Articles in feature

  1. Mallory is More than a Proxy - Raj Umadas and Mike Zusman of Intrepidus Group gave an amazing talk on Mallory last night at the Philadelphia OWASP chapter meeting. At first glance Mallory seems like a simple tool, just a proxy application that sits on the wire. Closer inspection, how
  2. Evaluating CMS Security - When evaluating content management systems (CMS) it is extremely important to include criteria covering security considerations. CMS'es are complex, and extremely powerful web applications, and as such present interesting security challenges. Although m
  3. Hydra Brute Force Utility - Hydra is a powerful, multi-protocol brute force attack tool. Brute force attacks involve guessing authentication credentials in an attempt to gain access to a system. Brute force is, over time, the most successful way to break simple authentication.
  4. Auditing Drupal Modules for XSRF Vulnerabilities - Cross site request forgery (CSRF (pronounced sea-surf) or XSRF) is a trust exploitation that shares many similarities with cross site scripting (XSS).
  5. Using Drupal XML-RPC to Bypass Authentication Failure Detection - Drupal provides robust, and largely ignored, XML remote procedure call (RPC) functionality. This functionality is available through the xmlrpc.php file that is available at the Drupal root in any installation. Any module can provide a hook into the XMLR
  6. Auditing Drupal Modules for XSS Vulnerabilities - Finding cross site scripting vulnerabilities in Drupal modules.
  7. Securing Drupal User Accounts - Securing a default Drupal installation takes some work and forethought. Drupal's native functionality creates a number of vulnerabilities that can only be mitigated through careful configuration.
  8. Brute Forcing Drupal - Brute forcing account credentials for Drupal 5 and 6 sites including a sample script.
  9. Monitoring Drupal for Insecure Settings - The Drupal content management system (CMS) is a wonderful for maintaining multiple, user driven and owned websites. From a security context, however, Drupal can present a challenge.
  10. Exploiting PHP PCRE Functions - An examination of the /e flag in the PHP preg_replace function and how it can lead to vulnerabilities (and exploits).
  11. PHP Null Byte Poisoning - Null byte poisoning can be an extremely dangerous problem in PHP applications. In order to fully understand the PHP null byte issue we have to examine how C handles strings.
  12. Writing OSSEC Custom Rules and Decoders - By default OSSEC monitors many of the programs commonly installed on a machine, but it's real power comes from the ability of system administrators to customize OSSEC.
  13. PHP Arbitrary File Include - File include vulnerabilities in PHP examined, including some defensive strategies.
  14. Using the Google Safe Browsing API from PHP - Google's new Safe Browsing API is a neat service that allows you to poll the MD5 hashes of known malware and phishing sites.
  15. Using SQLMap for Automated Vulnerability Assessment - Vulnerability assessors and code auditors are often faced with situations where a large volume of code needs to be audited quickly to enable a deployment.
  16. LAMP Security Through Virtualization - Splitting up the various layers of the LAMP stack to provide more insulation and defense in depth.
  17. Using and Extending Kojoney SSH Honeypot - Kojoney (http://kojoney.sourceforge.net/) is a wonderful low interaction SSH honeypot written in Python.
  18. Defending Web Applications with PHPIDS - PHPIDS is a very intriguing project that mimics the functionality of much more involved intrusion detection systems.
  19. Security Review of NanoCMS - A brief security evaluation of NanoCMS version 0.4 final revealed a number of notable security vulnerabilities.
  20. Hardening PHP from php.ini - PHP's default configuration file, php.ini contains a host of functionality that can be used to help secure your web applications.
  21. Writing Safer Database Queries from PHP - Both PHP and MySQL include many features that developers can use to create safer web applications.
  22. Defending PHP Web Applications from MySQL - MySQL provides a number of features that can be used to greatly increase the security of your PHP application.
  23. Hardening PHP with Suhosin - Suhosin is an extremely valuable addition to any PHP installation, allowing robust security and easy configuration.
  24. Brute Forcing PHP MD5 Hashed Passwords - Recovering the plain text of an MD5 can be accomplished with a brute force attack with surprising ease.
  25. Exploring JPEG Metadata -
  26. Using Paros for Web Application Auditing and Debugging - Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging.
  27. Samurai Web Testing Framework - he Samurai Web Testing Framework is a bootable Linux CD that contains numerous tools specifically designed for web application penetration testing and vulnerability assessment.
  28. Free AntiVirus for Windows - ClamWin runs in your system tray, and can perform regularly scheduled system scans in addition to scanning Microsoft Outlook e-mail, and allowing you to right click any file and scan it.
  29. Writing Windows Buffer Overflows - Writing a buffer overflow attack against a Windows program present several challenges.
  30. Security Researcher Toolkit - When you start working in computer security, as with many computer related fields, you'll find that there are a lot of expensive tools out there to assist in your work.
  31. About Identity Theft - Identity theft is a common topic in the media and in reality these days.
  32. Introduction to Incident Response - The purpose of this tutorial is to provide a basic introduction to incident response.
  33. Web Hacking Lesson 6 - Arbitrary Code Execution Vulnerabilities - Arbitrary code execution vulnerabilities are the most damaging sorts of vulnerabilities to find in web applications.
  34. Web Hacking Lesson 5 - File Upload Vulnerabilities - File upload vulnerabilities (and local file disclosure vulnerabilities) are some of the most devastating vulnerabilities in PHP applications.
  35. Web Hacking Lesson 4 - File Include Vulnerabilities - PHP file include vulnerabilities are some of the most destructive that an attacker can exploit.
  36. Web Hacking Lesson 1 - This is the first in a series of training articles that goes hand in hand with a test site that should be downloaded and installed by the reader.
  37. Web Hacking Lesson 3 - Brute Force - Brute forcing a web application is a method to bypass traditional authentication checks.
  38. Using Blowfish Encryption Between PHP and Perl - I recently wondered if I could use a common encryption algorithm across both PHP and Perl.
  39. Securing User Input in Web Based Applications - Gathering input via a form doesn't guarantee that the only data passed to the form processing script will be passed by the form.
  40. Failing Gracefully with PHP 5 - Failing gracefully is often an application development goal that gets overlooked in pursuit of development.
  41. Firewalls, Filters and NAT - In the arsenal of defensive tools available for network administrators, firewalls probably occupy the most prominent, and vital position.
  42. Writing Buffer Overflows - A brief tutorial on buffer overflow vulnerabilities and developing exploits.
  43. Choosing a PHP Presentation Layer Technology - Considerations when choosing between XML or Smarty as a display layer technology.
  44. Internet Information Discovery and Retention - An exploration of information retrieval and retention on the internet, including tips and tools for anonymizing your online activity.
  45. Computer Security Class - Notes 1 - The notes from the first session of the 'Computer Security' class I taught.
  46. Hubs And Switches, What's the Difference? - A short description of the distinguishing characteristics of hubs and switches. How to choose the best one for your needs.
  47. Linux Bootloaders (LILO vs. GRUB) - An investigation of bootloaders, what they do and which advantages of LILO and Grub.
  48. Typical Computer Users Security Guide - Simple guide to security for home users. Covers easy steps you can take to protect your home system.
  49. Cold Fusion Server Security - Cold Fusion server security. Includes a discussion of accessing the CFIDE administrator function on Cold Fusion servers and RDS security.
  50. Intro to Cable/DSL Routers - Installing, configuring and understanding cable and DSL routers for your home LAN.
  51. Overview of Computer Security Part I - A rather long white paper on all sorts of aspects of computer security. Developed for a training program on computer security.

Top Articles

  1. Installing Nikto on Windows
  2. SSHatter SSH Brute Forcer
  3. PHP Arbitrary File Include
  4. Hardening PHP from php.ini
  5. Web Hacking Lesson 4 - File Include Vulnerabilities
  6. e107 XSS and XSRF Vulnerabilities
  7. Madirish Tutorial 11 (Brute Forcing)
  8. Using the Google Safe Browsing API from PHP
  9. JavaScript Email Validation
  10. Beginners Guide to PHP

Tags

advisory, apache, authentication, brute force, c, certification, cms, computers, database, development, disclosure, drupal, editorial, email, encryption, exploit, feature, firewall, hardening, hardware, honeypot, how-to, incident response, intrusion detection, java, javascript, linux, malware, microsoft, mysql, networking, open source, oracle, ossec, perl, phishing, php, privacy, review, rootkits, security, social engineering, sql injection, ssh, tools, virtualization, virus, vulnerability, website, wireless, xml, xsrf, xss

Links

Sites or researchers I dig

Blog Articles

Advisories