PUBLIC MARKS from mbertier with tag security

February 2008

Gnu Privacy Guard tutorial, part 1 || kuro5hin.org

This article will be a tutorial overview of using Gnu Privacy Guard to generate your own public keys. It will also discuss some of the principles of public key systems.

Automated security updates in Debian « N0T a Blog

Subscribing to the security mailing lists is a must for every sysadmin, but who has the stamina and the determination to actually read them, and then analyze the impact of both the threat and the proposed fix? A more casual user with no life-or-death-critical servers would happily settle for a solution that would download and install the security patches automatically. As always in Linux, there is more than one way of achieving this. cron-apt works for me.

SignServer 3.0 - Home

The SignServer is an application framework performing cryptographic operations for other applications. It's intended to be used in environments where keys are supposed to be protected in hardware but it isn't possible to connect such hardware to existing enterprise applications, or where the operations are considered extra sensitive so the hardware has to be protected more carefully. Another usage is to provide a simplified method to provide signatures in different applications managed from one location in the company.

January 2008

Welcome to REMO | REMO - Rule Editor for ModSecurity

This is a project to build a graphical rule editor for ModSecurity with a positive/whitelist approach.

Jeremiah Grossman: New Flash XSS technique (thousands of websites at risk)

- Move Flash files to a secondary domain – just as is recommended with all third-party / user generated / untrusted content. This solution has promise as it sets up some domain barriers in the event a vulnerable Flash file shows up linked from your website.

December 2007

Suhosin 0.9.21 - XSS Protection - PHP Security Blog

It has been a very long time since the last Suhosin extension has been released, but today this has changed with the release of Suhosin 0.9.21. Among the changes are two new features that will protect applications that put too much trust into the SERVER variables from several XSS (and SQL injection) attacks. These features are suhosin.server.strip and suhosin.server.encode.

September 2007

PHPIDS » Web Application Security 2.0 » Index

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

August 2007

GreenSQL - Open Source Database Firewall Solution

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works in a proxy mode and has built-in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

The Usability of Passwords - Baekdal.com

Passwords can be made both highly secure and user-friendly.

July 2007

Chris Shiflett: CSRF Redirector

It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

XSS post forwarder

This page is meant to enable people to easily showcase XSS flaws that use POST instead of GET. By linking to this page and providing GETed variables this page will build a form as specified which lets you show users the XSS flaw.

0x000000 ◊ The Hacker Webzine

I've talked about CSRF before, but this time I wanted to show some of the underlying basics of it and explain why it isn't a new trick or something special. It is part of browsers and the way HTTP works, also to remove any argument that POST should be safer than GET. I know this is Internet basics, but it still can be refreshing to read it over from time to time.

June 2007

XSS (Cross Site Scripting) Cheat Sheet

This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

HTML Purifier - Filter your HTML the standards-compliant way!

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

March 2007

Beginner's guide to OpenID phishing

OpenID is a web-based, distributed authentication protocol set to become a standard way of signing in to websites. OpenID enables you to keep control over your own identity by separating identity 'providers' and 'consumers'. You register your 'identity' or 'account' at a single OpenID provider and then you have instant access to a vast array of service providers that are OpenID consumers. However, with great power comes great responsibility. OpenID is highly susceptible to phishing attacks unless proper counter-measures are taken by the providers. We will demonstrate how to do a very simple phishing attack that already works for most OpenID providers. We will also give some possible (non-)solutions to the problem.

Dangers of CSRF and XSS / Articles / Community

In this article, we will show you how CSRF and XSS work and how to defend against them. To dispel the myths about these attacks, I will assume the role of a hacker and show how the supposedly harmless injection of tiny bits of HTML can perform amazing things, from stealing the user's identity to a completely transparent rewrite of site content.

February 2007

ha.ckers.org web application security lab - Archive » Web Application Security Blogs

I’ve had a number of people over the last year or so ask me what good sites are out there for people to learn about web application security.

January 2007

MySQL: Storing Passwords in MySQL

Securing plain text passwords in MySQL is NEVER a good idea. As a DBA you should take great care in protecting the users' information. Fortunately MySQL provides you with several options to protect passwords.

December 2006

BindShell.Net: BeEF

BeEF is the browser exploitation framework. Its purpose in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting (XSS) issues in real time.

October 2006

opensso: Home

Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers.

PHP Security Consortium: PHPSecInfo

The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Checklist for Securing PHP Configuration | Ayman Hourieh's Blog

Inside is a checklist of settings that are intended to harden the default PHP installation.

Fail2ban against brute-force attacks - JujuSeb à la recherche de Linux

The default configuration is sufficient to protect against brute-force attacks, and that is in fact Fail2ban's strength.
