
Website Security


ghost

Now in today's times website security is key to running a server. So. Teach me the ways "young grasshopper". I want to learn beyond the basics of finding site vulnerabilities and patching/securing them.


Uber0n
Member

chronicburst wrote: I want to learn beyond the basics of finding site vulnerabilities and patching/securing them.

That's good, but make sure you learn the basic techniques before you study the rare stuff, since you'll more likely be a victim of XSS, SQL injection or CSRF than an exploit that barely anyone knows ;)


AldarHawk
The Manager

chronicburst wrote: Teach me the ways "young grasshopper".

Are you asking for help or giving it? If you are asking, then you are the grasshopper, not the ones giving you the lessons.

Anyways, try out a few tutorial sites as well as the new security and programming forums, www.isecforce.com. There is not a load of content there, but we are averaging 10 users per day in growth, so it will pick up soon enough. And questions asked there would be different than ones asked here.

Anyways, if you have any questions, hit me up there or on any other contact method I have available on my profile :D


ghost

Thanks AldarHawk. As in young grasshopper I was just bored. But I have a server computer that I might as well run a site on or maybe even a challenge. So let's say it's going to be a challenge server for encouragement. Now I would need to secure it. Start with an audit or no?


AldarHawk
The Manager

Probe the machine from inside, then outside. Once your probing is complete, find out where the flaws lie and patch them. Try out iSecForce. It may be able to help you out with security issues :)


ghost

I know of:

LDAP injection
Xpath injection
Blind SQL
SQL injection
XSS
CSRF
DoS/DDoS
RFI/LFI
Javascript injection
Cookie poisoning
Social Engineering
Bypassing Certain .htaccess
SSI
MSSQL vulns
Using robots.txt
Poison Null Bytes
Changing Cookies for Authentication
Steganography
Multiple Attacks against IIS
IPP Printer overflow
Hidden Field Manipulation
Buffer Overflows
Phishing

Feel free to look them up, but those are the vulns that I know exist.


ghost

Falling, that's awesome. I would call that a great foundation. That's what I want to learn. The ins and outs of all of those. If I know how to patch problems… Would I understand how to exploit those issues?


ghost

Not sure. I don't know how to patch things or how to create anything special in any language. I try to stay strictly in exploiting things. However, I am now trying to learn PHP and C++ or maybe C; I haven't decided yet.

But if you have any questions on anything, I will gladly help you out. I know of a few papers on these subjects that I think could help you out.


Uber0n
Member

fallingmidget wrote: Not sure. I don't know how to patch things or how to create anything special in any language. I try to stay strictly in exploiting things.

You won't become a pro in exploiting if you don't know the languages you're trying to exploit :ninja:


ghost

Uber0n wrote: fallingmidget wrote: Not sure. I don't know how to patch things or how to create anything special in any language. I try to stay strictly in exploiting things. You won't become a pro in exploiting if you don't know the languages you're trying to exploit :ninja:

And if you saw the next line down, I am trying to start learning.


AldarHawk
The Manager

Also note most of those are web exploits. If you are looking to get truly great at security, you need to look into RIP and many other protocols, because just aiming at a web server will get you into a DMZ and nowhere most of the time in this day and age. If you want to learn how to TRULY secure a network, look into Cisco language and other major types of networking so you can truly learn and not land in the mud and only be able to fix a vulnerable Apache server ;)