[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)
- From: mrx <mrx@xxxxxxxxxxxxxxxxxxx>
- Date: Sat, 11 Jun 2011 01:36:54 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/06/2011 01:04, Nick FitzGerald wrote:
> mrx wrote,
>
>> I am a little frightened that my web app will be owned and user
>> credentials exposed. ...
>
> Keep that attitude when you are no longer a "noob" web-app developer
> and the world will be a better place.
>
> There are far too many "hack" web coders out there, and the evidence
> suggests that Sony employs quite a few of them...
>
>> ... I have read much on SQL injection, XSS, remote
>> execution, session hijacking etc. I only think I have all bases
>> covered, I am not 100% sure. Is there a definitive text/book/white
>> paper on such matters and if so could someone please let me know
>> where I can find this?
>
> I'm not a web-app expert at all -- I live and work in a niche
> necessitated by the appalling condition that is "web security" in
> general (I'm a malware analyst who spends much of my time looking at
> the stuff the bad guys who break poorly configured servers, poorly
> configured and/or written web-apps, etc, etc put on those compromised
> machines to wreak havoc further down the food chain) -- but if you're a
> web-app developer and do not know about OWASP or what the OWASP "Top
> 10" is, you're probably a shockingly bad web-app developer (but
> probably well able to get plenty of work at the likes of Sony).
>
>
>
> Regards,
>
> Nick FitzGerald
Hi Nick
Yes I am on the OWASP mailing list, unfortunately the nearest branch meetings
are quite a few miles away so I haven't managed to get to one yet.
I did the top 10 and hopefully with my limited experience and knowledge in this
field have covered them all.
I would like someone smarter than me, which is probably most who read this list
to try and hack my app.
I have done malware research too, played with reversing, captured stuff in a
Honeypot, monitored flow through a Honeywall. I know a bit about a
lot of things but not a lot about any one thing in particular. I am pretty
pleased with the fact that the last time I had a system infected with
malware, that I didn't infect on purpose, was my Amiga with the Saddam virus. I
have always been paranoid ;-) IT isn't new to me, but IT
security is.
I need to focus but there is so much that interests me, I can't do it all but
that doesn't stop me from trying.
Cheers
Dave
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
- --
Mankind's systems are white sticks tapping walls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBTfK4prIvn8UFHWSmAQLTnwgAq/o+S0TLUt8EVOjhEZrO7SQ5yf6EbMMF
ZPl0uhbULht9iwYLRUkYBXXAUXUj58J+EKJUrO/XuImLTrz8bpy2r/bSsB5x4jFB
Faye5SIaQRzZwFC/STihpgGiqiqAl+3Un1C/Fb2Xdgg2bG9yl/SxbtACMUZcg7Sa
HrkwjlVVZyt3Q02JaYT/4JFRcDG3TeogF41KPV5AG1DNdBkXR1kJnRsWCvnO376c
cT4ymOBWdhBYFeQvYI/YzTtTe4QoWkE/q8WYbuUE/vpGY13KA5Qd/JLLIL+oKxAw
xpHkql+iYDpCK3pLD3XeleuZAD1BJojVtpfQ97UiyBoj9P/nbRiHeQ==
=q5So
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/