Abusing HTTP Status Codes to Expose Private Information
Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with "@gmail.com"... Perhaps you might want to make your Facebook "like" buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here's how I achieve this.

Facebook’s Instant Personalization
Facebook’s Instant Personalization: An Analysis of Fundamental Privacy Flaws « 33 Bits of Entropy
Instant Personalization allows a partner website to automatically learn the identity of a visitor (as well as some data about them) without any explicit user action, provided that the visitor is a logged-in Facebook user. It is probably the most privacy-intrusive change introduced by the company this year, and could lead to a profound change in how the web works and is perceived.

Chroma-Hash revisited
Chroma-Hash allows you to quickly compare the contents of two secure text fields. It’s common for a signup flow to ask you to type your password twice (to make sure you didn’t mistype it). With this visualization, a user can instantly check to see if what she typed was the same each time, without having to submit the form.

skipfish
skipfish - Project Hosting on Google Code
A fully automated, active web application security reconnaissance tool. Key features:

* High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.

* Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

* Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.

Side-Channel Leaks in Web Applications
Side-Channel Leaks in Web Applications | Freedom to Tinker
Secure web connections encrypt traffic so that only your browser and the web server you're visiting can see the contents of your communication. Although a network eavesdropper can't understand the requests your browser sends, nor the replies from the server, it has long been known that an eavesdropper can see the size of the request and reply messages, and that these sizes sometimes leak information about which page you're viewing, if the request size (i.e., the size of the URL) or the reply size (i.e., the size of the HTML page you're viewing) is distinctive.

Don’t Hash Secrets
Benlog » Don’t Hash Secrets
So here it is: Don’t hash secrets. Never. No, sorry, I know you think your case is special but it’s not. No. Stop it. Just don’t do it. You’re making the cryptographers cry.

PHPIDS
PHPIDS » Web Application Security 2.0
PHPIDS (PHP-Intrusion Detection System) is a simple-to-use, well-structured, fast and state-of-the-art security layer for your PHP-based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

SQL Injection Cheat Sheet
SQL Injection Cheat Sheet
Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of the samples are not correct for every single situation. Most real-world environments may change because of parentheses, different code bases and unexpected, strange SQL sentences.

What a Botnet Looks Like
What a Botnet Looks Like - CSO Online - Security and Risk
Researcher David Vorel mapped interconnected, bot-infected IP addresses and created this geometric representation; CSO contributor Scott Berinato annotated the map and added interactive controls so you can zoom in and explore botnets' inner workings.

CrypTool
CrypTool
CrypTool makes it fun and easy to learn about classic and modern cryptography and cryptanalysis. It is used at universities and schools as well as in national and international companies and agencies for educational purposes.