An Information Security Place Podcast – Episode 28

This was a wacky episode and I was only able to join toward the end due to some scheduling conflicts, but I think it turned out pretty well in the end.

An Information Security Place Podcast – Episode 23

I returned as a guest host… looks like I may become a regular part of the cast. I promise I won't keep cross-posting these forever, but I am doing it again since we talked about a blog post I had written yesterday.

Full show notes can be found at The Information Security Place site

MightySeek on InfoSecPlace Podcast

The MightySeek Podcast is returning.

I am starting an effort to have a show posted every 2 weeks, with hopes for a Hands On Series every 2 months.

I will also be joining the An Information Security Place podcast. They do a podcast about general information security, and I will be the resident webappsec expert commenting on those topics. This post links to episode 22 of the An Information Security Place podcast. I will not normally be doing this, but am doing it this week to get things rolling.

MightySeek Interviews rsnake

Today I had the pleasure of meeting up with a celeb of the web app sec world: rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hooked up my mic and loaded up the recording software, then completely forgot to switch the input to my good mic, and ended up doing the recording on the lame mic that's built into my laptop.

In any case, here ya go.

PHP Security and the Month of PHP Bugs

In this episode I discuss PHP security. Up to this point I have talked about web app sec in general, but I break from this in honor of the Month of PHP Bugs that is going on through March.

PHP has frequently been blamed for security problems in applications written in PHP, which really is no fault of the language and engine itself. It would be like everyone blaming C and C++ for being insecure and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase itself which need to be fixed, and that is what the Month of PHP Bugs is highlighting.

So in this episode I discuss these issues, some of my past projects and various other issues in PHP… It's so good to be back at the mic, even though I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!

Hands On Series – Cross Site Scripting (XSS) Part 1

The “Hands on Series” continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will then be executed in other users' browsers.
A key element of XSS is that one user can submit data to a website that will later be displayed to other users.
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than an attack on other users.

The hackme site has been updated and improved (more about that in a moment) and now includes a section for XSS which we will be using in this episode.


Mighty Seek Podcast #15 – News and Misc Topics

A quick in between to the Hands On Series, I chat about some news and issues of the day.

Turkish Hacker defaces 38,000 websites hosted on GoDaddy

Flawed USC admissions site allowed access to applicant data

Breach case could curtail Web flaw finders

Man charged with accessing USC student data

Tsunami appeal site ‘hacker’ found guilty

Hands On Series – SQL Injection Part 1

The start of the “Hands on Series”, which means that there are actual hands-on exercises to go along with these shows.

I feel that it's time to go beyond the concepts and the chatter about what bad guys can do, and actually show you directly. See for yourself, as the saying goes.

I recommend that you listen to these episodes while viewing the hacking test site, and have the show notes visible and ready to cut and paste from.


Privilege Escalation Attacks

In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to compromise the admin-type accounts. So without having to figure out the admin password, it is often possible to perform administrative functions by simply attempting them.

The problem is the lack of validation against access controls at every point of execution. Too often the access controls are applied only to the navigational structure, meaning that the menus do not show links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. That's bad design in the app, and it is VERY common.
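To make the design flaw concrete, here is an added example (my own illustration, not code from any episode or from the hackme site) contrasting the navigation-only pattern with a check at every point of execution; the users, roles and route names are constructed for the demo.

```python
# Added example: "hiding the menu link" versus enforcing authorization
# inside the handler. All users, roles and routes are constructed sample data.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    is_admin: bool


class Forbidden(Exception):
    pass


# Weak pattern: the only access control is that ordinary users never
# see the admin link in the menu.
def build_menu(user: User) -> list[str]:
    items = ["/profile", "/orders"]
    if user.is_admin:
        items.append("/admin/delete_user")
    return items


# The handler itself trusts that nobody reaches it without the menu link.
def delete_user_unchecked(user: User, target: str) -> str:
    return f"deleted {target}"


# Hardened pattern: the check lives in the handler, so every path to the
# function (menu, typed URL, script) goes through it.
def require_admin(handler):
    def wrapper(user: User, *args, **kwargs):
        if not user.is_admin:
            raise Forbidden(f"{user.name} is not an administrator")
        return handler(user, *args, **kwargs)
    return wrapper


@require_admin
def delete_user(user: User, target: str) -> str:
    return f"deleted {target}"


# A minimal dispatcher: a typed URL is just a direct call to the handler.
def dispatch(routes: dict, user: User, path: str, *args) -> str:
    return routes[path](user, *args)


WEAK_ROUTES = {"/admin/delete_user": delete_user_unchecked}
HARDENED_ROUTES = {"/admin/delete_user": delete_user}
```

In the weak version an ordinary user who knows the URL gets the deletion done; in the hardened version the same request raises Forbidden regardless of how the URL was reached.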