Security auditing dissertation

Web applications

I have always been interested in web security since web applications offer a big attack surface and I am personally fascinated by the creativity and passion the attackers show.
Therefore you will read much more about security on this blog in the near future. ;-)

Yesterday I visited a dissertation arranged by the Java User Group Karlsruhe in the building of the University of Karlsruhe. Software Architect Patrick Schemitz from Netpioneer GmbH talked about Web Application Security Auditing.

Here are my notes:

  • In the case of non-targeted attacks, your server or application does not have to be absolutely secure, just more secure than the others. ;-)
  • The German Federal Ministry has defined an interesting security layer model (PDF, German).
  • Parallel to this layer model runs a layer model of responsibility: from IT operations through software developers to the end user.
  • Techniques

    1. Server

      • SQL injection
      • Code injection (buffer overflow)
      • SMTP injection
    2. Client

      • Cross-site scripting (XSS)
      • Session hijacking
      • Session riding (CSRF)
  • Demos

    1. Server

      • PHP: register_globals, eval()
      • Perl: system()
      • SQL: a second query is smuggled into the first one, and the rest of the original query is disabled with a SQL comment (`--`)
    2. Client

      • Reflected XSS: manipulate input through the URL to poison the HTML the server sends back
      • Persistent XSS: manipulate input that is stored on the server and delivered to every visitor of the page
      • Session hijacking when the session ID is carried in the URL (it leaks via Referer headers, bookmarks and logs)
  • Counteractions

    1. Do not trust user input.
    2. Filter or encode input differently for each sink: parameterize it for the database, HTML-escape it for the frontend.
    3. Avoid eval() and system().
    4. Search the webserver's document root for dangerous files (backups with a different file extension, test files, etc.).
    5. Automated security analysis tools find only a small share of the holes; manual auditing is still needed.
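The SQL demo and counteractions 1 to 3, worked through as an added example. This is my own illustration, not code from the talk or from Netpioneer; it uses Python with an in-memory sqlite3 database instead of the PHP/Perl/MySQL of the demos, and the `users` table, its rows and the `login_*`/`render_greeting` functions are constructed for this example. The vulnerable login concatenates the user name into the SQL text, so the input `alice' --` closes the string literal and comments out the password check; the safe variant hands the same input to the driver as a bound parameter, and the frontend escapes the name separately because the database and the HTML page need different filtering.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: user input is pasted into the SQL text.

    With name = "alice' --" the statement becomes
        SELECT name FROM users WHERE name = 'alice' --' AND password = '...'
    and everything after `--` is a SQL comment, so the password is never checked.
    """
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def render_greeting(name):
    """Frontend sink: the same value needs HTML escaping, not SQL quoting."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # ['alice']
    print("safe:      ", login_safe(db, payload, "wrong"))         # []
    print(render_greeting("<script>alert(1)</script>"))
```

Note that sqlite3's `execute()` refuses stacked statements, so the "second query" half of the demo only works against drivers that run several statements per call; the comment trick alone is enough to bypass the check here.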

qooxdoo 0.8-alpha2 released

qooxdoo

Yesterday we released qooxdoo 0.8-alpha2. This is another important step toward the 0.8 final. The release does not offer many new features (most of the new features are ported widgets), but polished and improved APIs instead.
My personal favourites are the newly introduced sub-control handling and state inheritance. You can see the latter in action in the Spinner demo inside the demobrowser: if you toggle the button labeled "Custom style", the Spinner's child widgets inherit the state from their parent and get styled as defined in the theme.

Be sure to read the release notes for details.
Happy coding. :-)

Hidden browser gems – Part II: Searchable list for JavaScript files in open document

Hidden Browser Gems

Today's hidden gem is a little extraordinary: it is not about a browser technique, and it is only available in Firefox with the Firebug extension installed. But I expect my target audience to have Firefox as their bread-and-butter tool (thanks for this phrase, Thomas ;-)), fully loaded with extensions and custom settings...

The gem is a searchable list which contains all JavaScript files used in the current document. This is perfect if you need to set or modify breakpoints or just want a quick overview of the scripts used in the page. If you are dealing with a large number of JavaScript files, this list is absolutely useless, and it gets worse if you are dealing with long paths. And here the searchable feature comes into play: just start typing in the open list and only matching file names are shown.

[Screenshot: JavaScript files used in the current document]
[Screenshot: JavaScript file names containing "queue"]

