-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/06/2011 01:04, Nick FitzGerald wrote: > mrx wrote, > >> I am a little frightened that my web app will be owned and user >> credentials exposed. ... > > Keep that attitude when you are no longer a "noob" web-app developer > and the world will be a better place. > > There are far too many "hack" web coders out there, and the evidence > suggests that Sony employs quite a few of them... > >> ... I have read much on SQL injection, XSS, remote >> execution, session hijacking etc. I only think I have all bases >> covered, I am not 100% sure. Is there a definitive text/book/white >> paper on such matters and if so could someone please let me know >> where I can find this? > > I'm not a web-app expert at all -- I live and work in a niche > necessitated by the appalling condition that is "web security" in > general (I'm a malware analyst who spends much of my time looking at > the stuff the bad guys who break poorly configured servers, poorly > configured and/or written web-apps, etc, etc put on those compromised > machines to wreak havoc further down the food chain) -- but if you're a > web-app developer and do not know about OWASP or what the OWASP "Top > 10" is, you're probably a shockingly bad web-app developer (but > probably well able to get plenty of work at the likes of Sony). > > > > Regards, > > Nick FitzGerald
Hi Nick Yes I am on the OWASP mailing list, unfortunately the nearest branch meetings are quite a few miles away so I haven't managed to get to one yet. I did the top 10 and hopefully with my limited experience and knowledge in this field have covered them all. I would like someone smarter than me, which is probably most who read this list to try and hack my app. I have done malware research too, played with reversing, captured stuff in a Honeypot, monitored flow through a Honeywall. I know a bit about a lot of things but not a lot about any one thing in particular. I am pretty pleased with the fact that the last time I had a system infected with malware, that I didn't infect on purpose, was my Amiga with the Saddam virus. I have always been paranoid ;-) IT isn't new to me, but IT security is. I need to focus but there is so much that interests me, I can't do it all but that doesn't stop me from trying. Cheers Dave > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > - -- Mankind's systems are white sticks tapping walls. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBTfK4prIvn8UFHWSmAQLTnwgAq/o+S0TLUt8EVOjhEZrO7SQ5yf6EbMMF ZPl0uhbULht9iwYLRUkYBXXAUXUj58J+EKJUrO/XuImLTrz8bpy2r/bSsB5x4jFB Faye5SIaQRzZwFC/STihpgGiqiqAl+3Un1C/Fb2Xdgg2bG9yl/SxbtACMUZcg7Sa HrkwjlVVZyt3Q02JaYT/4JFRcDG3TeogF41KPV5AG1DNdBkXR1kJnRsWCvnO376c cT4ymOBWdhBYFeQvYI/YzTtTe4QoWkE/q8WYbuUE/vpGY13KA5Qd/JLLIL+oKxAw xpHkql+iYDpCK3pLD3XeleuZAD1BJojVtpfQ97UiyBoj9P/nbRiHeQ== =q5So -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
