Podcasts Postings
The Mighty Seek Podcast is all about web application security, as well as general web application development issues.
The primary focus is on security and tries to explain things so that anyone can understand them since security issues affect everyone across an organization.
Hopefully this show will be a resource for everyone involved in a software development project.
 MightySeek Interviews rsnake
Thursday, April 19th, 2007
Today I had the pleasure of meeting up with a celeb of the web app sec world… rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software and then completely forget to switch the mic input to my good mic, and end up doing the recording on the lame mic that's built into my laptop.
In any case, here ya go.
 Standard Podcast [41:57m]
Posted in Web Application Security, Podcasts |
 PHP Security and the Month of PHP Bugs
Saturday, March 10th, 2007
In this episode I discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the Month Of PHP Bugs that is going on through March.
PHP has frequently been blamed for security problems in applications written in PHP, which really is no fault of the language and engine itself. It would be like everyone blaming C and C++ as being insecure, and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed, and these are what the Month Of PHP Bugs is highlighting.
So in this episode I discuss these issues, some of my past projects and various other issues in PHP… It's so good to be back at the mic, even tho I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!
 Standard Podcast [65:34m]
Posted in Web Application Security, Podcasts |
 Hands On Series - Cross Site Scripting (XSS) Part 1
Monday, August 28th, 2006
The “Hands on Series” continues!
 Standard Podcast [38:10m]
In this episode we start dealing with Cross Site Scripting (XSS) attacks.
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users' browsers.
A key element of XSS is that one user can submit data to a website that will later be displayed to other users.
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than an attack on other users.
The hackme site has been updated and improved (more about that in a moment) and now includes a section for XSS which we will be using in this episode.
Posted in Web Application Security, Hands On Series, Podcasts |
 Questions for podcast with Dan (PodPress developer)
Thursday, May 18th, 2006
James Woodcock will be interviewing me in the coming days, and so posted this on the forums.
Dan (Mighty Seek) developer of the PodPress plugin for Wordpress, will be interviewed in one of my future blogcasts on my website.
If you have any questions you would like him to answer about either his PodPress plugin or security, please ring my automated (non-premium) voicemail on UK: 0207 193 3092 or Worldwide: +44 207 193 3092 or for free on skype id: glidem
The best questions will be included in the show…..
__________________
>> Hear more about PodPress, in my audio interview with Dan Kuykendall <<
http://www.jameswoodcock.co.uk - My personal online diary covering the internet that I find of interest including audio interviews, music, gaming, technology, gadgets, websites, free downloads and general articles.
Posted in Podcasts, PodPress, Misc |
 Hands On Series - SQL Injection Part 1
Friday, April 28th, 2006
The start of the “Hands on Series”, which means that there are actual hands on exercises to go along with these shows.
 Standard Podcast [58:03m]
 Code Monkey - Played during podcast [3:07m]
I feel that it's time to go beyond the concepts, the chatter about what bad guys can do, and actually show you directly. Let you see for yourself, as the saying goes.
I recommend that you listen to these episodes while viewing the hacking test site and have the show notes visible and ready to cut and paste from.
Posted in Web Application Security, Hands On Series, Podcasts |
 Privilege Escalation Attacks
Friday, April 14th, 2006
In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.
The problem is around validation against access controls at every point of execution. Too often the access controls are done to control the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. That's bad design in the app, and it is VERY common.
 Standard Podcast [20:55m]
Posted in Web Application Security, Podcasts |
 Catching up and a preview of future shows
Thursday, April 13th, 2006
In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.
 Standard Podcast [39:40m]
Posted in Web Application Security, Podcasts |