Wednesday, May 31, 2006

Garmin: nüvi & Nuvi 350 Accessories
Advanced SQL Injection in Oracle databases & An Introduction To SQL Injection Attacks For Oracle Developers | SecGuru (PDF) - VERY IMPORTANT!
Security Developer Center: Application Threat Modeling: Download details: Threat Analysis & Modeling v2.0 RC1, Microsoft Application Threat Modeling Blog : [VIDEO] What is Microsoft Application Threat Modeling?, RockyH - Threat modeling V2, Channel9 Wiki: HomePage: "Welcome to patterns & practices Security Wiki" (Channel9 Wiki: SecurityTrainingModules: "Input and Data Validation"), Microsoft Application Threat Modeling Blog : What is Microsoft Threat Analysis & Modeling?
Jerry Bryant's Security Blog : STRIDE model of threat categories: "At Microsoft, we have developed what we call the STRIDE model for categorizing software threats. These are used in security bulletins to describe the nature of a security vulnerability." (S – Spoofing Identity, T – Tampering with data, R – Repudiation, I – Information Disclosure, D – Denial of Service, E – Elevation of Privilege)
Security - MSDN - Microsoft UK: Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication (PDF)... Improving Web Application Security: Threats and Countermeasures (PDF)
CommunitySecureSoftwareGuide.HomePage: "Welcome to the Threats and Countermeasures Community Knowledge Base" (Google cache)
Security Guidance for .NET Framework 2.0 : Security Engineering Explained and Security Deployment Review for ASP.NET 2.0 are now available on MSDN: "We just released patterns & practices Security Engineering Explained and How To: Perform a Security Deployment Review for ASP.NET 2.0 on MSDN."
Daniel Cazzulino : eXtensible Mind Lounge : Download full DVD set from PDC 2005

Tuesday, May 30, 2006

Benjamin Livshits: Research Overview: "Static and Runtime Solutions for Web Application Vulnerabilities. (April 2006)... Using Eclipse to Detect Security Errors in Web Applications. (March 2005)" & The Griffin Software Security Project: Stanford SecuriBench - "is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java."; Stanford SecuriBench Micro - "Unlike Securibench, which contains large, real-life applications, Securibench Micro is a series of small test cases designed to exercise different parts of a static security analyzer. Each test case in Securibench Micro comes with an answer, which simplifies the comparison process."
Fortify Software: "Identify, track and manage your software vulnerabilities to mitigate risk... Secure Coding Plug-ins are available to support leading Integrated Development Environments (IDEs) such as Microsoft Visual Studio, Borland JBuilder, and Eclipse"
Enterprise Java Community: TheServerSide @ JavaOne 2006 - Day 4: "Twelve Java Technology Security Traps and How to Avoid Them... (The full slides, including code examples, can be downloaded from https://www28.cplan.com/cb_export/PS_TS-1660_277660_124-1_FIN_v2.pdf)." & Day 3 & Day 2 & Day 1
AMIS Technology blog » Blog Archive » JavaOne 2006 has started - get the hand-outs for the presentations now: "To download the PDF documents with this year’s JavaOne presentations, go to: The JavaOne Session Catalog Tool. You can search by author, topic, track and type of presentation. When the download starts, you have to provide a username and password; these are: contentbuilder/doc789"
Large-scale Servlet Programming: What is Session Data, Anyway?: "This article examines the key scalability issue of storing client data on the server and some approaches for making your servlets perform in a high-traffic environment.... Table 1 details the different options for handling session state that we have evaluated, and the advantages and disadvantages of each. There is no one best solution to this problem. You have to carefully consider the advantages and disadvantages of each solution and choose the one that is best for your particular problem."
Per Brinch Hansen - Wikipedia, the free encyclopedia: "Danish-American computer scientist known for concurrent programming theory."

Monday, May 29, 2006

Anti-proxy: how to detect your IP if you are using an anonymous proxy server? (proxy FAQ)
anonymous, surfing, anonymous surfing, anonymous web surfing, proxy, web, proxy server & PROXY lists & WAY more Proxy Lists like this one: Proxy 4 Free: Proxy List - Page 1 & THE BEST START IS John Resig - Anonymous Proxy List - How to browse Anonymously article for Firefox Web Browser. Make sure to read the comments with links to many lists!
Lucky Strike - fishing tackle and fishing lures
Northland Fishing Tackle: Request a Northland Fisherman Catalog
Find broken links on your site with Xenu's Link Sleuth: "checks Web sites for broken links. Link verification is done on 'normal' links, images, frames, plug-ins, backgrounds, local image maps, style sheets, scripts and java applets. It displays a continuously updated list of URLs which you can sort by different criteria." & Guide to Using Xenu's Link Sleuth

Saturday, May 27, 2006

Toronto Ontario Area Fishing Reports - LINKS
Welcome to Ontario Streams
GRCA - Fishing the Grand River Watershed & GRCA - Fish Species
Ontario Ministry of Natural Resources: "Urban Fishing Sites in the Toronto Area"
Ministry of Natural Resources Publications: "Urban Fishing Opportunities in Toronto & Surrounding Areas (Size: 1.4 Mb); Fish Ontario - An overview of where and how to experience Ontario's great sportfishing. (Size: 3.9 Mb); Take a Kid Fishing Guide (Size: 2.7 Mb)"
TORONTO FISHING | Toronto Fishing - in Toronto, Ontario, Canada: "When Toronto fishing for pike keep in mind that most of the canals will have pike cruising around, or try the lagoons around Ward’s Island. Try to get over there before the fish spawn & again after they are done for the best Toronto fishing. You'll find good pike Toronto fishing usually during the first two weeks in April. Warm sunny days with a slight breeze are best for Toronto fishing because this warms the water & stimulates the pike to move and look for spawning areas. Toronto fishing for bass & various panfish is best in the weed beds..." & City of Toronto: Toronto Island Park: "Download the 2006 Toronto Island Map (PDF)" & City of Toronto: Ferry Schedule Summer
The Center for Education and Research in Information Assurance and Security: Tools & Resources, CERIAS Weblogs » More Useful Firefox Security Extensions (PasswordMaker...) & Useful Firefox Security Extensions & Using mod_security to block PHP injection attacks
Microsoft Office Assistance: Outlook Inbox Repair Tool: "also referred to as Scanpst.exe"
Privoxy - Home Page: "a web proxy with advanced filtering capabilities for protecting privacy, modifying web page content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk."
Geek to Live: How to set up a personal home web server - Lifehacker

Friday, May 26, 2006

James Strachan's Weblog - Rails and Ajax get on the bus. Go ActiveMessaging!: "Having both a good Rails story and a good Ajax story which both work great with JMS and .Net, the world of messaging is getting easier and more powerful all the time."
SQL on Rails - Taking the VC out of MVC: "Rails is a short-stack framework for developing database-contained web applications according to the Model-Model-Model pattern. From the Ajax in the model, to the request and response in the model, to the domain model wrapping the database, Rails gives you a pure-SQL development environment. Finally!"
BeanFlow: "a lightweight Java library for building workflows using beans to orchestrate events. You can think of BeanFlow as a simple alternative to BPEL where the workflows are all specified and implemented using Java code rather than declarative XML." (via James Strachan's Weblog: "POJO based Orchestration; an introduction to BeanFlow")
Nerd Vittles » Weather, Weather, Everywhere: Asterisk Weather Forecasts at the Touch of a Button for Any U.S. City
blogapps: Blogapps: "Useful RSS/Atom examples and utilities"
Blogging Roller: JavaOne: putting the web back in web services: "I think I got the point across that Atom protocol is generic, not just for blogs and applicable to a wide range of problems. I also made a point of promoting Marc Hadley's work on WADL and his talk on RESTful web services with JAX-WS." & GigaOM : » The Myth, Reality & Future of Web 2.0: "A more in-depth discussion on this can be read on Peter Rip’s blog, where he writes, “Web 2.0 is a lighter weight version of SOA. RSS/REST is the new EAI.” Dion Hinchcliffe, makes a very compelling and coherent argument in favor of what Rip is saying."
SkypeOut: How to get calling: "Calling any phone within the US and Canada is free until the end of the year."
podcast | Lullabot: Drupal Teleconference (MP3) and Podcasts
Creating Passionate Users: Do something scary - "You must do the things you think you cannot do." & Don't give in to feature demands! & Out-spend vs. out-inspire the competition
Technorati: Popular Blogs - Top 100
Broken Kode | Shuttle: "a complete beautification of the WordPress Administration Panel"
10 Blog promotion tools
9 Javascript(s) you better not miss !!
Moving On: Migrating from EJB 2.1 to EJB 3.0
GISuser.com GIS, GPS, LBS, CAD, mapping news, jobs, software, data, community - Free Tools and TrialWare
Fish Ontario Web Board!
Denim Group, Ltd.: AJAX Security: Here We Go Again: "True it is harder to spoof POST requests than it is to spoof GET requests, but either type of request CAN be spoofed, so you have to take that into account on the server side. Checking the 'Referrer' header adds essentially NO security to an application because anything in the request is just bits coming across the wire. 'Referrer' headers, cookies and any HTTP parameters (GET or POST) can be faked, so the server applications themselves need to be designed around this. Security starts - and ends - on the server side when it comes to ANY web application... open source tool called "sprajax" that will help with assessment and auditing of AJAX applications." & Google Groups: comp.security.misc - protecting a Web server by signing every URL: "If a user tries to modify a single character in the URL from his browser, then the front controller servlet will dispatch to a special page indicating that URL has been 'faked' and fill the logs accordingly." (via AJAX: Is your application secure enough? »: "As for “ease of spoofing” of GET versus POST. POST isn’t much harder, especially when you cheat and use the TamperData Firefox plugin, which is by far the most useful plugin for AJAX developers.")
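Added example (not code from the comp.security.misc thread or from any page linked above): a minimal version of the "sign every URL" idea in Python. The server computes an HMAC-SHA256 over the path and all query parameters with a server-side key, appends it as a query parameter, and the front controller verifies it on the way back in, so changing a single character of the path or any parameter sends the request to the "faked URL" page. The key, the `sig` parameter name, the example host and the `dispatch` stand-in for the servlet are all assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed server-side secret for the example; a real deployment loads it from
# configuration, and the client must never see it (a keyed MAC is the point:
# a plain hash could simply be recomputed by the client after tampering).
SECRET_KEY = b"example-only-key-load-a-real-one-from-config"
SIG_PARAM = "sig"  # assumed name of the signature query parameter


def _canonical(path, params):
    """Bytes that get signed: the path plus the query parameters in sorted
    order, so that reordering parameters does not change the signature."""
    return (path + "?" + urlencode(sorted(params))).encode("utf-8")


def sign_url(url, key=SECRET_KEY):
    """Append an HMAC-SHA256 signature over the path and all query parameters."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    mac = hmac.new(key, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    params.append((SIG_PARAM, mac))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def verify_url(url, key=SECRET_KEY):
    """True only if the URL carries exactly one signature and it matches the
    path and parameters as received."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in params if k == SIG_PARAM]
    if len(supplied) != 1:
        return False
    unsigned = [(k, v) for k, v in params if k != SIG_PARAM]
    expected = hmac.new(key, _canonical(parts.path, unsigned), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(expected, supplied[0])


def dispatch(url):
    """Stand-in for the front controller: valid URLs are routed, anything
    else goes to the 'faked URL' page (where a real controller would log it)."""
    if verify_url(url):
        return "ROUTE " + urlsplit(url).path
    return "FAKED_URL_PAGE"


if __name__ == "__main__":
    signed = sign_url("https://app.example/account/view?id=42&tab=orders")
    print(dispatch(signed))                              # ROUTE /account/view
    print(dispatch(signed.replace("id=42", "id=43")))    # FAKED_URL_PAGE
```

Two caveats a practitioner will want alongside this. A signature only proves the server generated that exact URL: it does not stop a user replaying a signed URL they were legitimately handed, and it does nothing for POST bodies unless those are signed as well, so the server-side authorization checks the Denim Group post insists on are still needed. And the canonical form must be computed identically on both sides; sorting the parameters before signing is what lets a reordered but otherwise unchanged URL still verify.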
OWASP Toronto Local Chapter & owasp-toronto - Mail Archive
Ping Tunnel - Send TCP traffic over ICMP: "For those times when everything else is blocked"
tass: TASS: "Test Application Signature Safety - analyze static references"
HOWTO bypass Internet Censorship, a tutorial on getting around filters and blocked ports (via Google Directory - Society > Issues > Science and Technology > Computers > Internet > Content Filtering)
James Strassburg: HOWTO: Tunneling HTTP over SSH with DD-WRT, DynDNS and Putty: "I happen to work at a company that doesn't allow use of anonymous proxies (which is fine) but I don't necessarily want them viewing my web traffic either. Here is how I set up an HTTP tunnel to my home network from work."
InfoQ - Pitchfork: EJB 3 Interception & Injection to WebLogic using Spring: "Last week it was announced that the EJB 3 implementation in the BEA WebLogic EJB 3 Tech Preview was being built with Spring, using a joint project called Pitchfork, led by Spring framework founder Rod Johnson and WebLogic core engineer Michael Chen. The use of Spring to do injection and interception, as well as the integration with Kodo allowed BEA to get its Tech Preview out faster. Pitchfork can also be re-used by other appserver vendors or open source projects that want to offer EJB 3 interception and dependency injection." & JeeWithSpringAndBea - Spring IDE - Trac: "Implementing JEE with Spring 2.0 and BEA WebLogic"

Thursday, May 25, 2006

Nokia, Google detail Linux tablet collaboration: "Additionally, the open source Maemo community has created about 120 stable applications for the platform, including an instant messaging client based on GAIM."
Build a Web service with PHP
FTPOnline - VSLive! Toronto 2006 - The Future of Programming Languages: "John Lam is the creator of RubyCLR, a bridge that brings the power of Ruby to the .NET platform."
MSDN Magazine Contents: June 2006 & Data Security: Stop SQL Injection Attacks Before They Stop You & Security Briefs: Security Enhancements in the .NET Framework 2.0
MyEclipse 5.0 Milestone 1 for Eclipse 3.2 is Now Available :: MyEclipse: "Installing Matisse4MyEclipse..."
Make Java DB Your Client-side Portable Database: "By embedding Java DB in your Java application, you provide a portable database that launches and shuts down as the application does. If that's not enough, you can create XML schemas on the fly using XML files and insert rows into a table without using SQL too."
UltraVNC
Web-based Day Rental Calendar - The Code Project - ASP.NET: "I found Paul Apostolos' excellent article, "Building an Event Calendar Web Application". This became my starting point."
MySQL 5 C# sample code using ObjectDataSources - The Code Project - ASP.NET: "A simple example using MySQL 5 and stored procedures with ObjectDataSources and Generics, in ASP.NET 2.0."
The new reporting horizons with Microsoft Reporting Services 2005 - The Code Project - ASP.NET: "How to use a Webservice as a data source"
TheSims2.com - Web Games

Wednesday, May 24, 2006

Joe Darcy's JavaOne Talk Archive
TechKriti: "Spring ,JMX and Weblogic MBeans"
Amazon Mechanical Turk - Wikipedia, the free encyclopedia: "enables computer programs to co-ordinate the use of human intelligence to perform tasks which computers are unable to do. Requesters, the human beings that write these programs, are able to pose tasks known as HITs (Human Intelligence Tasks), such as choosing the best among several photographs of a storefront, writing product descriptions, or identifying performers on music CDs; Providers can then browse among existing tasks and complete them for a monetary payment set by the requester. To place HITs, the requesting programs use an open Application Programming Interface."
Miniature Java Web Server: "throttle file - allows reducing access speed to particular files and improving overall server performance... Run it on a WindowsCE based PDA: A base TJWS runs perfectly on PDAs under IBM's J9 VM. Make sure that you installed the Personal Profile 1.1 VM to your PDA following IBM's instructions. In this case you can run TJWS out of the box, just copying webserver.jar and servlet.jar to your PDA."
NewsForge | A free education: "GCompriX is a live CD specifically designed to run GCompris on modest computer hardware -- even on an original Pentium CPU with a mere 64MB of RAM. The CD does not modify the installed operating system, so it can be used on school computers without concern. On systems with a large amount of RAM it is even possible to load the entire GCompriX disc into memory for incredibly fast operation."
If It's Not Nailed Down, Steal It: "Pattern Matching, S-Expressions, and Domain Specific Languages in Ruby"

Thursday, May 18, 2006

Application Security Software, Consulting, and Services Solutions from NT OBJECTives: "ntoweb is a freeware vulnerability assessment plug-in for NTO's renowned ntoinsight 2.0 tool that scans for the more than 3100 known vulnerability signatures in the Nikto database"
InfoQ - Tracking change and innovation in the enterprise software development community: Java Transaction Design Strategies, Simple JAVA and .NET SOA interoperability,...
Dynamic Loading/Reloading of Classes and Dynamic Method Invocation, Part 1
Enterprise Java Community: News : Google Web Toolkit: "Java software development framework for writing AJAX applications like Google Maps and Gmail."
rootkit.com: "Rootkits are powerful tools to compromise computer systems without detection. Learn why virus scanners and desktop firewalls are not enough. Learn how attackers can get in and stay in for years, without detection."
www.GomoR.org: Tools in category HTTP server audit
SourceForge.net: owasp-testing: "Sensepost's EoR application?" & E-Or: A web application scanner Usage documentation (via Information Security News Desk)
Neohapsis Archives - Pen-Test - #0066 - Re: Sensepost Wikto vs E-Or: "In the past couple of months it became clear that these types of testing are very much related - e.g. the lines between application and server are blurring more and more. As such SensePost will be releasing an application that will combine the efforts put into Wikto, E-Or and Crowbar into a single application - this will be called the SensePost Suru WebProxy and is due for release at BlackHat Las Vegas 2006. Wikto, E-Or and Crowbar can be found at http://www.sensepost.com/research/"
Mozilla Firefox to Drop Support for SSL 2.0 - MozillaZine Talkback
SSL/TLS Strong Encryption: How-To - Apache HTTP Server, Visa USA | Business | Cardholder Information Security Program (CISP) (via The Need for Strong SSL Ciphers - Using Foundstone SSLDigger to Test SSL Security)
WebApp Sec: OWASP Penetration Test Checklist v1.1 & Security Basics: RE: PenTest Checklist - LINKS!
Hack This Site! Articles: XSS & SQL Injection, How to make an XSS keylogger, Finding XSS vulnerabilities (via XSS Examples: Tricks and tips)
Summary of my "SQL Injection and Oracle" links:
NGS Software: Security Advisories - 20/04/06: "NGSSoftware has discovered multiple critical and high risk vulnerabilities in Oracle's Database Server" & Whitepapers: "30/09/05 » Data-Mining With SQL Injection and Inference ; 26/04/05 » Stopping Automated Attack Tools; 06/02/02 » Hackproofing Oracle Application Server (A Guide to Securing Oracle 9);..." & Oracle Database Security Checklist & Oracle Security, Oracle Applications Security, SAP Security, PeopleSoft Security - Integrigy Security Resources

Wednesday, May 17, 2006

Wake Up to iBATIS, the Hibernate Alternative for Spring: "As great as Hibernate is, a lesser-known Java persistence solution called iBATIS actually may be a superior technology for your Spring development in certain situations. Find out which." (finally :-)
portlets : Message: Re: Forum portlets?: "I have not tried these, but the folks at Jahia have a few potentials... http://www.jahia.net/jahia/page571.html. They appear to have JForum (a java port of phpBB) and Jive setup as 168 servlets."
Paros Scanning Report: "SQL Injection Fingerprinting: Do not trust client side input even if there is client side validation. In general:
  • If the input string is numeric, type check it.
  • If the application uses JDBC, use PreparedStatement or CallableStatement with parameters passed by '?'
  • If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
  • If stored procedures or bind variables can be used, use them for parameter passing into the query. Do not just concatenate strings into the query in the stored procedure!
  • Do not create dynamic SQL queries by simple string concatenation.
  • Use minimum database user privilege for the application. This does not eliminate SQL injection but minimizes its damage. E.g. if the application requires reading one table only, grant only such access to the application. Avoid using 'sa' or 'db-owner'.
References:
PaulStamatiou.com » HOW TO: Boost Your Blog Traffic, Start Blogging
OWASP Guide to Building Secure Web Applications and Web Services, Chapter 9: Authentication: "Use AUTOCOMPLETE=off to prevent browsers from caching the password locally..." & Introduction to Forms: "AutoComplete Security"
0x90.org // // project()++;: "Absinthe (1.4) - A gui-based tool for Automated Blind SQL Injection of web applications.; Mezcal (1.1) - HTTP/HTTPS brute force request tool; Napkin (1.0) - Simple encoder/decoder" & Kookaburra Software: "Cookie Pal wins PC Magazine Editors' Choice Award Again!" & The Limit Software, Inc. - Home of Cookie Crusher® & CyberClean: "named a PC World Best Bet/Top Pick (Feb. '02) and an All-Star Utility (Oct. '02);" & Download websites using BlackWidow: "Internet scanning and downloading tool for the expert and the novice."
Regulator: "is an advanced, free regular expressions testing and learning tool... Regex Visualizers for Visual Studio 2005 RTM are now available for free download"
Monitoring Apache with mod_status & Apache Security - Apache httpd Tools: "I wrote a number of tools for the book, and some I am still writing." (from Apache Security book by Ivan Ristic author of ModSecurity) & Apache 2 on Windows Community :: View topic - Apache MRTG statistics available.: "a perl script that interfaces the output from mod_status with mrtg"
F-Secure: Weblog, A Day in the Life of an Information Security Investigator, SmoothWall - open source firewall ISO CD Image (all 3 via (IN)SECURE Magazine issue 1.4)
Security Scanner & Patch Management Tools Review

Tuesday, May 16, 2006

WinHTTrack download and review - offline browser from SnapFiles & Net-Square: httprint: "is a web server fingerprinting tool"
SPIKE and BURP for real world computer security usage (Part 1)
A list of open-source HTTP proxies written in python: "SPIKE Proxy is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it's completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on."
Anywhere, Anytime Storage and Retrieval with Amazon's S3: "adds to the already-long list of places for storing data—but provides the advantages of location-independent, always-available access. Build this S3 client application and perform your own storage tests."
.NET - LINQ Takes Shape in May CTP
Celestia: Home: "The free space simulation that lets you explore our universe in three dimensions." (via CoMagz-Proportions - How Small We Are | Linkadelic Magazine)
Frank Horwill: Want to get fit quickly?
[Full-disclosure] Google hacking tools - LINKS
GHH - The "Google Hack" Honeypot: "is the reaction to a new type of malicious web traffic: search engine hackers."
Foundstone, a division of McAfee, Inc.: SiteDigger 2.0: "searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites" & Google tools for automated hacking tests (via How to Google hack Windows servers) & Google hacking - Are you vulnerable?: "The Google Hacking Database [GHDB] is located at http://johnny.ihackstuff.com. More information about Google hacking can be found on: Google Hacking Mini-Guide > Basic Search Techniques... The Acunetix Web Vulnerability Scanner scans for SQL injection, Cross site scripting and many more vulnerabilities." [#5 on Google Directory - Computers > Security > Internet > Products and Tools > Security Scanners]
OSVDB: The Open Source Vulnerability Database
ONLamp.com -- Securing Web Services with mod_security & An introduction to mod_security at Atomic Playboy & Got Root : mod_security rules & mod_security rule generator
An Introduction to Security Testing with Open Source Tools > The Accidental Tester: "The first trick to learning security testing is selecting an application to help you find security bugs—without getting arrested. One such application, WebGoat, is a full J2EE web app developed and maintained by the Open Web Application Security Project (OWASP)... The second tool we'll consider is the Web Developer extension for Mozilla Firefox. For a number of reasons, Web Developer is a must-have for any web application tester, but in this article we'll just look at some of the features that help test security... WebScarab (also by OWASP) is a framework written in Java for analyzing applications that communicate using the HTTP and HTTPS protocols. WebScarab records the requests and responses that it observes, and allows you to review them in various ways. The real work is done using security testing plug-ins. At the time of this article, WebScarab had the following plug-ins available..." - START
MARC: Mailing list ARChives: "Information Security Security Tools and Advisory Lists: owasp-webscarab": 'Re: [OWASP-WEBSCARAB] SessionID Analysis' & 'Re: [OWASP-WEBSCARAB] Re: Webscarab, SessionID analysis and regexp usage' & 'jsessionid problem fix for weblogic servers' thread & dev2dev: Neil Smithline's Blog: JSESSIONID Values and Web Application Vulnerability Analysis Tools
OWASP AppSec FAQ: "The following are some tools that guess passwords of web applications: Brutus - http://www.hoobie.net/brutus/ WebCracker - http://www.securityfocus.com/tools/706... If the code replaces the special characters by the following before displaying the output, XSS can be prevented to some extent. [<, >, (, ), #, &] Gunter Ollmann has written an excellent paper on the use of special characters in XSS attacks..." & OWASP Papers: Security of Payment cards (Credit/Debit) in E-Commerce applications, Securing Enterprise Web Applications at the Source, ModSecurity for Apache, Design Review Checklist,...
Most Useful Firefox Extensions - Aviran’s Place & Tamper Data :: Mozilla Add-ons :: Add Features to Mozilla Software: "Security test web applications by modifying POST parameters." & SwitchProxy Tool :: Mozilla Add-ons :: Add Features to Mozilla Software: "lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes" & McAfee SiteAdvisor - Firefox Extension Download
Regular-Expressions.info - Regex Tutorial, Examples and Reference - Regexp Patterns

Monday, May 15, 2006

johnny.ihackstuff.com :: I'm j0hnny. I hack stuff.: "Welcome to the Google Hacking Database (GHDB)!" - PDF
Mastering OLAP Reporting: Reporting with Analysis Services KPIs
Foundstone, a division of McAfee, Inc. - SASS Tools: "Foundstone’s Software Application Security Services (SASS) services help clients define, design, develop, deploy and maintain reliable and secure software" (Hacme Books, Hacme Bank, SSLDigger,...) - START!

Sunday, May 14, 2006

Federal Publications Inc. - Ordering & TRAK Marine Ontario Lakes for Garmin® GPS: "Compatible with Garmin GPS receivers that accept background charts, they offer a high degree of detail with bathymetry and navigational information presented in degraded blue. Includes navigation, buoys, hazards, services, access and fishing spots."
sklar.com : PHP and the OWASP Top Ten Security Vulnerabilities
JavaRanch Big Moose Saloon: Security Workbench Development Environment for Java: "A major problem facing Java developers and system administrators is determining the set of Java 2 permissions an application, library, OSGi bundle or Eclipse plug-in will need at run time when security is enabled. This becomes particularly challenging when the program is large and complex. SWORD4J can be used to identify and configure the required permissions and to manage keystores and digital certificates."
ModSecurity - Portable Web Application Firewall Rule Format (PDF)
Help - Eclipse Platform: "New Features introduced in MyEclipse 4.1 GA - MyEclipse 4.1 introduces a number of new features including the following:
PMD - Products/books related to PMD: "QALab - Aggregates PMD + Checkstyle + FindBugs and tracks problems over time. XRadar - Using PMD, CPD, and lots of other projects to give measurements on standard software metrics such as package metrics and dependencies, code size and complexity, code duplications, coding violations and code-style violations..." - NICE
Google Directory - Computers > Programming > Languages > Java > Development Tools > Performance and Testing > Static Checkers: "1) PMD - Scans source code and looks for potential problems possible bugs, unused and suboptimal code, over-complicated expressions and duplicate code. [Open Source, BSD license] 2) Extended Static Checker for Java - Retrieves common programming errors at compile time that ordinarily are not detected until run time e.g. null dereference, array bounds or type cast errors and race conditions. By Compaq. (PDF) [Free for non-commercial use] 3) Lint4j - A static Java source code analyzer that detects locking and threading issues, performance and scalability problems, and checks complex contracts such as Java serialization by performing type, data flow, and lock graph analysis. [Freeware]"
Eclipse Classpath Helper Homepage

Saturday, May 13, 2006

Cgisecurity.com: Web Application Penetration Testing & A Guide to Building Secure Web Applications & CERT/CC Understanding Malicious Content Mitigation For Web Developers & Chapter 3. Hunting Applied: "Problems related to Fuzzing" & An Introduction to Security Testing with Open Source Tools > The Accidental Tester & Introduction to non functional testing & Web Application Penetration Checklist: "The files are available for download on the OWASP download page"
Adam: java Archives: "mc4j rocks - finally found the tool to chart my weblogic 8.1 ejb execution stats"
Wikto - Web Server Assessment Tool download (via How to Break Web Software : Functional and Security Testing of Web Applications and Web Services book)
Paros Proxy 3.2.11 Released - MITM HTTP and HTTPS Proxy »: "One of my favourite proxy options, along side the Burp Proxy (evolved into Burp Suite)."
ModSecurity (mod_security) - Open Source Web Application Firewall: "intrusion detection and prevention engine for web applications" & Got Root : mod_security rules: "How to download/setup/install/configure and use these rules" & Got Root : About mod_security rules: "Simply put, a web application firewall analyzes the connections to your web application to make sure they don't contain attacks, viruses, worms or violate certain rules about normal or acceptable behavior for your web application(s). Our rules protect against all of that, and more, such as SQL injection protection, URI formatting protection, meta and null character filtering, path recursion attack protection, buffer and heap overflow defenses, remote file inclusion attack prevention and many many others. This helps to protect your web server, applications, database or anything else your web application(s) have potential access to from attack." & ModSecurity - ModSecurity Rules & ONLamp.com -- What's New in ModSecurity: "Two years ago, almost to the day, O'Reilly Network published my first article, Introducing ModSecurity."
(IN)SECURE Magazine: "a freely available digital security magazine discussing some of the hottest information security topics." (ISSUE 1.6 - March 2006)
Stinger: "How to Build an HTTP Request Validation Engine for Your J2EE Application" & XOM: "XML object model"
ONJava.com -- Java vs. .NET Security, Part 4
Recommended PHP reading list: "Security: PHP enables you to build functional applications quickly. This can lead to inadequate error handling and input verification. Consider these common pitfalls before deploying your site: o Auditing PHP, Part 1 - Chances are that at some point, you've had a concern about the security of a PHP application. When faced with an auditing task, do you know what to look for? This series walks you through PHP and helps you understand it enough to know what to look for when conducting a security audit. Part 1 walks you through understanding the register_globals setting. o PHP Security Consortium - The PHP Security Consortium (PHPSC) is a group of PHP experts who promote best practices for secure PHP development. The PHPSC site contains articles, a PHP security guide, and weekly summaries of PHP security issues. o Top 7 PHP Security Blunders - Pax Dickinson addresses seven common security issues and how to mitigate the risk in your code. o PHP Security Audit HOWTO - Read this talk given by Chris Shiflett to help you analyze your PHP applications for security holes."

Friday, May 12, 2006

developerWorks : WebSphere : Forums : OpenLDAP and WebSphere Portal: "this link tells about one successful configuration..."
Hello World, Part 1: Rational Software Architect
Asterisk FWD NAT Config Example - voip-info.org
Welcome to Truestar Health!: "NUTRITION | EXERCISE | VITAMINS | ATTITUDE | SLEEP"
Jeff Williams: "Jeff is also the chairman of the non-profit OWASP Foundation (Open Web Application Security Project). With dozens of projects and over 60 chapters around the world, OWASP's mission is to find and fight the causes of insecure applications. Jeff is the primary author of the OWASP Top Ten Web vulnerabilities and the OWASP Secure Software Development Contract Annex, and he leads several OWASP projects:

Thursday, May 11, 2006

Lint4j Overview - Lint4j: "a static Java source and byte code analyzer that detects locking and threading issues, performance and scalability problems, and checks complex contracts such as Java serialization by performing type, data flow, and lock graph analysis."
Nerd Vittles » The Next Frontier: Introducing Asterisk@Home 2.8 and freePBX & Nerd Vittles » Introducing Flite: A Voice Synthesis System That Really Works With Asterisk@Home
Polly Glotto Translates and Reads Translations -- ResearchBuzz: "Oh, this is really cute. An animated talking language translator. It's a mashup between Google Translate and SitePal. Polly Glotto is available at http://www.pollyglotto.com/."
SQL Injection Attacks by Example & Data Security: Stop SQL Injection Attacks Before They Stop You -- MSDN Magazine, September 2004 & Updated SQL Injection & SQL Injection Attacks - Parameterized Queries - Regular Expressions - ASP.NET Security Best Practices: Preventing SQL Injection Attacks: "1. Use parameterized queries or stored procedures to access a database as opposed to using string concatenation. 2. Limit the amount of characters in input fields (e.g. username and password fields) to a proper amount. (MaxLength = ??) 3. Validate text input for improper characters ( like ' ). For ASP.NET you would use RequiredFieldValidator and RegularExpressionValidator. 4. Do not display errors to the user that contain all kinds of wonderful hacking information like table names, fields, database drivers, sql statements, etc." & Chris Taylor : SQL Injection - Are parameterized queries safe? & Advanced SQL Injection In SQL Server Applications (PDF) & Advanced SQL Injection in Oracle databases (PDF #1 & PDF #2) & Detecting SQL Injection in Oracle: Protection is better than detection: "Some solutions for protecting against SQL injection were given in the previous papers but for completeness a few of the main ideas are included here again: * Do not use dynamic SQL that uses concatenation. If it is absolutely necessary then filter the input carefully. * If possible do not use dynamic PL/SQL anywhere in an application. Find another solution. If dynamic PL/SQL is necessary then use bind variables. * Use AUTHID CURRENT_USER in PL/SQL so that it runs as the current user and not the owner. * Use least privilege principle and allow only the privileges necessary..." & Hakin9 - Hard Core IT Security Magazine: "Validation filters that only prohibit single quote characters (or some small set of characters) might prevent full exploitation of a vulnerability, but such filters are often inadequate. They may simply obscure more fundamental problems with the application's database connection architecture."
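The four-point prevention list quoted above, as an added example (not code from any of the cited articles) in Python against a constructed in-memory SQLite table: the concatenated login query beside the validated, parameterized one, plus a wrapper that keeps driver errors out of the user-facing response. The table, user names and limits are all assumed for the demo.

```python
import re
import sqlite3


def make_db():
    """Constructed demo table; passwords are plaintext only to keep the demo short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_concat(db, username, password):
    """What point 1 warns against: the query text is built by concatenation,
    so a quote in either field changes the SQL the database sees."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


# Points 2 and 3: bound the length and restrict the character set of the
# username before it reaches the database (assumed policy for the demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
MAX_PASSWORD_LEN = 128


def login_param(db, username, password):
    """Point 1 done right: validate, then bind values as parameters.
    The driver never interprets the values as SQL text."""
    if not USERNAME_RE.match(username) or len(password) > MAX_PASSWORD_LEN:
        return False
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def login(db, username, password):
    """Point 4: a driver error becomes a generic failure, never a message
    carrying table names or SQL text; details belong in a server-side log."""
    try:
        return login_param(db, username, password)
    except sqlite3.Error:
        return False
```

Run both login functions with a single quote in the password field to see the difference: the concatenated version matches a row it should not, the parameterized one simply fails the login.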
Neohapsis Archives - Pen-Test - #0237 - RE: Web Application Tester: "If it takes one week to manually inspect an application with nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for the 'grunt' work plus 2 days for the manual refinement, the 4 days I gain are worth more than the ~1,000 dollars I have to spend for a 7-days Appscan license. In the end, I usually prefer to use Paros (free tool), but I think that in some situations AppScan/WebInspect can be at least worth a look, even if their price makes them look unprofitable at first sight." & Neohapsis Archives - Pen-Test - #0245 - Re: Web Application Tester: "There is a paper from BlackHat which showed that automatic scanning solves half a problem. It's a must for any tester to dig into the web application to analyse it manually."
Apache Shale Takes JavaServer Faces to the Next Level: "the newest sibling of the Struts framework, leverages JavaServer Faces to enable componentized presentation-tier development. Get started with Shale's Dialog Manager, Validations, and JNDI services."
Hack Attack: Using Windows Scheduled Tasks - Lifehacker
Five 17" Media Center Notebooks Compared: Which Is Best? | MobilityGuru

Wednesday, May 10, 2006

Enterprise .NET Community: Designing Service Contracts with WCF & Making WCF extensible
Channel 9: ARCast with Ron Jacobs (via Enterprise .NET Community: SOA patterns in .NET): "ARCast is an ongoing podcast series created by the Microsoft Architect Strategy Team with the goal of spawning insightful, enlightening and sometimes contentious conversations about the hottest topics in Architecture today. Each new series will host five Architects from the community, both internal Microsoft and external folks. Panelists are free to discuss their own personal opinions about the topics and drive conversation to an open forum built for discussion and persuasion."

Tuesday, May 09, 2006

Introduction to Kismet: "Earlier this month we looked at NetStumbler, an application for surveying wireless networks. While NetStumbler is the most popular tool of its kind for Windows machines, users of Linux, BSD and Mac OS X have Kismet, a roughly analogous – though some would say more thorough – utility for discovering wireless networks."

Monday, May 08, 2006

Create Reports from Any Data Source Using SQL Server Reporting Services Custom Data Extensions
Parosproxy.org - for web application security assessment: "We wrote a program called 'Paros' for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified." (via Paranoid Penguin - Seven Top Security Tools | Linux Journal) & CERT-In:Indian Computer Emergency Response Team - SECURITY TOOLs: "Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection." (IMMUNITY : Knowing You're Secure) & Neohapsis Archives - Pen-Test - #0226 - RE: Web Application Tester: "According to my previous search on a Web pen-test tools, AppScan, WebInspect and Scando are all much more expensive than AppDetective. If cost is a concern, it might be possible to combine a selection of free tools such as: Nessus - Nikto - WebScarab - Achilles. But this would involve a lot of Manual works." & Neohapsis Archives - Pen-Test - #0229 - Re: Web Application Tester: "His list looks similar to mine: firefox + switchproxy, livehttpheaders, googlebar, others = ^^" & Exodus - a web application review tool: "Comparison of various proxy-based HTTP security tools" - START
15 Seconds : Visual Studio 2005 Hands-On Tutorial - Part 2
ResearchBuzz: Yahoo Starts Up Yahoo Babelfish
vvdiff - Recursive Diff Script For ClearCase: "The vvdiff script comes in bash and perl versions. Both versions use the excellent diff'ing tool (xxdiff), with ClearCase." & xxdiff: Graphical File And Directories Comparator And Merge Tool & Helper Scripts for xxdiff
ClearCase CheatSheet & IBM - How to list all view-private files in a dynamic view & IBM - Listing view private files in snapshot view: "Because the command cleartool lsprivate is not usable in a snapshot view, you must use an alternative method for finding view-private files: cleartool ls -recurse -view_only" & IBM - How do I determine -- in a trigger -- if the current view is a snapshot view? & ClearCase: The ten best scripts - TIPS
IBM Redbooks | Software Configuration Management: A Clear Case for IBM Rational ClearCase and ClearQuest UCM (PDF) & Using mainline projects and composite baselines to manage large-scale J2EE development with IBM Rational ClearCase

Sunday, May 07, 2006

ONJava.com: Configuration Management in Java EE Applications Using Subversion: "JavaSVN is a pure-Java Subversion client library. It offers APIs for Java applications to interact with Subversion. JavaSVN offers low-level APIs that can directly interact with a repository or high-level APIs to manage working copies checked out from a repository."
ThinkingPHP » An Ajax file upload progressbar: "My solution consists of a bunch of JS, a CakePHP component and the modified Perl script from Uber Uploader."

Saturday, May 06, 2006

GMapViewer - Unauthorized J2ME Google Maps viewer: "Update [2005-11-07]: There haven't been any updates here in many months. I've moved on to other things, so there won't be any more updates to GMapViewer here. If you find GMapViewer is not to your liking, Mobile GMaps is a similar but unrelated project. Also, Google now has their own J2ME-based client, Google Local for mobile." & Google Maps: "To download, visit www.google.com/gmm on your mobile phone's web browser." & Mobile GMaps - Google Maps, Yahoo! Maps and Windows Live Local on your mobile phone!: "Mobile GMaps is a FREE application that displays Google Maps, Yahoo! Maps, Windows Live Local (MSN Virtual Earth) and Ask.com Maps and satellite imagery on Java J2ME-enabled mobile phones, PDAs and other devices." & Google Maps on Treo 650 & J2MEMAP: "a small interface to GoogleMap"
Opera on the Pocket PC - a setup tutorial & quick review - Aximsite
Smartphone & Pocket PC Magazine Expert: Werner "Menneisyys" Ruotsalainen - Java Midlets on the Pocket PC - the Complete Tutorial - NICE

Friday, May 05, 2006

The OpenOffice.org Newsletter: OpenDocument Format now an ISO 26300 standard
eBay Developers Program: Cool Alerts For Your Phone: "The UnWired Buyer service, which is currently available for free, calls your cell phone whenever there is an item on your watch list that is ending in three minutes. You can get the current price of the item, and you can check the status of an existing bid, but here is the killer feature: you can actually bid from your phone, using the phone’s keypad." & eBay Developers Program: Cool eBay Info from your Phone: Mpire Researcher Mobile: "allows users to access data about items sold on eBay from anywhere by using their web-enabled mobile phone. The general idea is to enable eBay buyers and eBay sellers to use historical market data from millions of eBay listings to make better buying and selling decisions. eBay buyers can find out useful data, such as Average Selling Price and % sold. eBay sellers can use the service for recommendations on how to price their items and which listing upgrades have worked best in the past."
JAP -- ANONYMITY & PRIVACY (via eConsultant : Web 2.0 Directory, Technical Tips and Lists)
Upgrading to Drupal 4.7 | Lullabot: "And you want to be cool, right, and be able to say “Well my site does podcasting and AJAX”. That’s what you get with Drupal 4.7 : buzzword compliance and geek notoriety"
Blogging Roller: RSS and Atom in Action: new release of Blogapps examples and server

Thursday, May 04, 2006

OWASP Top Ten: "provides a minimum standard for web application security."

Monday, May 01, 2006

Finding Bugs is Easy (via FindBugs Documents and Publications)
Artho Software - Jlint: "will check your Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph." (PDF) & New Jlint download page
Mini-review of Java Bug Finders - O'Reilly Digital Media Blog (via A Comparison of Bug Finding Tools for Java - PDF)
Integrating existing maven project in Eclipse WTP.
When Maven encounters Eclipse (PDF) & Exploiting Maven in Eclipse
Eclipse Profiler Plugin (via A day in the life of a memory leak hunter (via JRocket Newsgroup))
BEA: Investigating JVM Crashing with No Core Dump
Maven - Maven 2.x Plug-in for Eclipse & Running Maven From Eclipse - Mevenide for Eclipse Navigation
To start using WebLogic Ant tasks from Eclipse, combine the information from the article Building and Deploying Applications with Ant ("Before we can start, we need to set up the environment. Ant is included in WebLogic.") with my old Tomcat-related weblog entry: "If you'd rather use Eclipse's built-in Ant, you'll need to add junit.jar to its classpath. To do this, go to Window → Preferences → Ant → Runtime. Then click the "Add JARs" button and select junit.jar from appfuse/lib/junit3.8.1/lib/junit.jar. Click OK until you arrive back at the workbench view. Next, add the catalina-ant.jar"