As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am interested in learning about how hackers find and exploit vulnerabilities. Specifically about windows hacking and web hacking i.e. I’m NOT interested in linux/unix stuff.
Are there any good websites with technical articles about specifically how to find, exploit and block vulnerabilities with code samples and tools used.
I can do a quick search and there are a load of sites but i'm looking for something with a little more quality geared towards an audience with a programming and web background.
Even a good book but only if it's windows/web specific
Thanks a lot
Smashing the Stack for Fun and Profit is the classic Phrack article on writing buffer overflow exploits.
A good starting point for a web developper would be the Open Web Application Security Project (OWASP). They have a lot of ressources on the subject of Web Application Security and on some on application security in general. You can get some of the wisdom of that side in book form.
Try Simpson Garfinkel's book on web security first.
I highly recommend:
Hacking: The Art of Exploitation
Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook
I liked the Web Security Testing Cookbook. Some non-Windows stuff in there. The focus is on testing and using tools to find problems.
Subscribe to Schneier on Security. It's a great security blog.
For web hacking I recommend reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (very good book with lots of examples. It also shows you the tools which will get you started).
Also for web hacking I recommend completing and understanding all the challenges you can solve by downloading the WebGoat
See the top 100 network security tools list at http://sectools.org/.
Don't get me wrong but if you really want to understand security stuff, Linux is really the way to go. There, you'll really learn the fundamental, i.e. things that is important everywhere (encryption, ASM, programming, protocols, [etc]). However, on Linux, you'll be able to read real code and use/find real exploit (and of course, send bug fix). You'll also find a lot more documentation and a really nice community.
I know I'm biased toward Linux and you'll probably think I completely missed your question. However, I know friends of mine who asked me the same question and I told them what I've just told you.
Once you know the base, you can easily find the documentation you want (reading RFC, learning new languages, architectures, tools, source code, etc..) This is by far better then to know a procedure to execute an exploit without understanding why it exists.
One last thing, the best hacker does't find exploit by guessing.. they have a perfect understanding on the underlying structure and see something wrong. Then, some exploit it, other send a patch to fix it - this is not the right place to argue about it - however, they are both experts in this domain.
I think what you'll need would be to join some hackers community which would provide many missions where you'd have to find the exploits yourself....
understand that if you have learn hacking you'd have to hack something......
www.enigmagroup.org would be an useful one...
www.securitytube.net from here you can get videos on almost every security related issue...
Related
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
Benchmark
Hacker News Discussion
Hacker News Discussion 2
It's not like Node.js is even really dominant today (except in the Hacker News community of course), it hasn't even had a 1.0 release yet. Funny to be speculating on what might replace it already :)
Performance is nice (though micro-benchmarks are not the right way to judge that) but if that was the only thing that mattered we would all be writing custom web servers in C for every app. One of the other important things is the community support, which Node.js definitely has going for it at the moment. It has a very healthy open source (this being the key) community that has created a large library of tools.
I think Vert.x is interesting and has a different way of looking at things than Node.js which is great. If they are able to continue to make progress, get more people interested in it, and show that it is easier and faster to write web apps then who knows? Maybe in a few years we can have a discussion on what is going to threaten Vert.x's future.
There are some interesting things brought up by this micro-benchmark that may be worth addressing in Node, but it's very important to remember that nobody doing 100's of millions of hits per day (which these benchmarks show) does so on one machine. They do it on many machines.
There are certain levels where faster languages make a difference (see for example Twitter migrating their backend from Ruby to Java), but it's VERY rare to get to that position.
Most people need a language that is clean and easy to program in, and a good ecosystem.
Vert.x has no ecosystem to speak of. If you want a JVM based system you can get plenty of options there. If you want a Javascript based system the best option right now is Node.js. It's that simple.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are the best practices for securing a coldfusion webpage from malicious users? (including, but not limited to, sql injection attacks)
Is cfqueryparam enough?
I use a modified portcullis, and filter all incoming var scopes (URL,FORM,COOKIE) onRequestStart.
http://portcullis.riaforge.org/
Pete Freitag has an awesome blog, especially this post on Hardening ColdFusion
Never trust the client.
The most ColdFusion specific "set and forget" is following server administrator hardening guidelines noted above, keeping the server up-to-date, and following ColdFusion on twitter to learn about any new issues immediately.
For app security, which is common across all languages, you should validate every piece of information that touches your server from the client. Forms are are obvious areas of tight control, but don't forget about URL parameters that you might use for application state management or control. Something like &startRow=10&tag=security which isn't "supposed" to be touched by the user is user input. Even if your application could never break with invalid data, you might not know how that data will be used in the future. Validation could be as simple as ensuring that someone isn't entering a 100 character long first name and doesn't contain programming characters or ensuring that &startRow is always a number. These are the little things that application developers sometimes skip because everything works OK as long as you are using the software as expected.
I believe you can look at the Sony Playstation hacking as an example. Unfortunately, they didn't expect someone to hack the client (playstation console) and manipulate the PlayStation console software to hack the server. The server trusted the client.
Never trust the client.
I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language agnostic books which contain principles which can easily be altered for use in ColdFusion.
Although using a prebuilt solution will work, I recommend knowing all the possible issues that must be protected. Check out Hack Proofing ColdFusion at Amazon.
Another great place to learn about security (and all kinds of other topics) is to check out Charlie Arehart's massive list of recorded user group presentations: http://www.carehart.org/ugtv/
Here is information on a good tool that can be used to prevent XSS.
https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
http://www.petefreitag.com/item/760.cfm
Fairly easy to implement and Java based.
I recommend you the excellent talk by Justin McLean "ColdFusion Security and
Risk Management". It includes a case study.
PDF presentation http://cdn.classsoftware.com/talks/CFMeetupSecurity.pdf
Video streaming: http://experts.adobeconnect.com/p22718297
CfQueryParam is very important, but not nearly enough.
There is a boxed solution we use at my work: http://foundeo.com/security/. It covers most of the bases. And even if you don't want to buy it, you can take a look at it's feature set and get an idea of the things you should be considering.
You may like to check -
http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSe61e35da8d3185183e145c0d1353e31f559-8000.html
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
I want to learn more about sandboxing. Not just about it. I want to learn such that I will be able to write a simple sandbox.
Surprisingly, there isn't any information available anywhere. Even the Wikipedia article is not good.
Can any one please suggest me good material. I know that its very advanced level concept. So, what are the prerequisites for learning & mastering it.
read about API hooking, for example sandboxie hooks Windows kernel to filter all api calls to filesystem and redirects it results to sandbox, you could hook APIs and filter it, pass only valid parameters, return errors for invalid calls
for API hooking you will find plenty materials on the net, try on codeproject.com
Google's Chromium uses sandboxing and has several documents about it:
http://dev.chromium.org/developers/design-documents/sandbox
http://code.google.com/p/chromium/wiki/LinuxSandboxing
You might also look at jails in FreeBSD. These are the FreeBSD equivalent of sandboxes.
The source code for jail is available (though you'll have to understand the rest of the FreeBSD code as well.)
A simple sandbox would simply be an environment in which you let 'something' execute, but restrict what it can do.
Typically, this "something" is an already-existing language, like Java, or JavaScript, or C#, or native code. Java has 'sandboxing' apis for applets and so on, and .NET has various 'trust' levels, JavaScript has the bounds placed on it by the interpreters (browsers).
So it's a little weird to "write" your own sandbox unless you also have a language you want to sandbox.
Do you have such a language? What do you want to learn about, specifically?
This is very dependent on what do you want to sandbox. If it is a full-blown system with multiple interfaces/languages available, you really do not want to re-invent the wheel, but run a virtual machine in VirtualBox, QEmu or some other alternative
In any case, a sandbox IS, at least on some level a virtualization of the system you are 'supposed to be' running...
If you need to sandbox applications for a single (interpreted) language, modifying the interpreter sound like a sensible approach.
The answer will likely be language specific. Unfortunately most languages don't have built-in sandboxing capabilities. But functional languages tend to be powerful enough that one can be built from scratch without extending the language.
In Tcl the basic mechanism is to create slave interpreters:
interp create -safe sandbox
interp eval sandbox $set_up_code
set result [interp eval sandbox $unsafe_code]
I wrote an overview of the ways of sandboxing within Linux the other day, which links to a lot of references for the different techniques. Similar methods are applicable in other operating systems. I hope it is helpful - I couldn't find much comprehensively documented either.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I have noticed some developers picking up new skills and moving from one platform to the other? How do they do it? How do they justify for the lack of experience in the said platform they get the job?
Is it based on relevance to their previous experience? do they get certified in the target platform and work at a junior level accepting a pay cut? is it simpler if you are into contracting/consulting? Or is it simply a matter of projecting the resume correctly?
Actually, a lot of seemingly different platforms are really very similar, if you understand what goes on "under the hood," as it were. Though I've barely touched a Microsoft platform for well over a decade, for example, I have little difficulty developing things there because deep knowledge of computer systems in general is quite transferable.
For me, moving from LAMP to .Net was a work necessity. The consulting company I work for needed a PHP guy right away which is how I got in, but that project completed abruptly and they did not have an PHP work on the horizon.
In the closing weeks of the PHP project, I took an online O'Reilly course in C# and worked closely with a more experienced developer on a Windows application for the same client. Once the PHP gig completed I was able to start right away on a .Net project and I've had .Net clients ever since.
The key for me was flexibility. I let my employer know immediately that I was interested in different technologies and platforms and have taken the initiative by requesting access to courses and taking advantage of our yearly book allowance to explore different areas. When opportunities arise for investigating new directions like Mobility (PDAs, specialty devices and tablets) I jumped at the chance.
If your employer doesn't have policies which promote this type of self-directed expansion, then try to build a type of application you are familiar with in a new platform. Once you have you have a decent grasp of the tech, get involved with open source projects in your target platform and look for paid outside opportunities (i.e. Craigslist, elance, etc.) while you are still learning.
Most likely it is a result of circumstances. In these touch economic times being able to move outside your comfort zones is crucial
I really haven't seen a lot of reluctance on anybody's part to put developers on platforms that are new to them. Changes in computer language tend to be far more worrisome to managers than platform changes.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 1 year ago.
Improve this question
I have been asked to provide information on available techniques for assessing our current, and any future websites for security problems. the request is in the form of
Do you know of any good free one that examines for security holes?
I think our data security is probably worth a small amount of upfront spend so any non-free methods would be appreciated too.
Our systems are a mish mash of mySQL, Oracle, SQLServer, PHP, ASP.NET etc etc systems though I guess that that does not matter too much. All the systems are secured in as much as they are patched and the firewalls are set sensibly so outside people cannot get directly to the database boxes etc.
It is XSS and similar attacks that we wish to prevent.
What do YOU use to give you confidence in your systems? ');DROP TABLE answer;
owasp would be a good place to start. There's too much to cover to include here.
If the security of your site is worth nothing to your company then that's what you should pay. For my company the security of our data and the brand image has quite a high value.
We pay a whole bunch of money for regular scans, we've trained the developers in basic hacking/security of applications, our code reviews include a security review and now we're looking at AppScan from IBM (which is expensive but in the long run probably cheaper than all the pen' testing we pay for).
You get what you pay for. Making sure you understand the owasp issues would be a good start though.
Personally, I choose not to be confident in the security of our systems. I am convinced there is always something that I am missing and thus I keep looking for it.
What you seem to be looking for is something to make others feel confident (even if that confidence is an illusion). Penetration testing is probably the right choice for that. Depending upon the tool, it shows potential vunerabilities in a nice report and then you can report how you mitigated them.
We use IBM AppScan and it is a good tool for this. As with any tester of this type you will find yourself following a lot of bad leads. Most of them are not false postives per se, more just things that might be an issue or appear to be and you will have to investigate and determine if they actually are.
I would not put a lot of faith in this kind of testing. If you app scans clean it really does not mean your app is clean. Does not mean it is worthless, but don't make it out to be more than it is.
The next thing I would look into is static analysis tools in your various languages. A lot of these are free. Hand in hand with that is developer education. That is usually a pretty cheap solution to the issue, just making sure they understand what the risks are.
There is no silver bullet, no simple answer, you need to define security as an EVERYONE problem and make sure it is given both priority and commitment.
Check out dotDefender - they've got versions for IIS/Apache/ISA. I use this app to protect against SQL Injection/XSS/DDOS/probing/encoding attacks. No piece of software will ever be perfect but in my case I run systems with sites being developed in .NET, PHP, and classic ASP with some of our sites being new and others being 5+ years old.
http://www.applicure.com/?page=dotDefender
I do also have a company do penetration testing / social engineering every year or so as well but with dotDefender I'm at least happy that I've got a baseline security blanket to protect my sites.
Of particular interest to me was that their app is fully x64 compatible - necessary since I'm using x64 web servers.