Tuesday, October 23, 2007

Current Events

There is so much new stuff constantly going on in webappsec that it’s virtually impossible to track, let alone write about. When blogging, I try to refrain from just linking to something and saying, “check this out”. Personally I prefer to dig in, understand the topic as best I can, and present some original ideas. In this case, though, I’m making an exception. There are three very timely things deserving of attention that needn’t wait for me to write them up.

The lucky 13th issue of Insecure Magazine
I read three articles in this issue that I thought were excellent (and I learned a lot):
  • Social engineering, social networking services: a LinkedIn example
  • Risk decision making: who calls it?
  • Interview with Zulfikar Ramzan
Gotta hand it to the Help Net Security guys for consistently solid work.

The Web Application Hacker's Handbook
We knew this book was due out for a while and many people were excited about its release. Dafydd Stuttard (PortSwigger) of Burp Proxy fame was kind enough to send me an unreleased sample chapter so I could get a taste of what’s to come. Cool stuff inside. When I buy a brand new tech book, these are my buying criteria: The topic is of interest to me: Check. The authors are experienced subject matter experts: Check. The ToC or sample chapter is exciting and well-written: Check!

Month of Bugs in Captchas
MustLive is at it again, but this time instead of targeting search engines, he’s going after broken and poorly implemented CAPTCHA systems. MustLive tells me he’s gearing the work to be educational by describing his analytical processes and the various attack techniques used to circumvent their protection. Now if he’d just leave my blog alone, that’d make me happy. :) Depending on what MustLive has in store this could be really interesting, and I’ll be following along.

1 comment:

Anonymous said...

About The Web Application Hacker's Handbook.

Jeremiah, as I planned to write a message at RSnake's site about this book, I have some thoughts about it. And I'll write the message when I find time - at ha.ckers.org and at your blog. At first I planned to write my message before the release of the book, but as it turned out I will write it after its release, and you could send my words to the author, so he could think about some additions for the next edition of the book.

Man, do you like ToCs? :-). Here is the ToC of my message:

1. Nice book.
2. About captcha bypassing.
3. About Frame Injection.
4. Some words about XSS.

About leaving your blog alone. Don't even dream about it ;-). Yes, I'll try not to test my captcha bypass methods at your blog too much. But in the context of Month of Bugs in Captchas you must understand that I made an exploit for Blogger CAPTCHA bypass with your blog ID. And I'm planning to release the exploit with it.

If you have some other interesting blogs in view (at Blogger) you can tell me. But your blog is nice and visitors of my site will like to see it in the project - a vulnerable captcha at Jeremiah Grossman's blog sounds very designing ;-) (much more interesting than a captcha at some_dude's blog). I'll make your blog even more popular, and the main thing is that this will increase the amount of comments at your site. Comments are very important, so you'll like them :-) - a lot of comments, especially automated ones.