Quite a while back there was an article on Securityfocus by Shreeraj Shah on hacking on web 2.0 apps. It was very basic, but it had some tidbits in there that I wanted to keep an eye on for later. It shows how to use Firebug, which is something I'm a newb at, to inspect web pages for client side logic, validation, XMLHTTPRequests, etc. I'm doing another project on web app security at school and am going to focus on javascript, ajax, XSS, CSRF and look at javascript worms. It should be a fun project and allow me to take a narrower look at part of webapp sec. The article should provide me with a little more guidance as I dig into this further.
http://www.securityfocus.com/infocus/1879
Thursday, May 17, 2007
Some Fuzzing Applications
Today jms in #pauldotcom threw out a link to some fuzzing applications that a friend of his had written or was part of writing. I haven't had a chance to take a look at them yet, but didn't want to lose the link either. So here it is. If anyone has played around with these apps, please let me know what you think.
http://appliedsec.com/resources.html
Tuesday, May 15, 2007
An example of sorry web application "security" measures
So last Saturday I participated in the graduation ceremony at college and was able to don the cap and gown for a hot day in the sun. It was all right, as far as these things go, but I'm a bit biased since it was mine. It was nice to go through, but I still have a few units to finish before I really have my degree. Anyways, as you get your "diploma" you get to shake the hand of the university president and get your picture taken with him. As you hit the bottom of the stage ramp, you get your picture taken again solo. Today I got an email telling me I could order my pictures online and to go take a look. So of course I went to go see how they turned out.
Here's where the web app security comes in. It seems that for $50, they will be happy to email the picture I'm looking at to me. Now that seems a tad bit expensive for something that I know is already on my computer in my browser cache. The preview picture is 430 by 620 pixels, so it's not too tiny. It also has no watermarks on it. So, rather than digging through my cache to find it, how do I just save this picture off to my hard disk? Right click doesn't work. So I go to my menu and do View->Page Source. I read through the source code real quick and see some javascript, which I presume is blocking the right click, and find the URL to the image. The image is hosted on another site and there is no authentication to prevent unauthorized access.
So what was the security measure to prevent me from saving the file? Just that silly javascript. Oh well, they will still make a fair bit of money off of me, since my family was to the right of the stage and I ended up on the left side. Kinda limited the photo ops for them.