Hands On Series – SQL Injection Part 1

Posted by Dan Kuykendall
on April 28, 2006

The start of the “Hands on Series”, which means that there are actual
hands on excersises to go along with these shows.

Standard Podcast [ 58:03 ] Play Now | Play in Popup | Download (13612)

I feel that its time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself the saying goes.

I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

http://hackme.ntobjectives.com/- The new site setup for you to practice web app hacking.Includes detailed notes and samples that can be used to practice with.
Web App Hacking Toolkit – Collection of tools and links helpful for web security.
Jonathan Coulton’s Things a Week – Where the Code Monkey song came from.

Continue reading “Hands On Series – SQL Injection Part 1” »

InformationWeek | Web App Hack Incidents Are Up

Posted by Dan Kuykendall
on April 14, 2006

InformationWeek | Web Application Security | Web App Hack Incidents Are Up As Businesses Take Cover | April 12, 2006

First a bug ‘duh!”
And then I get to move into the “finally someones talking about this in the mainstream press”.

Not that Information Week is read by grandma or the average joe on the street, but for info tech community its pretty well known.

The things I like about the article is that they get it. The problems are basicly bad coding practices that are at the root of the problem. This is of course the primary topic in my podcast, so start listening and following my advice to deal with these issues!

Privilage Escalation Attacks

Posted by Dan Kuykendall
on April 14, 2006

Standard Podcast [ 20:55 ] Play Now | Play in Popup | Download (10780)

In this podcast I discuss a type of attack that allows users to basicly do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.

The problem is around validation against access controls at every point of execution. Too often the access controls are done to control the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. Thats bad design in the app, and it is VERY common.

Catching up and a preview of future shows

Posted by Dan Kuykendall
on April 13, 2006

Standard Podcast [ 39:40 ] Play Now | Play in Popup | Download (7007)

In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.