KeepItLocked.net - All Comments

Microsoft Anti-Cross Site Scripting Library V3.1发布

Web应用安全观察站 — Fri, 18 Sep 2009 09:07:20 GMT

MSAnti-XSSLib实在是一个非常好的工具库，从3.0版本开始就内含了一个SRE(SecurityRuntimeEngine)，SRE实现为一个HttpModule。现在3.1版本也...

re: SSL Warning Messages – Expired Certificates and Mismatched Sub-Domains

jcrawfordor — Wed, 08 Jul 2009 18:50:07 GMT

I've always had an issue with the extremely dire warnings on self-signed SSL certs. With companies like Verisign running the show, CA-signed certificates can be prohibitively expensive, particularly for temporary situations. When a CA-signed cert is not available, it's still preferably to at least have confidentiality and integrity, without authentication, rather than having none of the three. But browser warnings make people tend to immediately distrust servers with self-signed certificates, when browsers don't throw any warning about servers that are not encrypting at all.

I once heard an anecdote about a server at DEFCON (or some other security event, I forget which) which was operating an e-commerce deal selling memorabilia. Because it was a temporary setup it was using a self-signed SSL cert to protect payment info. However, the SSL warnings led many non-security-professionals (reporters etc...) to instead use a completely unencrypted connection!

I've seen this happen in my workplace as well - users see the dire warnings about self-signed certs and think that it is safer to use an unencrypted connection. Particularly in FF and IE where the warnings are particularly frightening, and in the case of FF, difficult to get past.

re: Command Injection Impossible in Java and .NET?

Dan Cornell — Fri, 08 May 2009 00:49:51 GMT

Yet another follow-up. I was uneasy with my previous test results because I remembered that WebGoat had an example of command injection in Java. So I looked at some code and updated my test program to run the Java tests on Windows. Blog post with the results is here:

denimgroup.typepad.com/.../command-injection-in-java-on-windows-100-proven-that-it-is-100-possible.html

--Dan

re: Command Injection Impossible in Java and .NET?

Dan Cornell — Wed, 06 May 2009 13:11:00 GMT

I did the same thing for .NET with similar results. Looks like .NET is reasonably safe, too. Blog post is online here:

denimgroup.typepad.com/.../command-injection-in-net-82-proven-that-is-98-impossible.html

--Dan

re: Command Injection Impossible in Java and .NET?

Dan Cornell — Wed, 06 May 2009 01:32:22 GMT

Yeah that link should have been:

denimgroup.typepad.com/.../command-injection-in-java-80-proven-that-it-is-100-impossible.html

My attempt to make it more clickable added a > at the end. D'Oh!

--Dan

dan _at_ denimgroup.om