I'm one of those guys trying to stop these people, but these techniques can be useful not only for times when you want it, but also for knowing what people might be doing so that I can stop it. In addition, some of these techniques have the side benefit of being more secure, such as when I am at a hotspot and wanting to make connections privately to public sites.
by LonerVamp 08.08.06 at 11:19 PM in /web
Here is a story about an XSS pen test along with a link to the actual story. Hopefully I can add more XSS resources here in the future.
by LonerVamp 08.15.06 at 5:57 PM in /web
SecurityMonkey has a post about using SSL to secure access to a website. Apache + Linux + SSL = limited user access.
by LonerVamp 09.08.06 at 8:12 PM in /web
Macworld passes were hackable.
This just amuses me to no end. While Apple does not directly put on Macworld (IDG World Expo does), it is interesting how security by proxy can work. I would hope IDG World Expo's developers are few in number, underpaid, and overworked to put out something like this. This reflects badly on Apple as well.
Which brings up the question of just how many and how bad can insecure practices be before they take in collateral damage? Can a mistake on IDG's part be prevented by Apple? Should companies VA or pen-test each other? Should Apple have known better? Is there really any recourse for this as we move into the future security-be-damned?
If I find more details on the hack, I'll update this post.
by LonerVamp 01.15.07 at 1:37 PM in /web
Holy crap! Also from SecuriTeam is an announcement that the OWASP Testing Guide has been released. This guide looks absolutely PACKED with webapp testing steps and details.
by LonerVamp 02.23.07 at 8:52 AM in /web
I really appreciate "how-to" sorts of posts as they can give people like myself actual insight in how to do things as opposed to the multitude of posts that teach me how to talk like I know how to do things (without actually doing things). Ack!
. It includes links to other techniques, analyzes how some current techniques are being defeated, and also includes a nice tool at the bottom.
If I were actually more into web application security, I'd totally be eating this up. But that's not really a place I can focus much time right now. Maybe some other year. Until then, I love the hands-on posts. By the way, if you are interested in webappsec and have a chance to move into that sphere, it's quite the lucrative market right now.
by LonerVamp 03.05.07 at 9:33 AM in /web
Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!
HTTP Request Smuggling is scary for a few reasons.
First, and likely the biggest reason many people don't hear about it, is that it is pretty complicated and technical. Do you know the differences in how your application-level packet interpreters (cache proxies, firewall proxies...) and your web servers parse HTTP? Me neither. But some people do, and I bet they can pilfer some scary stuff without many people knowing.
Third, it sounds difficult to detect in logs and on the wire, since the packet parsing needs to be done with awareness of which web server and proxy server are in the communication line, and how they parse HTTP.
Palisade has a nice write-up on the issue available on both their quiz question and also their article. WatchFire has an amazing white paper on the issue that you can sign up to get (use Pookmail as your throwaway email address).
by LonerVamp 04.20.07 at 2:16 PM in /web
There isn't much detail posted yet, but it appears the Akismet plugin for WordPress 2.1.3 (and probably others) has some vulnerability in it. Right now, the only mitigation really is to turn off the plugin unless details/updates are released to see if I am vulnerable (I don't use WordPress).
Heck, I already get enough spam, and I have been watching as it slowly spreads from a couple core posts to other older posts. Oddly, this weekend about 30 spam comments got through (even as my own comments get moderated!). It's really just a losing proposition in the end, unless someone really babysits their blog or enforces registration (blech!). At least I babysit for now. I should try to go through my junk list (1399 spam comments saved) and see if there is any sort of IP correlation or what. I kinda doubt it, but maybe I can at least filter some more keywords beyond the obvious...
by LonerVamp 05.14.07 at 8:46 AM in /web
An idea for a rainy day (or bored student!): a web proxy "honeypot." (Snargled from Grossman.) Now, rather than rolling theirs and instead rolling your own, I suppose it wouldn't be all that hard to stand it up, but it might be a bit harder trying to attract malicious users. Perhaps by dropping the open proxy address to some anon proxy lists, astalavista, and perhaps other places you might eventually get some hits...
Running one's own open web proxy might drive home the fact that while web proxies may give anonymity to the destination, they do absolutely nothing for the privacy of data or anonymity from the point of view of the proxy device.
Oh, and how fuckin' sweet is it that you can package your wares into a VM and distribute it that way? Copy over the VM, start it up, and bam, all that configuration and setup is pretty much done, just give it an IP!
by LonerVamp 05.14.07 at 1:09 PM in /web
The OWASP Top 10 has been updated. The PDF version is way at the bottom. Top lists of anything are tough because you have to draw lines and qualifications somewhere. I like that the authors mention some items they left out, such as input validation and buffer overflows, but I'm a little concerned that those should still have been included. I guess I am not yet satisfied with why they left them out.
Then again, I have yet to give this a deeper read and maybe am just distilling the information a little slowly yet. Overall, I love the OWASP stuff and this top 10 is excellent. Got linked to this from Jeremiah.
by LonerVamp 05.30.07 at 1:58 PM in /web
There's an endless number of proxies out on the Internet to use for anonymous or filter-bypassing activities. Like using Google Translate, you can use this unofficial-looking Google wireless tool that displays a web page how a mobile user would see it, without needing the mobile device in hand. Kinda cute, and interesting. Saw this from Planet-WebSecurity, who linked to The Hacker Webzine, and so on...
I should start considering a category called survival skills for the cyber age. This would be part of it...
by LonerVamp 07.20.07 at 1:34 PM in /web
I didn't even know this was around. Blackdust.whitedust.net is a Google search proxy to anonymize your searches. Of course, if you search for personally identifiable stuff, like your name, that's not necessarily very anonymous anyway, and no proxy will save you. And if I search for "HIV treatments" just before you search for your name, an anonymized search might actually hurt you should the information get out into ignorant hands. Basically you can take it or leave it, but I like the non-standard colors as something new. Saw this over at ComradeSmack.
by LonerVamp 07.26.07 at 10:48 AM in /web