[thelist] Website Database Security

Raymond Camden jedimaster at macromedia.com
Thu May 3 13:42:19 CDT 2001


> Chris (and everyone) - I gave a presentation this February on web site
> security. It wasn't "deep", ie, it didn't cover network stuff like closing
> ports and stuff, but it didn't cover web application mistakes, like not
> checking url parameters, not encrypting cookies w/ special
> information, etc.

As a side note, I also call this my "Anti-Sneaky Bastard" presentation. It
made me feel real good when every now and then I saw someone wince when I
mentioned a particular point. ;)

Here is something else to consider. Again, I'm no security expert, but I've
always heard that you should try to deny as much info as possible to the
hacker, since every little piece helps. So, I asked the crowd, how many
people use:

www.mysite.com/admin

as their administration folder. A good 10 or so hands rose. I mentioned that
even if that folder was password protected, it was still a bad idea to have
an obvious name like that. If I were to find another hole on your server
(and I found one like this at a major .com site a few months back) that
allowed me to read arbitrary files, I could sneak into that folder.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda
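To make the point about the admin folder concrete: an added example (not code from the original post) of a static-file handler that refuses path traversal and refuses to serve anything under the admin folder no matter what the HTTP password check said. The web root path and the folder name `admin` are constructed values; the check is lexical, so a real deployment should also resolve symlinks.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"            # constructed document root
PRIVATE_DIRS = frozenset({"admin"})   # assumed name of the protected folder


def safe_path(url_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a URL path to a filesystem path under web_root, or None if refused.

    Two independent checks: the path must stay inside the web root (so a
    file-read bug cannot be turned into an arbitrary file read), and the
    private folder is never served by this handler even when the request
    carries a valid login.
    """
    decoded = unquote(url_path)       # decode percent-encoding exactly once
    if "\x00" in decoded:             # NUL truncates paths in C file APIs
        return None
    decoded = decoded.replace("\\", "/")
    # Join first, then normalise, so ".." segments that climb above the root
    # produce a path that visibly fails the prefix check below.
    full = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if full != web_root and not full.startswith(web_root + "/"):
        return None
    # First path component below the root; comparison is case-sensitive,
    # which matches a case-sensitive filesystem (adjust for others).
    first = full[len(web_root):].strip("/").split("/")[0]
    if first in PRIVATE_DIRS:
        return None
    return full


if __name__ == "__main__":
    # Constructed requests: the kind of URLs a file-read bug gets fed.
    for req in ("/index.html", "/../../etc/passwd",
                "/images/..%2F..%2F..%2Fetc/passwd", "/admin/users.txt"):
        print(f"{req!r:40} -> {safe_path(req)}")
```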
