Podcasts Postings
The Mighty Seek Podcast is all about web application security, as well as general web application development issues.
The primary focus is on security, and the show tries to explain things so that anyone can understand them, since security issues affect everyone across an organization.
Hopefully this show will be a resource for everyone involved in a software development project.
April 28th, 2006
The start of the “Hands on Series”, which means that there are actual
hands-on exercises to go along with these shows.

Standard Podcast [58:03m]

Code Monkey - Played during podcast [3:07m]
I feel that it's time to go beyond the concepts, the chatter about what bad guys can do,
and actually show you directly. Let you see for yourself, as the saying goes.
I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.
Posted in Hands On Series, Podcasts, Web App Sec | 2 Comments »
April 14th, 2006
In this podcast I discuss a type of attack that allows users to basically do things they are not supposed to do, without ever having to hack the admin type of accounts. So without having to figure out the admin password, it is often possible to perform administrative functions by simply attempting them.
The problem is around validation against access controls at every point of execution. Too often the access controls are done only to control the navigational structure, meaning that the menus do not have links to the admin functionality, but if you know what the URL is then you can just type it into your browser and get there. That's bad design in the app, and it is VERY common.

Standard Podcast [20:55m]
Posted in Podcasts, Web App Sec | No Comments »
April 13th, 2006
In this edition of the Mighty Seek podcast I give a rundown of podPress and list out some ideas for the future podcasts. The site now has a forum for the podcast and general web application security discussion.

Standard Podcast [39:40m]
Posted in Podcasts, Web App Sec | No Comments »
March 11th, 2006
In part 2 we discuss the planning and deliverables involved when doing a security engagement. Most of the discussion demonstrates the importance of understanding the boundaries, requirements and deliverables from the start.

Standard Podcast [59:26m]
Posted in Podcasts, Web App Sec | No Comments »
March 9th, 2006
The first of two shows featuring my co-workers, Joe and Scott.
This show was recorded in the evening at our hotel room, so the sound quality is less than ideal. We are onsite in Texas doing a security engagement for a client, and get tired and wacky but wanted to share what goes into doing a security audit for a client.

Standard Podcast [51:52m]
Posted in Podcasts, Web App Sec | No Comments »
March 3rd, 2006
In this podcast I ramble on about what network security is, and then how web application security is an entirely different kind of beast.

Standard Podcast [41:11m]
Posted in Podcasts, Web App Sec | No Comments »
February 10th, 2006
Posted in Podcasts, Web App Sec | No Comments »
January 10th, 2006
Software Development Life Cycle (SDLC) is a major buzzword in the industry right now, but what many are still ignoring is how well a security design/plan can be integrated. This podcast and slideshow hope to explain how this gets done.

Standard Podcast [36:31m]

Ebook:
Download
Posted in Podcasts, Web App Sec | No Comments »
December 9th, 2005
Posted in Podcasts, Web App Sec | No Comments »
November 14th, 2005
A discussion to show that a database administrator must not shirk his duties over to the web application developer, and the web application developer should not seize full control over the database as is normally the case. Database administrators have a key role to play when developing a secure and robust web application.

Standard Podcast [11:22m]
Posted in Podcasts, Web App Sec | No Comments »