Monday, April 28 2008
By Romain on Monday, April 28 2008, 09:03 UTC
I've just come across this interesting blog entry; some numbers on how people (large website companies) are actually using MySQL.
http://venublog.com/2008/04/16/notes-from-scaling-mysql-up-or-out/
Tuesday, April 8 2008
By Romain on Tuesday, April 8 2008, 21:45 UTC
Sometimes I really don't understand developers.
Why the heck could a table name such as a<script>foo(42)`cool ever be allowed? What's the point of that?
I know I am almost clueless with SQL but... what's the reason here? If someone has some idea, I would love to hear it!
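As an added example (not code from the post above, and not an answer from its author): the name is legal because MySQL's quoting rule lets a backtick-quoted identifier contain any character except NUL, with a literal backtick written as two backticks. The reason it matters for security is that table names get rendered by admin tools and log viewers, so a name containing `<script>` is stored XSS waiting for an unescaped listing. The identifier rules (no NUL, no trailing space, at most 64 characters) and the allowlist policy below are assumptions of this example; nothing here talks to a database.

```python
"""Added example, not code from the original post: why a MySQL table name such
as a<script>foo(42)`cool is legal, and what an application should do with
names that come from outside.

Assumed (not stated on the page): MySQL's quoted-identifier rules, i.e. any
character except NUL is allowed between backticks, a literal backtick is
written as two backticks, names cannot end with a space and are at most 64
characters long. Nothing here talks to a database; the functions only build
and check strings.
"""
import html
import re

# Conservative allowlist for identifiers an application accepts from a request.
SAFE_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

HOSTILE_NAME = "a<script>foo(42)`cool"   # the name from the post


def quote_identifier(name):
    """Backtick-quote a MySQL identifier. Raises ValueError for the few names
    MySQL itself refuses; everything else, including HOSTILE_NAME, is accepted,
    which is exactly the behaviour the post complains about."""
    if not name or len(name) > 64 or "\x00" in name or name.endswith(" "):
        raise ValueError("invalid MySQL identifier: %r" % (name,))
    return "`" + name.replace("`", "``") + "`"


def is_safe_identifier(name):
    """Allowlist check: the right place to reject a name like HOSTILE_NAME is
    the application, not the database, which will happily store it."""
    return SAFE_IDENTIFIER.match(name) is not None


def create_table_ddl(table, columns):
    """Build CREATE TABLE for a request-supplied table name and a list of
    (column, type) pairs. Quoting makes the statement syntactically safe; the
    allowlist makes the names sane. Types are assumed to come from code."""
    if not is_safe_identifier(table) or not all(is_safe_identifier(c) for c, _ in columns):
        raise ValueError("identifier rejected by allowlist")
    cols = ", ".join("%s %s" % (quote_identifier(c), t) for c, t in columns)
    return "CREATE TABLE %s (%s)" % (quote_identifier(table), cols)


def render_table_list(names):
    """Render table names the way an admin tool or log viewer lists them.
    Once a name like HOSTILE_NAME is in the catalogue, escaping on output is
    what keeps it from becoming stored XSS."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(n) for n in names) + "</ul>"


if __name__ == "__main__":
    print(quote_identifier(HOSTILE_NAME))          # legal for MySQL
    print(is_safe_identifier(HOSTILE_NAME))        # rejected by the application
    print(create_table_ddl("users", [("id", "INT"), ("name", "VARCHAR(64)")]))
    print(render_table_list([HOSTILE_NAME]))
```

The point of the two checks is that they protect different things: `quote_identifier` keeps the name from breaking the SQL statement, `is_safe_identifier` keeps names that nobody needs out of the catalogue, and `render_table_list` is the last line of defence for names that got in anyway.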
Saturday, January 5 2008
By Romain on Saturday, January 5 2008, 11:55 UTC
Tomorrow, I'm gonna fly to Hawaii, for the HICSS-41 conference on the Big Island. I will give a talk about something I did almost one year ago: building a test suite for web application scanners. This work was done at NIST for the Web Application Security Scanner project at SAMATE.
It's kinda old work, but still, it talks about levels of defense for modeling the different possible defense mechanisms that we can find in a web application. This allows testing the web app scanners with more realistic flaws and seeing how they behave with a few protections...
Anyway, I think I will have a good time there, and also good talks with fellow...
Tuesday, October 16 2007
By Romain on Tuesday, October 16 2007, 11:31 UTC
Since yesterday, I'm working on a data-flow problem. I need to model a function and I should do all the data-flow process. Well, that's kinda long if I have to do that for all functions, and especially since I will never use much of the information I would generate by analyzing the tree associated with the function (local variables etc.). So what's the point of doing that? None.
I was stuck at this point, didn't find a good way to model a function (entry parameters, global calls etc.), so I thought of reasoning like a crystal ball. I can see what it is, but it's kinda blurry :) I am now modeling a function as inputs and outputs, only in terms of functions and global variables interaction. By this, I should be able to see the possible interactions of the given function with the system. Hope it's gonna work well!
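The modeling idea in the post above, as an added example that is not the author's code: a function is summarised by its parameters and the module-level variables it reads (inputs) and by the module-level variables it writes and the functions it calls (outputs), with local data flow deliberately ignored. The post does not say which language or parser was used, so this works on Python source with the standard-library `ast` module; the program in `SAMPLE` is constructed for the example.

```python
"""Added example, not code from the original post: summarising a function by
its inputs and outputs in terms of the functions it calls and the module-level
variables it reads or writes, without modelling its local data flow.

Assumed: the post does not name a language or parser, so this works on Python
source with the standard-library ast module, and the program in SAMPLE is
constructed for the example.
"""
import ast

SAMPLE = '''
counter = 0
config = {"debug": False}

def sanitize(s):
    return s.strip()

def handle(request, db):
    global counter
    counter += 1
    user = sanitize(request["user"])
    if config["debug"]:
        log(user)
    return db.query(user)
'''


def module_variables(tree):
    """Names assigned at module scope; functions are tracked as calls instead."""
    names = set()
    for node in tree.body:
        if isinstance(node, ast.Assign):
            names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return names


def callee_name(node):
    """Dotted name of a call target, or "<dynamic>" for anything computed."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return callee_name(node.value) + "." + node.attr
    return "<dynamic>"


def summarize(func, globals_in_module):
    """Inputs: parameters and globals read. Outputs: globals written and
    functions called. Locals are ignored on purpose."""
    params = [a.arg for a in func.args.args]
    declared, assigned = set(), set()
    for node in ast.walk(func):
        if isinstance(node, ast.Global):
            declared.update(node.names)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            assigned.add(node.id)
    # A name assigned in the body without a `global` declaration is local,
    # even if a module-level variable of the same name exists (shadowing).
    local_names = (assigned | set(params)) - declared

    def is_global(name):
        return name in globals_in_module and name not in local_names

    reads, writes, calls = set(), set(), set()
    for node in ast.walk(func):
        if isinstance(node, ast.Call):
            calls.add(callee_name(node.func))
        elif isinstance(node, ast.AugAssign) and isinstance(node.target, ast.Name):
            if is_global(node.target.id):
                reads.add(node.target.id)   # `x += 1` reads x before writing it
        elif isinstance(node, ast.Name) and is_global(node.id):
            (writes if isinstance(node.ctx, ast.Store) else reads).add(node.id)
    return {
        "inputs": {"params": params, "globals_read": sorted(reads)},
        "outputs": {"globals_written": sorted(writes), "calls": sorted(calls)},
    }


def summarize_module(source):
    """Summary of every top-level function in a module's source."""
    tree = ast.parse(source)
    names = module_variables(tree)
    return {n.name: summarize(n, names)
            for n in tree.body if isinstance(n, ast.FunctionDef)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_module(SAMPLE), indent=2))
```

For `handle` the summary says: inputs are `request`, `db` and the globals `config` and `counter`; outputs are a write to `counter` and calls to `sanitize`, `log` and `db.query`. That is enough to see which functions can touch shared state or reach a sink, which is the "interaction with the system" the post is after, without ever tracking `user` through the body.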
Monday, June 25 2007
By Romain on Monday, June 25 2007, 15:05 UTC
Make sure that your test case is correct!!!!!
Damn I'm stupid, I was working on Grabber, on the session state management, and of course, I did a small test case with a couple of pages to be sure the spider can reach every page. But my test case was just stupid: calling my index twice kept my session alive, but the variables were set in a crazy order and had the same effect as destroying the session.
Anyway, now it works! At least in the next Grabber release:
I don't know yet when I'm gonna release the version, I need to make sure it works correctly and is stable, I also need to create something to generate nice reports (maybe simple XSLT sheets, developer/user side) and I want to work more on the hybrid mechanism using different tools (Fortify, Pixy, PHP-SAT, SWAAT...)
Wednesday, April 11 2007
By Romain on Wednesday, April 11 2007, 09:00 UTC
FROM THE DESK OF DR AZIZAN COKER BILL AND EXCHANGE MANAGER, BANK OF AFRICA, OUAGADOUGOU BUKINA-FASO.
PLANE CRASH WEB SITE...http://news.bbc.co.uk/1/hi/world/europe/859479.stm
("REMITTANCE OF $25.8 MILLION U.S.A DOLLARS (CONFIDENTIAL IS THE CASE")
Compliment Of The Day,
I am Dr Azizan Coker from burkina faso.I want to seek your assistance after my discovery during auditing in my bank as am the manager of Bill and Exchange at the Foriegn Remittance Department of BANK OF AFRICA,(B.O.A.) In my department we discovered an abandoned sum of USD$25.8million US dollars in an account that belongs to one of our foreign customers who died along with his entire family in plane Crashes 2000,
Since his death, we have been expecting his next of Kin to come over and claim his money because we can not release it unless somebody applies for it as next of Kin or relation to the deceased as indicated in our banking and financial policies but unfortunately all the efforts proved abortive.
IT is therefore upon this discovery that I decided as the head of my department to make this business proposal to you and release the money to you as the next of kin or relation to the deceased for safety and subsequent disbursement since nobody is coming for it and we don't want this money to go into the Bank treasury as unclaimed bills. Do not view this as been illegal but an opportunity for us to help enrich our hope in life instead of the bank converting this much money to the security funds.You should not nurse any atom of fear as all required arrangements have been made for the smooth transfer of this funds and your acceptance is what will crown this effort.
We will conclude this operation within 14 banking days based on the amount of coperation you will contribute.
Thank you for your understanding as i await your urgent response to enable me give you more details don't forget to give me those informations below to enable me know you very well before we can go ahead in this business,
Your International passport or ID card............ Your private telephone number........................ Your profession................................................ Your age........................................................... Your country....................................................
Your’s faithfully Dr Azizan Coker
POST SCRITUM:You have to keep everything secret as to enable the transfer to move very smoothly in to the account you will prove to the bank.
Wednesday, January 24 2007
By Romain on Wednesday, January 24 2007, 17:44 UTC
Today, I got a serious CSS bug with IE 6 (still don't know what's going on, maybe the HTML code is crappy...); anyway, just to say that I only have Internet Explorer 7 / Opera and Firefox and couldn't test/debug with Internet Explorer 6 (because there is no trouble with IE7).
I found this good stuff: Internet Explorer 6 Standalone version! Definitely useful...
That makes me think of a tool I can dream of... a kind of meta-browser that supports lots of old/current standalone engines. Imagine being able, with your Firefox interface, to load Internet Explorer 5 or 6, Opera 8, Netscape 4, Lynx... that would be awesome for web developers/designers...
There is a Firefox extension, IE Tab, which allows you to have the current IE engine in FF, but still, I need the old versions!
By Romain on Wednesday, January 24 2007, 08:12 UTC
Thursday, January 11 2007
By Romain on Thursday, January 11 2007, 11:44 UTC
Even if I'll be busy with papers and tests, I really would like to do different things:
Monday, December 18 2006
By Romain on Monday, December 18 2006, 07:58 UTC
For a study I'm looking for some "famous" open source web applications in PHP.
The first two I have selected are two CMSs:
I also need to select some well known applications, I can think of twatch, phpmyvisites etc., but I really have to make up my mind about any restrictions on the applications I need to "test".
Saturday, December 16 2006
By Romain on Saturday, December 16 2006, 23:48 UTC
By Romain on Saturday, December 16 2006, 22:58 UTC
This afternoon I went to Wikipedia and saw an SVG file. Then, I was thinking: SVG... XML... Some minutes later, after a quick look at the spec, and especially the "Scripting" part, I had an SVG file with an XSS attack inside. Then I started to look at websites and advanced webmails for inserting my file.
Damn, I came something like one year too late... Wikipedia still does not allow uploading SVG files, Gmail does not open them, Hotmail neither, and actually this thing is well known. Actually I've never seen any attack with SVG files inside.
Okay, before Firefox 2.0 (and the next browsers) there were only external plugins for reading these files; it may change now. I'll keep on trying to do some things with my file!
Okay, all this SVG stuff is not new, but I'm a noob in web security, at least it's new for me ;)
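The hooks the "Scripting" chapter gives an SVG file, as an added example that is not the post's own file or code: a `script` element, `on*` event attributes and `javascript:` links are what turn an uploaded image into a stored XSS payload, and an upload handler can at least find and strip them. The sample file `EVIL_SVG` is constructed for the example, and treating these hooks as hostile in user uploads is this example's policy, not something the post states.

```python
"""Added example, not code from the original post: listing and stripping the
script hooks an SVG file can carry, for an upload handler that wants to accept
SVG without accepting XSS.

Assumed: which hooks count as active comes from the SVG 1.1 scripting and
linking chapters (script elements, on* event attributes, javascript: URLs in
href), the sample file EVIL_SVG is constructed for the example, and treating
such hooks as hostile in uploads is this example's policy, not something the
post states.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

EVIL_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.cookie)">
  <script type="text/ecmascript">alert(1)</script>
  <circle cx="50" cy="50" r="40" fill="red"/>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
</svg>
"""


def local_name(qualified):
    """'{ns}tag' -> 'tag'; unqualified names are returned unchanged."""
    return qualified.rsplit("}", 1)[-1]


def is_active_attribute(name, value):
    """on* event handlers and javascript: links are the attribute-level hooks."""
    local = local_name(name)
    return local.startswith("on") or (
        local == "href" and value.strip().lower().startswith("javascript:")
    )


def find_active_content(svg_bytes):
    """Return (element, description) pairs for every script hook found."""
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        tag = local_name(elem.tag)
        if tag == "script":
            findings.append((tag, "script element"))
        for name, value in elem.attrib.items():
            if is_active_attribute(name, value):
                findings.append((tag, "attribute " + local_name(name)))
    return findings


def strip_active_content(svg_bytes):
    """Drop script elements and active attributes; return the serialised SVG.
    This is a denylist of known hooks, not a proof that the result is inert."""
    root = ET.fromstring(svg_bytes)
    # Collect first, then mutate: removing children while iterating is unsafe.
    doomed = [(parent, child) for parent in root.iter()
              for child in parent if local_name(child.tag) == "script"]
    for parent, child in doomed:
        parent.remove(child)
    for elem in root.iter():
        for name in [n for n, v in elem.attrib.items() if is_active_attribute(n, v)]:
            del elem.attrib[name]
    return ET.tostring(root, encoding="unicode").encode("utf-8")


if __name__ == "__main__":
    for finding in find_active_content(EVIL_SVG):
        print("found:", finding)
    print(strip_active_content(EVIL_SVG).decode())
```

The stripper is a denylist, so it only removes what it knows about; other ways to reach script (styles, animation elements that set attributes) are not covered. The robust mitigation is to never serve a user-supplied SVG as a document on the main origin at all: embedded through `<img>` the browser does not run its scripts, and serving it from a separate origin keeps any script it does run away from the application's cookies.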
By Romain on Saturday, December 16 2006, 10:32 UTC
Yesterday, I was testing some web app scanners with my Test Suite (this test suite aims to represent the typical current website: PHP, MySQL, CSS, JavaScript, AJAX) and what I really feared happened.
Most of them do not read the JavaScript and then... nothing.
I was only trying to catch the 14 possible SQL injections, which are all behind an AJAX login system. The basic tools (like Grabber for instance) don't have a login mechanism, but it's okay, the script names are in the JavaScript! A tool like Wapiti handles the cookies, but because it does not support the dynamic auth login, I cannot retrieve the cookies with its "getcookie.py" tool. I would have to create these cookies manually to bypass the login system...
Anyway... to make them feel better with the results I have to:
Another point about the first results I can see... a tool like Paros allows you to make lots of interesting actions because it's a proxy tool (you set it as a proxy in your browser, then it saves the actions you see; this is okay for the AJAX etc.). But when I looked at the results (for the SQL injection only) it seems that it simply tags each parameter with the SQL injection vulnerability (even if the parameter is only used by its presence in the URL), I was a little bit confused about this...
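What "the script names are in the JavaScript" means for a spider, as an added example that is not Grabber's, Wapiti's or Paros's code: a link-following crawler sees `href` and `action` attributes, while the scripts an AJAX login talks to live only in string literals inside `<script>` blocks. The page in `PAGE`, the base URL and every file name are constructed for the example; the tool-specific details of the post (the AJAX login, getcookie.py) are not modelled.

```python
"""Added example, not code from the original post: pulling the server-side
script names out of a page's JavaScript, which is what a spider that "does not
read the JavaScript" never sees. Everything in PAGE and BASE_URL is constructed
for the example; the file names are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

BASE_URL = "http://test.local/index.php"

PAGE = """<html><body>
<a href="about.php">About</a>
<form action="search.php" method="get"><input name="q"></form>
<script src="/js/ajax.js"></script>
<script>
function login(u, p) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "ajax/login.php", true);
  xhr.send("user=" + u + "&pass=" + p);
}
function loadProfile(id) {
  document.getElementById("p").innerHTML = get("profile.php?id=" + id);
}
</script>
</body></html>
"""

# Quoted string literals that name a PHP script, with an optional query part.
JS_ENDPOINT = re.compile(r"""["']([^"'\s<>]*\.php(?:\?[^"'\s]*)?)["']""")


class LinkAndScriptCollector(HTMLParser):
    """Collect what a plain spider follows (href/action) and the script bodies
    it usually ignores."""

    def __init__(self):
        super().__init__()
        self.static, self.scripts, self.external = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.static.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.static.append(attrs["action"])
        elif tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.external.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def extract_endpoints(page, base_url):
    """Return absolute URLs seen by a link-following spider ('static'), those
    only mentioned inside inline JavaScript ('javascript'), and external
    scripts that would have to be fetched and scanned the same way."""
    p = LinkAndScriptCollector()
    p.feed(page)
    static = {urljoin(base_url, u) for u in p.static}
    from_js = {urljoin(base_url, m.group(1))
               for body in p.scripts for m in JS_ENDPOINT.finditer(body)}
    return {
        "static": sorted(static),
        "javascript": sorted(from_js - static),
        "external_scripts": sorted(urljoin(base_url, s) for s in p.external),
    }


if __name__ == "__main__":
    for kind, urls in extract_endpoints(PAGE, BASE_URL).items():
        print(kind, urls)
```

On this page a link-only spider finds `about.php` and `search.php` and never sees `ajax/login.php` or `profile.php?id=`, which is where the injectable parameters would be. The regex is deliberately crude (it only catches literals that name a `.php` file), and external scripts such as `/js/ajax.js` still have to be fetched and run through the same extraction; the point is that even this much gets a scanner past "nothing".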