Site Redesign
Posted on by Brooks Garrett - No Comments
The site is undergoing a redesign. Hang in there, we’ll be right back!
Posted on by Brooks Garrett - No Comments
One of the hyped features of HTML5 is the ability to specify the input “type” of an input on a form as one of several new options:
Implementing this feature could not be easier: specify the “type” attribute of your input field and let the browser handle the rest. For example, when an input’s type is “email”, Chrome validates the value to ensure it is a well-formed email address. In Safari on iOS devices, the virtual keyboard automatically changes to be friendlier to email addresses (by adding the @ sign and .com buttons).
All of this functionality comes with no additional scripting by the developer. For convenience, this is exciting news: user input can now be validated client-side to ensure users are actually putting an email address in that field and not a phone number. For security, though, there is absolutely no added benefit. Attackers have been substituting values for years, and they will continue to do so. The new input types do not prevent an attacker from submitting values of their choosing via an intercepting proxy.
The old adage still holds true: “If the user can access it, they can abuse it.” Use these new input types to help good users submit accurate data on the first attempt, but continue server-side data validation and sanitization to prevent attackers from owning your application.
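The server-side check recommended above, as an added example that is not part of the original post: a Node.js function that re-validates a field the form declares as type “email”, whatever the browser did or did not check. The field name `email`, the length limit, the pattern and the sample request bodies are assumptions constructed for illustration.

```javascript
// Added example: server-side re-validation of a field the form declares as
// <input type="email" name="email">. Field name and limits are assumptions.

const MAX_EMAIL_LENGTH = 254; // assumed upper bound for an accepted address

// Conservative shape check: one "@", no whitespace or control characters,
// and a dot-separated domain. Deliberately stricter than what browsers accept.
const EMAIL_SHAPE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validateEmailField(rawBody) {
  // Parse the urlencoded body exactly as received; nothing here depends on
  // the browser having run its own type="email" check first.
  const params = new URLSearchParams(rawBody);
  const values = params.getAll('email');

  if (values.length !== 1) {
    return { ok: false, reason: 'expected exactly one email field' };
  }
  const email = values[0];
  if (email.length === 0 || email.length > MAX_EMAIL_LENGTH) {
    return { ok: false, reason: 'length out of range' };
  }
  if (!EMAIL_SHAPE.test(email)) {
    return { ok: false, reason: 'not a well-formed address' };
  }
  return { ok: true, email };
}

// Escape a rejected value before echoing it back into an HTML error page.
function escapeHtml(text) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => entities[c]);
}

// Constructed sample bodies: the first is what a browser would let through;
// the rest are what any other HTTP client can send to the same endpoint.
const SAMPLE_BODIES = [
  'email=alice%40example.com',
  'email=555-0100',
  'email=%3Cb%3Enot-an-email%3C%2Fb%3E',
  'email=a%40example.com&email=b%40example.com',
];

for (const body of SAMPLE_BODIES) {
  console.log(body, '->', JSON.stringify(validateEmailField(body)));
}
```

Only the first sample body is accepted; the others reach the server unchanged by any browser-side check and are rejected there.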
Posted on by Brooks Garrett - No Comments
Today being the last day of my employment with Aflac IT, I’m looking forward to having the next 2 weeks off for myself.
My goals in the next 14 days:
Posted on by Brooks Garrett - No Comments
An old man, going a lone highway,
Came, at the evening, cold and gray,
To a chasm, vast, and deep, and wide,
Through which was flowing a sullen tide.
The old man crossed in the twilight dim;
The sullen stream had no fear for him;
But he turned, when safe on the other side,
And built a bridge to span the tide.
“Old man,” said a fellow pilgrim, near,
“You are wasting strength with building here;
Your journey will end with the ending day;
You never again will pass this way;
You’ve crossed the chasm, deep and wide-
Why build you this bridge at the evening tide?”
The builder lifted his old gray head:
“Good friend, in the path I have come,” he said,
“There followeth after me today,
A youth, whose feet must pass this way.
This chasm, that has been naught to me,
To that fair-haired youth may a pitfall be.
He, too, must cross in the twilight dim;
Good friend, I am building this bridge for him.”
By Will Allen Dromgoole
Posted on by Brooks Garrett - No Comments
I found an awesome presentation detailing some basic tips for w3af by one of the contributors. This was originally hosted at http://oxdef.info/talk/j4m2010-w3af.pdf and is hosted here only for my personal archive purposes. The document was created by Taras Ivashchenko.