Groan Blog

What is an attack?

okio03 — Sat, 12 Jul 2008 04:21:29 +0000

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.

All attack articles should follow the Attack template.

Work to be done here includes

We’re in the process of creating, organizing, and completing the attack articles. If you’d like to help, find some stub articles in this category and fill in the details.

Creating articles for the following topics:

Unauthorized Access Attempts
File location guessing (see Guessed or visible temporary file)
URL Redirection
… make sure the attack is listed for each vulnerability

Note: many of the items marked vulnerabilities from CLASP and other places are really attacks. Some of the more obvious are:

What is a vulnerability?

okio03 — Sat, 12 Jul 2008 04:16:00 +0000

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term “vulnerability” is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.

Please do not post any actual vulnerabilities in products, services, or web applications. Those disclosure reports should be posted to bugtraq or full-disclosure mailing lists.

Examples of vulnerabilities

Lack of input validation on user input
Lack of sufficient logging mechanism
Fail-open error handling
Not closing the database connection properly

For a great overview, check out the OWASP Top Ten Project. You can read about the top vulnerabilities and download a paper that covers them in detail. Many organizations and agencies use the Top Ten as a way of creating awareness about application security.

Principles

okio03 — Sat, 12 Jul 2008 04:03:57 +0000

What’s an application security principle?

Application security principles are collections of desirable application properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles are language independent, architecturally neutral primitives that can be leveraged within most software development methodologies to design and construct applications.

Principles are important because they help us make security decisions in new situations with the same basic ideas. By considering each of these principles, we can derive security requirements, make architecture and implementation decisions, and identify possible weaknesses in systems.

The important thing to remember is that in order to be useful, principles must be evaluated, interpreted, and applied to address a specific problem. Although principles can serve as general guidelines, simply telling a software developer that their software must “fail securely” or that they should do “defense in depth” won’t mean that much.

Some proven application security principles

Apply defense in depth (complete mediation)
Use a positive security model (fail safe defaults)(minimize attack surface)
Fail securely
Run with least privilege
Avoid security by obscurity (open design)
Keep security simple (verifiable)(economy of mechanism)
Detect intrusions (compromise recording)
Don’t trust infrastructure
Don’t trust services
Establish secure defaults (psychological acceptability)

Network Hacking

okio03 — Sat, 12 Jul 2008 03:04:45 +0000

berisi segala sesuatu yang berhubungan dengan lan hacking

Wireless Hacking

okio03 — Sat, 12 Jul 2008 02:58:50 +0000

berisi segala sesuatu tentang cara hacking wireless

Harus tulis apa???

okio03 — Fri, 11 Jul 2008 09:00:14 +0000

Bingung mau tulis apa???

Tanya donk ke OmGo!!!

goan : OmGo aku harus tulis apa???

OmGo : Yaa… tulis aja apa yang ada dipikiranmu sekarang