Don't say we didn't warn you.
This 12-hour course is a brief and intense dive into web site and application security, including risk assessment and remediation techniques. Recommended for up-and-coming developers.
You should: Change the default user name directly in the database. Put files that contain login credentials outside your webroot. Don’t allow writable directories. (With details….) Don’t allow users to upload anything. Sorry. Avoid toxic data. Patch like mad. Use a security notification plugin like Sucuri (and actually pay attention). Change your username if the …
Continue reading “[ Security for Web Developers ] :: 16: Best Practices”
By the Book There are lots of methodologies, more or less formal, for testing your web app’s security. OWASP is, of course, a biggie. https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf And don’t forget tools for particular platforms, for instance WordPress. http://wpscan.org/ (this is great) Next: https://schoolforhackers.com/security-web-developers-best-practices/
Grand Master Ninja Hacking With Burp Suite It can seem wildly complex, but it’s actually pretty straightforward to use. There are a lot of tutorials for it, but one of my favorite presenters is Andi Fishta; his videos are very short and get right to the point. Assignment: Watch the above video. Notice it’s numbered …
Continue reading “[ Security for Web Developers ] :: 14: Burp Suite”
Hydra First, be clear that there is more than one way to password-protect a website or a directory (folder) inside a website. One is to use a database management system to control what everybody sees. Another is to use simple htaccess files to require a password. Regardless, Hydra is an app to brute-force website logins, …
Continue reading “[ Security for Web Developers ] :: 13: Testing With Hydra”
XSS Me This is another Firefox plugin, but unlike Tamper Data, XSS Me lets you do cross-site scripting attack tests. Assignment: Install XSS Me and try out its basic functions. SQL Inject Me Like XSS Me, this tool comes from Security Compass. It’s a slick tool for finding fields and launching SQL injection attacks on …
Continue reading “[ Security for Web Developers ] :: 08: Other Plugins”
Using Mutillidae Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting it in a separate sub-folder. (How does mutillidae/ sound for a name?) Assignment: …
Continue reading “[ Security for Web Developers ] :: 12: Mutillidae”
Using Local Test Web Apps You should be testing your site. If you don’t – or even if you do – other people will. So get familiar with some of the tools of the trade. Use a local website development tool like XAMPP so you can host vulnerable websites on your security testing computer. Using …
Continue reading “[ Security for Web Developers ] :: 11: DVWA”