The good people at InfosecWriters.com have announced that they will publish my research paper on the SANS/CWE Top 25 Most Dangerous Programming Errors. Click here for more information on this list from the SANS Website.
I wrote this paper for my Spring 2009 grad school class at ECU as we do pretty much every semester especially for Dr. Lunsford's class. He always asks us to submit for publishing and this time they latched onto mine.
Here is a link to my entry: http://www.infosecwriters.com/texts.php?op=display&id=646
Tuesday, April 21, 2009
Thursday, April 9, 2009
Metasploit - downloading and installing Metasploit framework for a newbie.
I'm doing a small presentation on the Metasploit framework for my Advanced Network Security course at ECU and I thought I'd put my experiences down here.
Getting started, I went to the Metasploit's framework site on the support side and downloaded the user guide (PDF format). This is a pretty good user's guide, about 30 pages long, and easy to read. It tells me that since I am a Windows user, I need to download the last stable Windows version. I see that the current version is an EXE file that lists it at 3.2. I had read that version 3.2 came out in March and in Macworld, they say that two people worked really hard to move the best of the Windows exploits to the Mac. It seems that the Windows version is a little better (probably since there are so many exploits on that platform!)
First problem! Avast, my anti virus software, flags the downloading file as containing a few Trojans. I immediately stopped downloading and went to Google to see if I could find some information. I saw a bunch of hits for Avast and Metasploit. I selected and read a few and basically it sums up to :there aren't any trojans in metasploit.
I stopped Avast and redownloaded the file trepidly! I finished the download and clicked the installer file to install the framework. By that time, I had re-enabled the Avast software. During installation of Metasploit, Avast agained complained a few times about Trojans and I dismissed them (about 5 or so alerts in total).
Start Metasploit launched a DOS Window that scrolled a lot of files, for what seemed 3 minutes. Finally I got the splash screen and Metasploit Framework GUI v3.2.
More information next as I play around and see how it works. I'll also report if I ever find any Trojans. I will run Spybot and Adaware also.
I tried to list a few books from Amazon on using Metasploit but the links failed this morning when I looked at it. Deleting now....
Tuesday, April 7, 2009
New OWASP Cheetsheets.
The Open Web Application Security Project has released two cheatsheets aimed at helping development teams thwart XSS and SQL injection attacks.
XSS : http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
SQL Injection: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
The cheatsheets explain how proper output encoding goes a long way to mitigating these types of attacks. And SQL injection is up to about 30% of all malicious attacks on web applications so any protection against these attacks will be worth it to your project.
XSS : http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
SQL Injection: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
The cheatsheets explain how proper output encoding goes a long way to mitigating these types of attacks. And SQL injection is up to about 30% of all malicious attacks on web applications so any protection against these attacks will be worth it to your project.
Subscribe to:
Posts (Atom)