Re: Wrong error message when user having is_staff=False tries to login to admin

2011-03-14 Thread Rohit Sethi
To reiterate, you would get this message iff you have the correct credentials for an end user who is not an admin user. You seem to be referring to Response Information Discrepancy Information Exposure (http://cwe.mitre.org/data/definitions/204.html) which is generally about differentiating

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-13 Thread Rohit Sethi
I personally like the idea of a decorator On Mar 13, 12:30 pm, Ryan N wrote: > I personally do not believe XFrameOptionsMiddleware should be on by > default. There are plenty of folks using Django for simple static > sites or RESTful APIs where clickjacking doesn't

Re: Ticket 14261 - add basic clickjacking protection to Django

2011-03-13 Thread Rohit Sethi
This is awesome - very progressive and I hope other frameworks follow suit. Have you done a poll of users to see how many would be affected by a "SAMEORIGIN" setting? Maybe that would be a good place to start. Is there some other way to test the overall impact of this prior to committing to it

Re: Wrong error message when user having is_staff=False tries to login to admin

2011-03-13 Thread Rohit Sethi
To summarize - if I understand correctly the only way a more specific error message can result in a problem is the following scenario: 1) An attacker correctly guesses credentials for a user on the admin site 2) The attacker does not try to authenticate with the same credentials on the regular

Re: Brute force attacks

2011-03-08 Thread Rohit Sethi
that brute-force prevention doesn't come out of the box. Does that sound fair? On Mar 8, 4:10 am, Michael Radziej <m...@spieleck.de> wrote: > On Mon, 7 Mar 2011 18:11:19 -0800 (PST), Rohit Sethi <rkli...@gmail.com> > wrote: > > Luke, I guess the real question is what's the risk of

Re: Brute force attacks

2011-03-07 Thread Rohit Sethi
here are wrong. On Mar 7, 6:48 pm, Luke Plant <l.plant...@cantab.net> wrote: > On 04/03/11 21:56, Rohit Sethi wrote: > > > Hi all, I wanted to revisit a key security discussion. Brute force > > attacks are the 7th most prevalent attack by number of incidents in >

Re: Brute force attacks

2011-03-06 Thread Rohit Sethi
Ok, we'll go ahead with researching this. Expect to hear back from us within the next 2-3 weeks (if not this upcoming week) Thanks, Rohit On Mar 5, 8:40 am, Rohit Sethi <rkli...@gmail.com> wrote: > Hi Russell, here are my thoughts on your points: > > 1. I do believe there shou

Re: Brute force attacks

2011-03-05 Thread Rohit Sethi
wrote: > On Sat, Mar 5, 2011 at 5:56 AM, Rohit Sethi <rkli...@gmail.com> wrote: > > Hi all, I wanted to revisit a key security discussion. Brute force > > attacks are the 7th most prevalent attack by number of incidents in > > the Web Hacking Incidents Database (http://p

Brute force attacks

2011-03-04 Thread Rohit Sethi
Hi all, I wanted to revisit a key security discussion. Brute force attacks are the 7th most prevalent attack by number of incidents in the Web Hacking Incidents Database (http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database), which tracks publicly disclosed breaches in web

Re: Your thoughts on the Secure Web Application Framework Manifesto

2011-02-28 Thread Rohit Sethi
Hi Jacob, just as an FYI I messaged you last week about this off list - my email was from my first name @securitycompass.com. Just wanted to make sure you got it Thanks, Rohit On Feb 24, 6:55 am, Jacob Kaplan-Moss wrote: > Hi Rohit -- > > I had a skim of the document, too,

Re: Your thoughts on the Secure Web Application Framework Manifesto

2011-02-22 Thread Rohit Sethi
tail you've gathered on any individual item if I so choose. > > Either way, thank you for providing an interesting resource. > > All the best, > >     - Gabriel Hurley > > On Feb 21, 5:09 pm, Rohit Sethi <rkli...@gmail.com> wrote: > > > > > > >

Re: Your thoughts on the Secure Web Application Framework Manifesto

2011-02-21 Thread Rohit Sethi
russ...@keith-magee.com> wrote: > On Mon, Feb 21, 2011 at 11:21 PM, Rohit Sethi <rkli...@gmail.com> wrote: > > Django devs, I wanted to thank you for a truly awesome framework. > > Programming with Python, and web app dev in Django, is truly a > > pleasure. Our c

Re: Your thoughts on the Secure Web Application Framework Manifesto

2011-02-21 Thread Rohit Sethi
One more point - if any of you have questions for somebody who lives and breathes web application security every day, please feel free to fire them off to me: rohit at securitycompass.com On Feb 21, 10:21 am, Rohit Sethi <rkli...@gmail.com> wrote: > Django devs, I wanted to

Your thoughts on the Secure Web Application Framework Manifesto

2011-02-21 Thread Rohit Sethi
. Thanks in advance, Rohit Sethi @rksethi