Security Basics mailing list archives

Re: checking web applications for exploits


From: Madhur Ahuja <ahuja.madhur () gmail com>
Date: Mon, 25 Jul 2011 20:58:18 +0530

* Make sure you have captcha for the registration form.
* For the login form, make sure you lock the password after some
attempts, otherwise it can be hacked using brute forcing tools such as
Hydra.

Madhur


On Mon, Jul 25, 2011 at 5:10 AM, Littlefield, Tyler <tyler () tysdomain com> wrote:

Hello all:
I'm working on a web application that is the registration and management frontend for a database-driven game. I've 
created the registration script, and I am on to my login script, but I want to know what sort of exploits and 
security problems exist for my current setup. I don't have a huge base, but I'd like to be able to pin these down 
and fix them as soon as possible. Is there a way to test these? What sorts of things do I need to look out for in 
terms of sessions and the like? I do not know much about security for web applications, so I am worried that I may 
have left something open that can be used to make a huge mess.
Essentially my security looks like this. I created the user and the database, and I did not give the user a whole 
ton of privileges; I add those as-needed. Each input to the web form is validated based on length and a couple other 
factors depending on the data being inputted, and -anything- going to the database goes through this function before 
it gets validated.
function CleanupInput($input)
{
   return  mysql_escape_string(addslashes($input));
}
Any other thoughts?

--

Take care,
Ty
my website:
http://tds-solutions.net
my blog:
http://tds-solutions.net/blog
skype: st8amnd127
My programs don't have bugs; they're randomly added features!
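An added example (not code from this thread) of the lockout Madhur recommends, written in PHP since that is what the original poster is using: a login routine that counts failed attempts per account and refuses logins for a fixed window once the threshold is reached. It uses PDO prepared statements and password_verify() instead of an escaping wrapper. The users table columns, the thresholds and the helper name are assumptions.

```php
<?php
// Added example, not from the thread. Assumed (hypothetical) schema:
//   users(id, username, password_hash, failed_attempts, locked_until)
// Caller must have run session_start() and created the PDO handle.
const MAX_ATTEMPTS = 5;    // failures allowed before the account locks
const LOCK_SECONDS = 900;  // lock window: 15 minutes

function attemptLogin(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never spliced into SQL,
    // so no escaping function is needed (or wanted) here.
    $stmt = $db->prepare(
        'SELECT id, password_hash, failed_attempts, locked_until
           FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;  // unknown user: same response as a bad password
    }

    // Still inside a lock window: refuse without checking the password,
    // so a guessing tool gets nothing back even if it hits the right one.
    if ($user['locked_until'] !== null && strtotime($user['locked_until']) > time()) {
        return false;
    }

    if (password_verify($password, $user['password_hash'])) {
        // Success: clear the counter and any lock, then rotate the session id
        // so a session fixed before login cannot be reused afterwards.
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL
                        WHERE id = :id')
           ->execute([':id' => $user['id']]);
        session_regenerate_id(true);
        $_SESSION['user_id'] = $user['id'];
        return true;
    }

    // Failure: bump the counter; once it reaches the threshold, lock the
    // account until the window expires (a later successful login resets it).
    $failures = (int) $user['failed_attempts'] + 1;
    $lockedUntil = $failures >= MAX_ATTEMPTS
        ? date('Y-m-d H:i:s', time() + LOCK_SECONDS)
        : null;
    $db->prepare('UPDATE users SET failed_attempts = :f, locked_until = :l
                    WHERE id = :id')
       ->execute([':f' => $failures, ':l' => $lockedUntil, ':id' => $user['id']]);
    return false;
}
```

The lock is time-limited rather than permanent so an attacker cannot lock legitimate users out indefinitely just by guessing against their names; log the lockouts so repeated ones are visible.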


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


