Re: Application Security Hacking Videos

[pagvac <unknown.pentester () gmail com>]

Another example of input validation being implemented *only* on the
client side!!

Modifying client-side source code is cool when you don't have any
additional software installed on your machine, but I still like MITM
proxies better since you can modify HTTP requests before they get to
the server, hence bypassing all client-side restrictions.

Keep the videos coming dude! :-D

On 5/27/06, Joel R. Helgeson <joel () helgeson com> wrote:
> Mr. King,
> On the contrary, I am not trying to besmirch Microsoft. I want people to
> understand that the Microsoft SQL video is proof positive that the Web
> Applications MUST provide the protection to the database and all back end
> services.  If your web application wasn't written to protect the back end,
> then it is facilitating the attack on the back end.  At which point, you
> have two choices, re-write the web application or put an application
> firewall in front of it.
>
> I have made the video's and my website content available to all so that
> everyone, including management and non-technical people can better
> understand and appreciate these vulnerabilities, especially how easy they
> are to discover and to exploit.
>
> Yes, I was hired to do a security audit for the college, part of which
> included the web server security assessment.
> I performed the web assessment on day 1 of the audit, I showed the video to
> the college on day two, and by lunch time we had installed the WebScurity
> web application firewall and it is protecting the site to this day. They
> have agreed to be a reference for both Appiant and WebScurity.
>
> Joel
> ----- Original Message -----
> From: "Dave King" <davefd () davewking com>
> To: <full-disclosure () lists grok org uk>
> Sent: Saturday, May 27, 2006 12:14 PM
> Subject: Re: [Full-disclosure] Application Security Hacking Videos
>
>
> > I'm not sure what the clips from Microsoft are trying to show. To me it
> > seems like they're intended to show that microsoft doesn't have a good
> > fix for the problem at hand. From what I gathered from the training they
> > were trying to show some ways to seriously lock down a SQL Server 2000,
> > which would help mitigate some risks, while causing some usability
> > problems. Microsoft has been an advocate of strong server side input
> > validation (ASP.Net even has some nice features to help you with this).
> > The video was just showing another layer in a good layered security
> > approach.
> >
> > Lastly, I'm of the opinion that ticks should be allowed in a password. I
> > don't like restricting characters in a password. However best practices
> > should be followed. If for example, in the video the college had been
> > storing the password as a secure hash, then hashing the password that
> > was input and comparing them (preferably using a stored proc to do the
> > sql stuff), then the attack would have failed.
> >
> > Dave King
> >
> > http://www.thesecure.net
> > http://www.remotecheckup.com
> >
> >
> >
> > Joel R. Helgeson wrote:
> >> With college campuses being hacked into on a seemingly daily basis,
> >> and student information being stolen and used for Identity Theft; I
> >> thought you might like to see how the hacks are being done, and how
> >> astoundingly easy they are. I have produced a video of a security
> >> audit I performed on a local college website that shows how easy these
> >> exploits are. There is also a brief training on the homepage that
> >> introduces non-experts to SQL injection concepts in a fashion that
> >> makes it easy to understand.
> >> Below is the link to the video of me hacking into the college web site
> >> using SQL injection:
> >> http://www.appiant.net/exploit.wmv
> >>
> >> Other videos related to application security can be viewed from the
> >> home page as well: www.appiant.net <http://www.appiant.net/>
> >>
> >> It's not available from the web page, but if you want to see the video
> >> of Microsoft's response to application security by securing the database:
> >> http://www.appiant.net/sql_security.wmv
> >>
> >> No, that video is not a fake; the entire video can be accessed from
> >> Microsoft's website – the original is over an hour long, I just edited
> >> it down to ~5 minutes so you could get the point in a shorter timeframe.
> >> http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=31
> >>
> >> Any questions, feel free to ask…
> >>
> >> Regards,
> >>
> >> Joel R. Helgeson
> >> President
> >> Appiant, Inc.
> >> 1402 County Road C2 W
> >> Saint Paul, MN 55113
> >> (952) 858-9111
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


--
pagvac
[http://ikwt.com]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/