[WEB SECURITY] Application Security Hacking Videos
Dave King
davefd at davewking.com
Sat May 27 13:08:50 EDT 2006
The first thing he says in the video is that he was commissioned to do
the audit. He also has another video that shows the college site after
it was fixed. Still, to me it seems a little strange that he was paid
to audit the site and then makes a video of it and publicizes it all
over the internet. Most people that I know who want audits want to know
the problems and be able to fix them before word gets out they have a
problem, then they'll fix it and not let anyone know there was ever a
problem. However, I guess if the college gave permission then there's
really no problem.
I'm not sure what the clips from Microsoft are trying to show. To me it
seems like they're intended to show that Microsoft doesn't have a good
fix for the problem at hand. From what I gathered from the training,
they were trying to show some ways to seriously lock down a SQL Server
2000, which would help mitigate some risks, while causing some usability
problems. Microsoft has been an advocate of strong server-side input
validation (ASP.Net even has some nice features to help you with this).
The video was just showing another layer in a good layered security
approach.
Lastly, I'm of the opinion that ticks should be allowed in a password.
I don't like restricting characters in a password. However, best
practices should be followed. If, for example, in the video the college
had been storing the password as a secure hash, then hashing the
password that was input and comparing them (preferably using a stored
proc to do the SQL stuff), then the attack would have failed.
Dave King
http://www.thesecure.net
http://www.remotecheckup.com
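To make Dave's last point concrete, here is an added example (not from the post, the video, or the college's site) that puts the tick-vulnerable login check beside the hashed-and-parameterized one he describes. The schema, the account "alice", its password and the use of sqlite3 in place of SQL Server with PBKDF2 standing in for "a secure hash" are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the college's login table (not the real site's schema).
# pw_plain exists only so the vulnerable check can be shown beside the hardened one.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_plain TEXT, salt BLOB, pw_hash BLOB)")

ITERATIONS = 100_000  # PBKDF2 work factor; any slow, salted hash would do here


def derive_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for "a secure hash"; the post names no algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (username, password, salt, derive_hash(password, salt)))


def login_vulnerable(username: str, password: str) -> bool:
    # Plaintext password spliced into the SQL text: a tick in the input rewrites
    # the WHERE clause, so the query no longer means what the developer intended.
    # (Deliberately insecure; this is the defect the video demonstrates.)
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND pw_plain = '%s'"
           % (username, password))
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A tick in a legitimate password breaks this query too, which is why
        # banning the character looks tempting instead of fixing the query.
        return False


def login_hardened(username: str, password: str) -> bool:
    # Dave's recipe: parameterized lookup (a stored procedure plays the same
    # role on SQL Server), then hash the submitted password and compare hashes.
    # The input is never part of the SQL text, so ticks are just characters.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive_hash(password, salt), stored)


register("alice", "s3cr'et")  # constructed account; the legitimate password contains a tick

if __name__ == "__main__":
    probe = "' OR '1'='1"  # the textbook tick input the video's attack relies on
    print("vulnerable accepts probe:", login_vulnerable("alice", probe))    # True
    print("hardened accepts probe:  ", login_hardened("alice", probe))      # False
    print("hardened accepts real pw:", login_hardened("alice", "s3cr'et"))  # True
```

Note that the hardened version accepts the legitimate password with the tick in it, so there is no need to restrict the character once the query is parameterized.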
Daniel wrote:
> Joel,
>
> Whilst this is a great idea and useful to those who don't understand
> how to go about performing these types of assessments, I question the
> legality of what has been done in the videos.
>
> Was this a legitimate application assessment, on behalf of the local
> college, or was this unauthorised? If it was unauthorised, surely you
> have just admitted breaking various computer laws and have offered the
> proof to the police in the form of a video?
>