
Archive for the ‘Security’ Category

On almost every website there are 3rd party scripts that track us (for serving ads, generating stats, displaying content, etc.).

Ghostery is a free browser extension that informs us about these scripts on every page.

And, besides informing, it lets us block them too, either by category or script by script.

Ghostery

As a web user, such a plugin is really handy. And, as a web developer, it is great to instantly see which website uses which scripts, or to enable/disable them and watch how the site behaves for debugging purposes.

Ghostery is available for all major browsers and even for mobile.

Captchas are still the standard to verify that the user performing an action (like filling forms) is a real human but not a bot.

PlayThru is a free and different alternative to other standard captcha solutions by asking users to play a very short game rather than guessing the scrambled letters (which is also like a game but “so” less fun).

The games are simply dragging and dropping items to the right places, depending on the question asked.

PlayThru Captcha

No Flash is used, it is all HTML5, and the games work on mobile as well. Also, there are plugins for popular apps (like WordPress and phpBB) and libraries for various scripting languages.

PlayThru is free for unlimited use, and paid plans exist for anyone who needs more features and customization options.

When creating and maintaining a web application, it is very hard to do a complete security test by hand, as there are lots of things to check for and many different methods exist for exploiting apps.

Netsparker is a professional yet user-friendly web application security scanner (runs on Windows) which makes it easy for developers of all levels to search for and find flaws in their apps.

The application has a simple and intuitive user interface where you can start scanning a web app almost instantly.

Netsparker

But this simplicity doesn't mean the scanner itself is simple. Rather, it packs an advanced set of scanning technologies that analyze apps deeply: it has full JavaScript/Ajax support and can keep working on pages behind a login (once the auth info is supplied).

Best of all, Netsparker claims to be false-positive free: if it reports a vulnerability, then there really is one.

In case you plan to use it regularly and integrate it into your development environment, it has a command-line interface for easily automating and scheduling scans.

It is a pretty flexible tool, as you can choose which pages/parts of a web app to scan, or leave the automation aside and drive it manually. Also, the attack methods used can be customized and enabled/disabled individually.

Netsparker Settings

Once a scan is completed, Netsparker produces a report which includes a summary of all detected vulnerabilities, together with links to additional actionable detail such as the impact and remedy for each. These reports can also be customized using the Reports API provided.

How to join the giveaway?

In order to get a chance to win the Pro Edition License, just tweet with the #wrdnetsparker hashtag and link back to this post.

The winner will be selected randomly from the tweeters 1 week later (9 October 2012).

Good luck to all.

The winner

Here is the winner of Netsparker Pro Edition License: 

  • @themergency

Congratulations and thanks to everyone for joining.

SQL injection, the technique of altering an application's SQL queries by sending crafted input through forms or other requests (POST, GET, ...) so that the input is executed as part of the statement, is probably the nightmare of many dynamic websites.

Bobby Tables, an online guide to preventing SQL injection, tells "how easy it is to create secure queries" by focusing on two points:

  • never build SQL statements that include outside data, and
  • use parameterized SQL calls instead.

The guide provides examples for many popular scripting/programming languages and, for anyone willing to learn more about SQL injection, checking the page for your favorite language is probably a good idea.

Bobby Tables

P.S. The comic is from xkcd.

Cryptico.js is an easy-to-use JavaScript library for encrypting text on the client side.

It supports RSA + AES as a hybrid scheme (a random AES key encrypts the text and the RSA key protects that AES key), and RSA keys can be generated at any given bit length (e.g. 1024).

Cryptico.js

The content is encrypted with the recipient's public key and can only be decrypted with the matching private key, which makes sense if the recipient already holds that key pair.

Cryptico.js doesn't require any JS framework to function and it is well-documented.

Captchas are usually hard to use and boring. However, they help a lot in minimizing headaches on the application side by making sure that "an action is performed by a human".

MotionCAPTCHA, a jQuery plugin, offers a different type of captcha by asking users to draw the shape displayed. It is not only different but also fun, and it can even be easier to use on touch devices.

The project is currently a proof-of-concept, since the captcha is only verified on the client side and can be manipulated: a bot that posts the form directly never runs that JavaScript at all. However, the next version is planned to have server-side verification and better browser support. Looking forward to it!

MotionCAPTCHA

NuCaptcha is a free captcha service that uses motion video to verify that a web interaction comes from a human.

Compared to image-based captchas, it is harder for bots to recognize and easier for humans to read, which is great.

NuCaptcha

With the help of an API, NuCaptcha can be integrated into any website (sample code is provided) and there is also a WordPress plugin.

The captchas can be customized in terms of skin, background and the message displayed, which helps them blend in visually with the website.

Websites are getting more and more complex every day and there are almost no static websites being built anymore.

Today, even the simplest website has at least a contact or newsletter form, and many are built with CMS systems or use 3rd party plugins, services, etc. that we don't have exact control over.

Even if the website is 100% hand-coded, so that we trust what we created and think it is safe, it is still possible that a special character is not sanitized or that we are not aware of a new attack technique.

So, it is really hard to say "my website is safe" without running tests on it. The good part is that there are powerful and free web application security testing tools which can help you identify possible holes.

Before presenting them, let's remember the classic: "something is only as secure as its weakest link" (which also reminds us that the weak spot is not always the application; it can still be the server it is hosted on, or that easy-to-remember FTP password).

Netsparker Community Edition (Windows)

Netsparker Community Edition

This is the free community edition of the powerful Netsparker, which still comes with a bunch of features and is also advertised as false-positive free.

The application can detect SQL injection and cross-site scripting issues.

Once a scan is complete, it displays the solutions next to the issues and lets you see the browser view and the HTTP request/response.

Websecurify (Windows, Linux, Mac OS X)

Websecurify

Websecurify is a very easy-to-use, open source tool which automatically identifies web application vulnerabilities using advanced discovery and fuzzing technologies.

It can create simple reports (which can be exported into multiple formats) once run.

The tool is also multilingual and extensible through add-on support.


PHPSecInfo is a PHP environment security auditing tool which can be useful as part of a multilayered security approach.

The script runs a series of tests on the PHP configuration to identify potential security issues and offers suggestions.

PhpSecInfo

It can be reached easily by calling the "index.php" file after uploading the project folder to the server. Since the report reveals details of your server configuration, restrict access to it or remove it once you are done.

The PHP Security Consortium also has a PHP security guide which you may want to check out.

P.S. PhpSecInfo is definitely not a replacement for secure coding practices and doesn't audit PHP code.

VidoopCAPTCHA is a free verification solution that is image-based, which is unusual compared to the widely used text-based ones.

It aims to be a more user-friendly solution, as text-based captchas can sometimes be very hard to read for humans, not just for bots.

Image Based Captcha

VidoopCaptcha is a hosted service and has plugins for WordPress, Ruby on Rails and Drupal. Also, there are libraries for programming languages such as PHP, Python and .NET.

It offers some customization options like the image category, the number of grid squares, color and grid size. A demo is also available.
