Abusing HTTP Status Codes to Expose Private Information
Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with “@gmail.com”… Perhaps you might want to make your Facebook “like” buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here’s how I achieve this.
Facebook’s Instant Personalization: An Analysis of Fundamental Privacy Flaws « 33 Bits of Entropy
Instant Personalization allows a partner website to automatically learn the identity of a visitor (as well as some data about them) without any explicit user action, provided that the visitor is a logged-in Facebook user. It is probably the most privacy-intrusive change introduced by the company this year, and could lead to a profound change in how the web works and is perceived.
Chroma-Hash allows you to quickly compare the contents of two secure text fields. It’s common for a signup flow to ask you to type your password twice (to make sure you didn’t mistype it). With this visualization, a user can instantly check to see if what she typed was the same each time, without having to submit the form.
skipfish – Project Hosting on Google Code
A fully automated, active web application security reconnaissance tool. Key features:
* High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
* Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
* Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.
The tool is believed to support Linux, FreeBSD 7.0+, MacOS X, and Windows (Cygwin) environments.
Side-Channel Leaks in Web Applications | Freedom to Tinker
Secure web connections encrypt traffic so that only your browser and the web server you’re visiting can see the contents of your communication. Although a network eavesdropper can’t understand the requests your browser sends, nor the replies from the server, it has long been known that an eavesdropper can see the size of the request and reply messages, and that these sizes sometimes leak information about which page you’re viewing, if the request size (i.e., the size of the URL) or the reply size (i.e., the size of the HTML page you’re viewing) is distinctive.
So here it is: Don’t hash secrets. Never. No, sorry, I know you think your case is special but it’s not. No. Stop it. Just don’t do it. You’re making the cryptographers cry.
PHPIDS » Web Application Security 2.0
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.
What a Botnet Looks Like – CSO Online – Security and Risk
Researcher David Vorel mapped interconnected, bot-infected IP addresses and created this geometric representation; CSO contributor Scott Berinato annotated the map and added interactive controls so you can zoom in and explore botnets’ inner workings.
CrypTool makes it fun and easy to learn about classic and modern cryptography and cryptanalysis. It is used at universities and schools as well as in national and international companies and agencies for educational purposes.
Amazon S3 Signature Tester in JavaScript
This tool is designed to help developers validate their code for signing requests to Amazon S3. Common problems include constructing the \\”string-to-sign\\” incorrectly, using code that generates a signature incorrectly, and not properly URL encoding signatures (for query strings only).
* In the closed-source world, you have a bunch of black-hats trying to find exploits in the software, sometimes by reverse engineering the product and sometimes using source code that has been accidentally leaked. Opposing them are a limited number of white-hats that work for the closed-source company that controls the software. As an administrator, you’re dependent on the technical talent of the closed-source company, it’s budgets, and finally the politics of its PR decisions (see CiscoBlackHat2005) as to whether bugs are found, fixed, and reported to you.
* In the open-source world, you have a bunch of black-hats trying to find exploits in the software using the source-code itself. In contrast to the closed-source world, however, you also have an almost unlimited number of white-hats doing the same thing. Those white hats are not limited by the technical talent, budgets, or politics of a single company. As a result, more bugs are found, fixed, and reported more quickly. You get more information, faster, in order to keep your network secure.
What You Should Know About AJAX Security
A nice collection of security related Ajax articles.
HTTP Authentication with HTML forms : Paul James
The main reason people walk away from using HTTP authentication is that they want control over the look of the login form and most browsers display an awful looking dialog box. So what we need is a way for HTML forms to pass HTTP auth data when it’s submitted. The HTML spec provides HTML forms as a way to create queries and to POST urlencoded data to a URL, but can we subvert it?
With the power of javascript we can.
super simple http authentication the ajaxian way.
Five common Web application vulnerabilities
This article looks at five common Web application attacks, primarily for PHP applications, and then presents a case study of a vulnerable Website that was found through Google and easily exploited. Each of the attacks we’ll cover are part of a wide field of study, and readers are advised to follow the references listed in each section for further reading.
Security Myths and Passwords
An article that explains why periodically changing passwords is pointless.
Cross Site scripting questions and answers
What is Cross Site scripting, and how to protect dynamic websites against it
Securing a windows XP Webserver
Good instructions for securing IIS 5.1
PGPfone – Pretty Good Privacy Phone
PGPfone (Pretty Good Privacy Phone) is a software package that turns your desktop or notebook computer into a secure telephone. It uses speech compression and strong cryptography protocols to give you the ability to have a real-time secure telephone conversation.