Wednesday, November 3, 2010
For starters I'd recommend "OWASP Top 10 - 2010 Edition" and then go on reading the ones you find yourself interested in.
OWASP isn't the ultimate source of information, but it's a start. You can find guidelines etc. on their site; I suggest you check it out if you're interested in penetration testing.
Wednesday, October 27, 2010
The news has been full of articles about the Firesheep addon for Firefox. The addon lets you listen to network traffic on an open WLAN and also makes it easy to hijack any session that:
- works over an unsecured connection (no SSL/HTTPS)
- relies on a session cookie
The sites whose sessions you can hijack with the default settings include:
- Windows Live
Some of the sites log you in over a secure connection and, after the login procedure, move you to a non-secure channel to save bandwidth/processor time. So even though your credentials are secure, the session will still be hijackable. Possible workarounds are using a VPN (though the network traffic will still be unencrypted between your VPN endpoint and the service) or an addon that forces the browser to use only HTTPS connections to certain sites. An example of such an addon is Force-TLS.
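Added example (not from the original post) that simulates a browser's cookie jar: a session cookie issued over HTTPS but without the Secure attribute is attached to every plain-HTTP request once the site moves the user off HTTPS, which is exactly what a passive sniffer on an open WLAN picks up, while a cookie marked Secure never leaves the browser in the clear. The Set-Cookie headers and the example.test host are constructed.

```python
"""Simulate how a browser decides which stored cookies to attach to a request,
to show why "login over HTTPS, then browse over HTTP" still leaks the session
and how the Secure attribute on the session cookie prevents it."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into {name, value, secure, httponly}."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }

def cookies_sent(jar: list, url: str) -> list:
    """Names of stored cookies a browser attaches to a request for url.
    Cookies flagged Secure are only sent over https; all others are also sent
    over plain http, where anyone on the same open WLAN can read them."""
    scheme = urlparse(url).scheme
    return [c["name"] for c in jar if scheme == "https" or not c["secure"]]

def exposed_on_http(set_cookie_headers: list, http_url: str) -> list:
    """Cookies that travel in the clear when the logged-in user is moved to
    a non-secure page after authenticating over HTTPS."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    return cookies_sent(jar, http_url)

# Constructed login response: the site authenticates over HTTPS, then sends
# the user to http://example.test/home. The session cookie lacks Secure.
WEAK_LOGIN = [
    "sessionid=abc123; Path=/; HttpOnly",
    "prefs=lang%3Den; Path=/",
]
# Same site with the session cookie marked Secure: the browser will not
# attach it to any plain-http request, so the downgraded page cannot leak it.
FIXED_LOGIN = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "prefs=lang%3Den; Path=/",
]

if __name__ == "__main__":
    print("weak :", exposed_on_http(WEAK_LOGIN, "http://example.test/home"))
    print("fixed:", exposed_on_http(FIXED_LOGIN, "http://example.test/home"))
```

The same check is worth running against a real site's Set-Cookie headers after login: any session cookie that shows up in the "weak" list is the one a Force-TLS style addon is working around on the client side, and the Secure attribute is the server-side fix.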