Mighty Seek » Podcasts

SQL Injection mention on hype-free

dan — Fri, 27 Apr 2007 07:35:42 +0000

Every once in awhile I try and find out if anyone is noticing my podcast. Well I stumbled on a mention of the SQL Injection hands on episode on hype-free.

MightySeek Interviews rsnake

dan — Thu, 19 Apr 2007 07:45:27 +0000

Today I had the pleasure of meeting up with a celeb of the web app sec world…. rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software and then completely forget to switch to the mic input to my good mic, and end up doing the recording on the lame mic thats built into my laptop.

In any case, here ya go.

PHP Security and the Month of PHP Bugs

dan — Sat, 10 Mar 2007 01:20:01 +0000

In this episode is discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the Month Of PHP Bugs that is going on through March.

PHP has frequently been blamed for security problems in applications written in PHP which really is no fault of the language and engine itself. It would be like everyone blaming C and C++ as being insecure, and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed and is what is being highlighted by the Month Of PHP Bugs.

So in this episode I discuss these issues, some of my past projects and some various other issues in PHP… Its so good to be back at the mic, even tho I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!

Hands On Series - Cross Site Scripting (XSS) Part 1

dan — Mon, 28 Aug 2006 03:57:40 +0000

The “Hands on Series” continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed for other users.
It is nessesary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather then attacking other users.

The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.

(more…)

Mighty Seek Podcast #15 - News and Misc Topics

dan — Fri, 26 May 2006 22:41:15 +0000

A quick in between to the Hands On Series, I chat about some news and issues of the day.

Turkish Hacker defaces 38,000 websites hosted on GoDaddy

Flawed USC admissions site allowed access to applicant data

Breach case could curtail Web flaw finders

Man charged with accessing USC student data

Tsunami appeal site ‘hacker’ found guilty

Network Security Blog: Network Security Podcast, Episode 28

dan — Wed, 24 May 2006 22:35:32 +0000

Network Security Blog: Network Security Podcast, Episode 28

Tonight I appear as co-host/guest of the Network Security Podcast with Martin McKeay. This podcast is a fellow Security Round Table podcast, and I had alot of fun being able to discuss more general security issues.

Questions for podcast with Dan (PodPress developer)

dan — Thu, 18 May 2006 22:31:14 +0000

James Woodcock will be interviewing me in the coming days, and so posted this on the forums.

Click here to get to the forum topic

Dan (Mighty Seek) developer of the PodPress plugin for Wordpress, will be interviewed in one of my future blogcasts on my website.

If you have any questions you would like him to answer about either his PodPress plugin or security, please ring my automated (non-premium) voicemail on UK: 0207 193 3092 or Worldwide: +44 207 193 3092 or for free on skype id: glidem

The best questions will be included in the show…..
__________________
>> Hear more about PodPress, in my audio interview with Dan Kuykendall <<

http://www.jameswoodcock.co.uk - My personal online diary covering the internet that I find of interest including audio interviews, music, gaming, technology, gadgets, websites, free downloads and general articles.

Hands On Series - SQL Injection Part 1

dan — Fri, 28 Apr 2006 21:56:15 +0000

The start of the “Hands on Series”, which means that there are actual
hands on excersises to go along with these shows.

I feel that its time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself the saying goes.

I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

http://hackme.ntobjectives.com/ - The new site setup for you to practice web app hacking.
Includes detailed notes and samples that can be used to practice with.
Web App Hacking Toolkit - Collection of tools and links helpful for web security.
Jonathan Coulton’s Things a Week - Where the Code Monkey song came from.

(more…)

Privilage Escalation Attacks

dan — Fri, 14 Apr 2006 17:10:39 +0000

In this podcast I discuss a type of attack that allows users to basicly do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password it is often possible to do administrative functions by simply attempting them.

The problem is around validation against access controls at every point of execution. Too often the access controls are done to control the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. Thats bad design in the app, and it is VERY common.

Catching up and a preview of future shows

dan — Thu, 13 Apr 2006 17:11:47 +0000

In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.

Security Engagement Cast Part 2

dan — Sat, 11 Mar 2006 17:13:13 +0000

In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the boundaries, requirements and deliverables from the start.

Security Engagement Cast Part 1

dan — Thu, 09 Mar 2006 17:14:14 +0000

The first of two shows featuring my co-workers, Joe and Scott.
This show was recorded in the evening at our hotel room, so the sound quality is less than ideal. We are onsite in Texas doing a security engagement for a client, and get tired and wacky but wanted to share what goes into doing a security audit for a client.

What makes application security different than network security

dan — Fri, 03 Mar 2006 17:14:52 +0000

In this podcast I ramble on about what network security is, and then how web application security is an entirely different kind of beast.

Cross Site Scripting… Exposing your users to attack, hijacking and data theft

dan — Fri, 10 Feb 2006 17:59:37 +0000

With Cross Site Scripting (XSS) the focus changes away from server attacks to user attacks facilitated by the server. This podcast covers the issues involved and additional show notes will be coming shortly.

While your waiting, here is a great resource.

http://www.cgisecurity.com/articles/xss-faq.shtml

Security during the Software Development Life Cycle

dan — Tue, 10 Jan 2006 17:56:56 +0000

Software Development Life Cycle (SDLC) is a major buzz word in the industry right now, but what many are still ignoring is how well a security design/plan can be integrated. This podcast and slideshow hopes to explain how this gets done.

Intro to SQL Injection Attacks

dan — Fri, 09 Dec 2005 18:02:14 +0000

In this podcast we have our first guest lecturer by way of a previously recorded slideshow from Mike Shema. In the presentation he gives an overview of SQL Injection attacks and has a few examples. I think the the content is still valuable even without the slides, but for the full experience of the presentation you may want to see it for youselves.

Free whitepapers and presentations about web application security, by NT OBJECTives.

Whats the DBA got ta do with it?

dan — Mon, 14 Nov 2005 18:03:53 +0000

A discussion to show that a database administrator must not shirk his duties over to the web application developer, and the web application developer should not seize full control over the database as is normally the case. Database administrator have a key role to play when developing a secure and robust web application.

What is Web App Security?

dan — Wed, 08 Jun 2005 18:05:25 +0000

What is Web Application Security?

In this I attempt to give a very basic explaination of what web app sec is about and why its new and less familiair.

Web App Security 101 - Be paranoid, instead of being a victim

dan — Mon, 02 May 2005 18:09:08 +0000

Discussion about my involvement with podcastalley.com, using castblaster and my excitement with podcasting. Then I kick off a Web App Security 101