Information Security mostly revolves around defense in depth. Hitherto, we have had ‘Intrusion Detection’ and ‘Intrusion Prevention’ tools and techniques. But the newest technique in securing information assets, ‘Intrusion Deception’, has turned the security concept upside down and relies on counter offensive ‘honey pot’ methodology to protect the information assets in an organization.
At the CanSecWest security conference held earlier this year, IE, Firefox, Safari & iPhone were taken down within minutes. The fully patched systems went down to remote exploits which only goes to show how insecure internet facing systems are.
The Open Web Application Security Project has come out with the top ten web application security risks for the year 2010. The following table makes a comparative analysis between OWASP Top 10 – 2007 and OWASP Top 10 – 2010.
Let’s say that you have been asked by Abcxyz Inc to test their HR web portal. You decide to use fuzzing to check for easily guessable user IDs and passwords. You have collected a list of possible user names and a password dictionary has also been shortlisted by you.
Web applications are those that are accessed using web browsers like Firefox or Internet Explorer. The protocol used by web applications is called Hypertext Transfer Protocol (HTTP). The secure version of this protocol is HTTPS.
SQL injection is an attack on a web server which targets the database the web application is talking to. The aim of the attack is to trick the database server into running queries constructed by the attacker. These attacks can even cause the database to execute update or delete transactions.
An HTTP proxy can help you analyse the data that is sent back and forth between your browser and the websites you visit. It sits between your browser and the website you are visiting and hands you all the information that the browser is sending to the website. You even have the option to change the data that is being sent.