PUBLIC MARKS from mbertier with tags webdev & security

2008

Jeremiah Grossman: New Flash XSS technique (thousands of websites at risk)

- Move Flash files to a secondary domain – just as is recommended with all third-party / user generated / untrusted content. This solution has promise as it sets up some domain barriers in the event a vulnerable Flash file shows up linked from your website.

2007

PHPIDS » Web Application Security 2.0 » Index

by 1 other
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

0x000000 ◊ The Hacker Webzine

I've talked about CSRF before, but this time I wanted to show some of the underlying basics of it and explain why it isn't a new trick or something special. It is part of browsers and the way HTTP works, and also removes any argument that POST should be safer than GET. I know this is Internet basics, but it can still be refreshing to read it over from time to time.

XSS (Cross Site Scripting) Cheat Sheet

by 17 others
This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion.

Dangers of CSRF and XSS / Articles / Community

by 1 other
In this article, we will show you how CSRF and XSS work and how to defend against them. To dispel the myths about these attacks, I will assume the role of a hacker and show how the supposedly harmless injection of tiny bits of HTML can perform amazing things, from stealing the user's identity to a completely transparent rewrite of site content.

ha.ckers.org web application security lab - Archive » Web Application Security Blogs

I’ve had a number of people over the last year or so ask me what good sites are out there for people to learn about web application security.

2006

BindShell.Net: BeEF

BeEF is the browser exploitation framework. Its purpose in life is to provide an easily integrable framework to demonstrate the impact of browser and cross-site scripting (XSS) issues in real time.

Oedipus Web Scanner Project

Oedipus is an open source web application security analysis and testing suite written in Ruby. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities.

2005

Web Application Security Reviews | PHP Everywhere

by 2 others
After a while, the requirements are pretty similar, but to pass our first audit wasn't easy. Here's a sampling of what is required
