
ASP.NET 2.0 Worse Off Against XSS Than ASP.NET 1.1

April 25th, 2008 Anthony Towry

Michael Eddington recently posted some interesting information on the differences in request validation between ASP.NET 1.1 and ASP.NET 2.0. Beyond the details he posts, which are good to know, I think this raises a broader point.

I can't stress this enough: do not rely on framework built-ins for your security. It's easy for developers to slide into depending on framework features. Don't do it. Practice defense in depth and do your own input validation and output encoding in addition to whatever your framework of choice offers.
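As an added illustration of that advice (example code written for this page, not from the post or from Michael Eddington), here is a small ASP.NET 2.0 page that does not depend on ValidateRequest at all: it allow-lists the one parameter it accepts and encodes it at the point of output. The `name` query-string parameter, the `Greeting` page class, and the display-name pattern are assumptions made for the example.

```csharp
// Added example, not from the original post. Assumes ASP.NET 2.0 (System.Web)
// and a hypothetical page that greets the visitor by a "name" query-string value.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class UntrustedInput
{
    // Allow-list validation: accept only what the field legitimately needs,
    // instead of trying to spot "dangerous" input the way request validation does.
    private static readonly Regex DisplayName =
        new Regex(@"^[A-Za-z0-9 .'-]{1,40}$", RegexOptions.Compiled);

    public static bool IsValidDisplayName(string value)
    {
        return value != null && DisplayName.IsMatch(value);
    }

    // Output encoding for an HTML text context. This is the control that actually
    // prevents reflected XSS, whether or not the framework let the request through.
    public static string ToHtmlText(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Attribute context uses attribute encoding; the value must be placed inside
    // a quoted attribute for this to be sufficient.
    public static string ToHtmlAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }
}

public partial class Greeting : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.QueryString["name"];   // hypothetical parameter

        if (!UntrustedInput.IsValidDisplayName(name))
        {
            // Reject rather than attempt to "clean" the value.
            Response.StatusCode = 400;
            Response.Write("Invalid name.");
            Response.End();
            return;
        }

        // Encode at the point of output even though validation passed:
        // validation and encoding are separate layers, not substitutes.
        Response.Write("<p>Hello, " + UntrustedInput.ToHtmlText(name) + "</p>");
        Response.Write("<input name=\"name\" value=\""
            + UntrustedInput.ToHtmlAttribute(name) + "\" />");
    }
}
```

The point of the two separate layers is that a change in the framework's request validation (such as the 1.1 vs. 2.0 difference in the post) leaves this page's behaviour unchanged: the allow-list decides what is accepted, and the encoder decides how it is rendered.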

Thanks Michael.

Posted in Programming, Security, Web development | No Comments »

Open Source Fuzzing Tools by Noam Rathaus and Gadi Evron

April 21st, 2008 Anthony Towry


This weekend I finished the Syngress Publishing book Open Source Fuzzing Tools. The book didn't take long. Part of the reason is that there really isn't a ton of technical information in the book to keep the reader busy with lab exercises. It's not completely devoid of detailed fuzzer usage, but it's not wall-to-wall "let's go break some software" either.

Posted in Uncategorized | No Comments »

Race to Zero Contest @ DEFCON 16

April 20th, 2008 Anthony Towry

A new contest is making its way to Defcon 16 this year. The contest, titled "Race to Zero", challenges reversers and malcode analysts to modify viruses and malware to see if they can slip them past several scanning engines. The contest's website racetozero.net has tips on setting up a proper participant environment for analyzing the beasties.

This looks like a very cool contest for taking a look at how malware is identified by popular scanning engines. I'm already getting stoked.

Posted in Uncategorized | No Comments »

Oklahoma Leaks Social Security Numbers

April 16th, 2008 Anthony Towry

A recent post to thedailywtf.com details a long running hole in an Oklahoma Department of Corrections web application. It appears that their Sexual and Violent Offender registry was wide open to SQL injection via a specially crafted query string.

Now, SQL injection can get pretty damn creative, but come on, this is 2008. There's no reason to be open to this class of vulnerability. Shouldn't we be past creating dynamic SQL queries? So let's say you're nutso bongo enough to be creating dynamic SQL, these guys aren't even making the attacker interact with the form to discover the hole. It's a security through obscurity thing for sure (and as such just one shade of crap less offensive), but being on the hit list by way of a Google dork is just sad.

Developers don't all have to be security experts, but an understanding of the OWASP top 10 isn't too much to ask. Get out there, parameterize those queries, sanitize input and make sure that data stays data and doesn't suddenly make the jump to code!
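To make "parameterize those queries" concrete, here is an added example (written for this page, not taken from the post or from the Oklahoma application) showing the dynamic-SQL pattern the post complains about next to its parameterized replacement. The `Offenders` table, its columns and the connection string are placeholders assumed for the example.

```csharp
// Added example, not from the original post. Assumes .NET 2.0 with
// System.Data.SqlClient and a placeholder table Offenders(Id, LastName).
using System;
using System.Data;
using System.Data.SqlClient;

public static class OffenderLookup
{
    // The pattern the post warns about: user input is spliced into the SQL text,
    // so the input can change the statement instead of merely supplying a value.
    // Shown only as the "before"; do not use.
    public static string BuildDynamicSql(string lastName)
    {
        return "SELECT Id, LastName FROM Offenders WHERE LastName = '" + lastName + "'";
    }

    // Parameterized replacement: the SQL text is fixed at compile time and the
    // value travels separately as a typed parameter, so data stays data.
    public static DataTable FindByLastName(string connectionString, string lastName)
    {
        const string sql = "SELECT Id, LastName FROM Offenders WHERE LastName = @lastName";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length also bounds what the caller can send.
            SqlParameter p = cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50);
            p.Value = lastName ?? (object)DBNull.Value;

            conn.Open();
            DataTable result = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

With the parameterized version, a last name containing a quote character is simply a last name containing a quote character; there is no escaping logic to get wrong, and input validation on top of it is a second layer rather than the only one.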

  • Bruce Schneier and his audience weigh in on the incident

Posted in Uncategorized | No Comments »

Fingerprinting WordPress

April 13th, 2008 Anthony Towry

Some of you may know that I'm currently working on a fingerprinting application that will attempt to expose the variety of frameworks and libraries used by a given web app. The only thing I've seen out there up to this point is Net-Square's ajaxfinger, which is a quick little regex matcher for known filenames.

Posted in Projects | No Comments »

Back From the Heroes Happen Here Launch Event

April 8th, 2008 Anthony Towry

Yesterday I attended the mini-launch put on by the Oklahoma City Developer's Group and several sponsors. It was held out at Francis Tuttle Technology Center with an excellent showing of local .Net talent.

Posted in Community, Programming | No Comments »
