- My Personal Security Guiding Principles
- Popup & Focus URL Hijacking
- Exploiting Microsoft IIS with Metasploit
- Results of Investigation into Holiday IIS Claim
- Cryptographic Storage Cheat Sheet
- WAF vs IPS (or Four Things Your IPS Can’t Do)
- Generic cross-browser cross-domain theft
- Twitter bans obvious passwords
- Web Attacks and Defenses that Could Affect Users in 2010
- SQL Injection Resources
SQL Injection Resources
(from Robert Portvliet)
Here`s list of some (SQL Injection) resources I had put together, a good portion of it is probably covered in the Phoenix OWASP list, but here it is anyway:
Vulnerable WebApps:
GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
MOTH - http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Web App - http://www.dvwa.co.uk/
Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Hackme Shipping -
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Videos & webcasts:
OWASP Appsec NYC 2008 -
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Caught in the web series - http://www.coresecurity.com/content/ondemand-caught
Invasion of the browser snatchers series -
http://www.coresecurity.com/content/on-demand-snatchers
Advanced SQL injection -
http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection
Websec 101 - http://www.foundstone.com/us/websec101.asp
Hackme Bank & Hackme Travel videos-
http://www.foundstone.com/us/resources-videos.asp
Tools
Samurai Web Testing Framework (Live CD which contains most tools
needed to perform web assesment) - http://samurai.inguardians.com
Methodologies
OWASP Testing Guide -
http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Cheat Sheets
SQL Injection Cheat Sheet -
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet
SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/
SQL Injection Cheat Sheets sorted by DB -
http://pentestmonkey.net/index.php?option=com_content&task=category§ionid=9&id=24&Itemid=1
XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html
Web App Assesment Cheat Sheet -
http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
Books:
Web Application Hackers Handbook - http://portswigger.net/wahh/
Whitepapers & slides-
OWASP article on Web application penetration testing -
http://www.owasp.org/index.php/Web_Application_Penetration_Testing
Advanced SQL injection -
http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
Best of web application penetration testing tools -
http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf
(The next two papers are a little old, but still quite useful)
Advanced SQL Injection in SQL Server -
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
(More) Advanced SQL Injection in SQL server -
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf