[ale] Future Talk

Ronald Chmara ron at Opus1.COM
Sun Aug 17 00:47:13 EDT 2003


On Saturday, August 16, 2003, at 12:35  PM, Matty wrote:
> I mentioned this at the end of the meeting, but wanted
> to see if there was any interest in a talk on web
> vulnerabilities. The talk would cover (+/- the following):
>
> - Explanation of stack/heap/integer overflows
> - SQL injection

Always fun. +1 for folks who don't clean variables, or folks who 
actually need "--" and ";" (etc.) in their variables.

> - Abusing Session IDs and HTTP cookies

Maybe adding why code vendors' "sessions" themselves can be bad ideas, 
along with trusting any keyed data that has predictable key sequences, 
or other methods of variable handling where you are trusting external 
code to "make sure things are safe". :-)

> - Cross site scripting
> - Why user input checking is a must!!

For extra giggles, fight with perl's tainting and php's 
register_globals!

> - How search engines can be turned against you
>
> If there is interest in discussing one topic over another,
> I am all ears. If there is interest, I would like to give a 10-minute
> explanation of each, and provide ways to protect
> you and your company from these problems.

It might be worth adding something on "safe coding principles". 
Sometimes it seems like too many folks are putting plugs in a rupturing 
dam, rather than building a stronger dam in the first place. (Hence, 
PHP and register_globals... some programmers just weren't doing *any* 
sanity checking; it's not like good coding ever required 
register_globals=off.) Rather than learning to fix bad data, or 
eliminate bad data, some programmers are often still relying on 
libraries, functions, methods (etc.) to "do the fixing for them", 
without having any real understanding of what is, and isn't, happening.
//
$safevar = super_magical_fix_everything_with($badvar);
//
Just doesn't exist. :-)

-Bop
Ronald Chmara
Ronin Professional Consulting LLC
"To create a new standard it takes something that's not just a little 
bit different.  It takes something that's really new and really 
captures people's imagination. And the Macintosh, of all the machines 
I've ever seen, is the only one that meets that standard "  --Bill Gates

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
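The point raised above about folks who legitimately need "--" and ";" in their data, and about the non-existent super_magical_fix_everything_with(), in working code. This is an added example, not code from the thread or from any list member: it uses an in-memory SQLite table with constructed sample rows, and the function names (lookup_concat, lookup_scrubbed, lookup_param) are mine. It contrasts pasting input into SQL text, "cleaning" the input by stripping comment and statement separators, and binding the input as a parameter.

```python
"""Added example (not from the original thread): why scrubbing SQL
metacharacters out of input is the wrong fix, and what the right one is.

All data below is constructed for the demonstration.
"""
import sqlite3

# Constructed sample rows; note the legitimate "--" in the second name.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob -- ops", "user"),
    ("carol", "user"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL text."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_scrubbed(conn, name):
    """The 'magic cleaner' approach: strip -- and ; and hope.

    It mangles legitimate data (anyone whose name contains "--") and
    still lets through an injection that never used those characters.
    """
    cleaned = name.replace("--", "").replace(";", "")
    sql = "SELECT name, role FROM users WHERE name = '%s'" % cleaned
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Correct: bound parameter. The driver never lets data become code,
    so "--", ";" and quotes in the value are just characters."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# An injection payload that contains no "--" and no ";" at all.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run each lookup against a legitimate value and the payload.

    Returns a dict of row counts so the outcomes can be compared:
      concat   leaks every row for the payload;
      scrubbed leaks every row too, and loses the real "bob -- ops";
      param    returns exactly the matching row, and nothing for the payload.
    """
    conn = make_db()
    legit = "bob -- ops"
    return {
        "concat_legit": len(lookup_concat(conn, legit)),
        "concat_payload": len(lookup_concat(conn, PAYLOAD)),
        "scrubbed_legit": len(lookup_scrubbed(conn, legit)),
        "scrubbed_payload": len(lookup_scrubbed(conn, PAYLOAD)),
        "param_legit": len(lookup_param(conn, legit)),
        "param_payload": len(lookup_param(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print("%-17s %d row(s)" % (key, count))
```

The scrubbed version is the one to look at twice: it fails the honest user whose data contains "--", and it does nothing against a payload built only from quotes and OR. The parameterized version needs no list of "bad" characters because there is no point at which the value is parsed as SQL.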