Comments for Miscellaneous Security

Comment on Cross-Site Scripting in 37Signals Writeboard Application by Brett Hardin

Brett Hardin — Wed, 03 Feb 2010 20:34:51 +0000

It should be noted. I really don’t care about finding XSS vulnerabilities. They are everywhere, get over it. What I am more interested in is the concept of “rush” to development mentality and how that affects the security community.

Comment on Insecure Cryptographic Storage by Aaron Grattafiori

Aaron Grattafiori — Wed, 30 Sep 2009 04:09:05 +0000

Also.. People that store hashes of CC #s without properly salting them can be asking for trouble, the “keyspace” for of CC numbers isn’t very big.

Comment on Insecure Cryptographic Storage by Aaron Grattafiori

Aaron Grattafiori — Wed, 30 Sep 2009 04:05:36 +0000

Bruce Schneier in one of his books wrote something along the lines of: “The person that invents their own crypto algorithm (I think he said primitive) is either a genius, or a fool. Looking at the typical ratio, the odds aren’t good.”. I thought that was a clever way to do it and honestly quite truthful.

Comment on Writing Secure Code by Roy

Roy — Thu, 24 Sep 2009 20:17:53 +0000

This is one of those good, simple ideas that can really take off.

This is a great way for programmers to practice thinking about security, since, you’re quite correct, we don’t as often as we should.

Comment on Insecure Cryptographic Storage by BrettH

BrettH — Mon, 21 Sep 2009 17:08:50 +0000

I hope that the team lead and the project manager realized this was a bad idea and changed the way that passwords are being encrypted.

These are the types of security problems that should have maximum visibility to the whole business unit.

Comment on Insecure Cryptographic Storage by Nitin Reddy Katkam

Nitin Reddy Katkam — Mon, 21 Sep 2009 16:42:22 +0000

I recently hear a conversation in which the project manager asked a lead developer, “How are we encrypting passwords while storing them in the database?” The response was, “I don’t know. We downloaded a Microsoft Enterprise Library block from the Internet and are using it through the membership provider in ASP.NET.”

Even if we are using a very weak algorithm with a private key copy-pasted directly off a web page on the Internet, the response by the team lead created a pretty good sense of security for the project manager. :-D

Comment on Understanding Cookies by Brett Hardin

Brett Hardin — Fri, 04 Sep 2009 00:03:16 +0000

No comment. :)

Wanted to see if anyone was paying attention.

Comment on Understanding Cookies by Matt

Matt — Thu, 03 Sep 2009 16:25:32 +0000

It may just be me being over zealous but I thought the cookie looked a little base64 encoded so being the over zealous time that I am I fed it into “echo cookie | openssl base64 -d” and checked the output.

I won’t paste it here, but it certainly was interesting.

Care to comment on this ?

Comment on Information Leakage and Improper Error Handling by Kevin S.

Kevin S. — Thu, 13 Aug 2009 16:13:51 +0000

Hey Brett good post. It’s important to remember that information can leak client side as well so its important to do all the stupid things like autocomplete=”off” and properly setting cache headers. almost all malware checks common cache locations for passwords so its up to the developers to ensure that this information isnt stored in the first place.

Comment on Insecure Direct Object Reference by Jeff Williams

Jeff Williams — Wed, 22 Jul 2009 23:41:38 +0000

Love the series. You should probably update this article with the most common form of direct object reference, the database key. Virtually every site has urls with parameters like acctid=12048434 or fileid=8CF8. These are often the best way to access unauthorized data.