10/11/07

TechEd 2007 - Web Application Security

Web Application Security
Alik Levin

The first part didn't bring any news. The only funny thing is that we pretended to be hacking the TechEd website, but he was actually using an internal web server while spoofing the address :-)
He showed us Microsoft Network Monitor 3.1 as a sniffing tool. He used SQL injection in a search form to reveal the database schema and then retrieve login and password information.
Alik talked about exploiting over-privileged accounts. An application should only have the permissions it needs to access and do its job; otherwise an attacker can turn the extra privileges to his own ends.
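As an added example (my own code, not from the talk or its demo): the two points above in one runnable script. The search form's query is built by string concatenation, so a search term that closes the quote and appends a UNION pulls first the schema catalogue and then the credentials table onto the result set. The parameterised version binds the term as data and returns nothing for the same payloads. The last function approximates a least-privileged database account: SQLite stands in for the SQL Server backend used in the demo and has no GRANT, so an authorizer callback restricts the connection to reading the products table, which is an assumption of this example and not something the talk showed. The sample tables, rows and payloads are constructed.

```python
import sqlite3

# Constructed sample data (not from the talk): the search form is meant to hit
# products; the users table is what the attacker is after. SQLite stands in
# for the SQL Server backend demoed at TechEd; the injection works the same way.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
INSERT INTO products (name, price) VALUES ('TechEd mug', 9.99), ('TechEd t-shirt', 19.99);
INSERT INTO users (login, password) VALUES ('admin', 'hunter2'), ('alik', 's3cret');
"""

# Search terms an attacker would type into the form. The first UNIONs the
# schema catalogue onto the product list, the second the credentials table;
# the trailing -- comments out the rest of the original query.
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master --"
CREDS_PAYLOAD = "x' UNION SELECT login, password FROM users --"


def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, term):
    """Query built by string concatenation, as in the demoed search form."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def search_fixed(con, term):
    """Parameterised query: the term is bound as data and never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return con.execute(sql, ("%" + term + "%",)).fetchall()


def restrict_to_products(con):
    """Approximate a least-privileged DB account for the search code.

    SQLite has no GRANT, so an authorizer callback stands in for it (an
    assumption of this example): the connection may SELECT from products and
    call built-in functions (LIKE), and nothing else. A real deployment does
    this with database grants on a dedicated application login.
    """
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    con.set_authorizer(authorizer)


def vulnerable_search_is_blocked(con, term):
    """True if the database refuses the (injected) query outright."""
    try:
        search_vulnerable(con, term)
        return False
    except sqlite3.DatabaseError:  # SQLITE_AUTH: "not authorized"
        return True


if __name__ == "__main__":
    con = new_db()
    print("schema leak:", search_vulnerable(con, SCHEMA_PAYLOAD))
    print("credential leak:", search_vulnerable(con, CREDS_PAYLOAD))
    print("same payload, parameterised:", search_fixed(con, CREDS_PAYLOAD))
    locked = new_db()
    restrict_to_products(locked)
    print("injected query under least privilege blocked:",
          vulnerable_search_is_blocked(locked, CREDS_PAYLOAD))
```

The two defences are independent and both matter: parameterisation stops the term from being parsed as SQL, while the restricted account limits the damage if some other query in the application is still concatenated. Note that the restricted connection still answers the legitimate search; least privilege costs the application nothing.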

I heard about some tools I didn't know of that can be quite useful.
Guidance Explorer - a tool that lets you browse best-practice documentation, select the topics you are interested in and export them to a Word document.

Threat Analysis and Modeling tool - a tool where you describe your application and find out what flaws it may have and how to fix them. It can also produce some useful reports.

FindStr and MSIL Disassembler - together, these two tools allow you (for testing) or an attacker (for attacking) to find critical data such as passwords in .NET assemblies.
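Why that pairing works, as an added example of mine (not from the talk): the .NET compiler keeps every string literal in the assembly's user-string heap as UTF-16, so a connection string with a password survives compilation verbatim. The MSIL Disassembler turns the assembly into text where each literal appears on an ldstr line, and FindStr filters that text; the command line I would use for it is "ildasm /text App.exe | findstr /i password", which is my reconstruction and not a command shown on the page. The script below does the same job directly on the bytes, and also shows the trap that a plain ASCII search misses the UTF-16 literals. The byte blob standing in for an assembly and the secret in it are constructed.

```python
import re

# Constructed stand-in for a compiled .NET assembly (not a real binary and not
# from the talk). .NET stores string literals in the #US heap as UTF-16LE, so
# "Password" sits in the file as P\x00a\x00s\x00... and a byte-wise ASCII
# search for b"Password" does not match it.
FAKE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Server=db01;User Id=sa;Password=Sup3rS3cret!".encode("utf-16-le")
    + b"\x00" * 8
    + "Hello, TechEd".encode("utf-16-le")
    + b"\x00" * 8
    + b"plain ascii text here"
)

# Runs of at least 6 printable characters, in the two encodings an assembly
# actually contains (ASCII in metadata names, UTF-16LE in string literals).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Words FindStr would be pointed at; case-insensitive, like findstr /i.
SECRET_WORDS = ("password", "pwd", "secret", "connectionstring", "apikey")


def extract_strings(blob):
    """Return printable ASCII and UTF-16LE runs found in the blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found


def find_secrets(blob):
    """Keep only the strings that mention a credential-like keyword."""
    return [s for s in extract_strings(blob)
            if any(word in s.lower() for word in SECRET_WORDS)]


if __name__ == "__main__":
    print("naive ASCII search hits:", b"Password" in FAKE_ASSEMBLY)
    for s in find_secrets(FAKE_ASSEMBLY):
        print("leaked literal:", s)
```

The point for the defender is the same one the session made: anything an attacker can run, an attacker can read, so credentials belong in protected configuration (or better, in integrated authentication) rather than in a string literal, and a scan like this belongs in the build's own testing.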
