
Misc/unsorted


Stupid htaccess Tricks | Perishable Press

Welcome to Perishable Press! This article, Stupid htaccess Tricks, covers just about every htaccess “trick” in the book, and is easily the site’s most popular offering. In addition to this htaccess article, you may also want to explore the rapidly expanding htaccess tag archive. Along with all things htaccess, Perishable Press also focuses on (X)HTML, CSS, PHP, JavaScript, security, and just about every other aspect of web design, blogging, and online success. If these topics are of interest to you, I encourage you to subscribe to Perishable Press for a periodic dose of online enlightenment ;)

General Information

.htaccess Definition
Apache server software provides distributed (i.e., directory-level) configuration via Hypertext Access files.

Commenting .htaccess Code
Comments are essential to maintaining control over any involved portion of code.

Important Notes for .htaccess Noobs
As a configuration file, .htaccess is very powerful.

Performance Issues

[S=x]
[E=variable:value]

What The Fuck Is My Information Security Strategy?

OWASP_DanielCutbert_Evolution_WebAppPenTest.mp4

DeepSec 2007 - Aaron Portnoy, Cody Pierce - RPC Auditing Tools and Techniques

Extern blog SensePost

The intertubes have been humming lately around a certain NTP feature to gather lists of NTP servers' clients, and it naturally grabbed our attention.

The humming was started by HD Moore, who recently revealed that it is possible to query NTP servers to get lists of addresses and use the information for fun and profit. He also mentioned that he will be releasing a paper describing all this and how he can create a sizable DDoS using NTP, without giving too much detail about it. Some quick research into NTP (from www.ntp.org) revealed that NTP servers allow you to perform a bunch of commands that are secondary to time keeping.

You can easily play with these using the ntpdc client program, e.g.:

listpeers - list the peers (NTP servers) for the time server
showpeer - give time keeping info about a specific peer time server
peers - list peers and some basic time keeping info
sysstats - info regarding the ntp daemon itself
many more...

Have data, what now?

Files: ntp_monlistza_time_servers

Zen One: PCI Compliance - Disable SSLv2 and Weak Ciphers

According to section 4.1 of the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” What does this mean? In order to validate your PCI DSS compliance in this area, you will need to ensure that the relevant server(s) within your PCI environment are configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" cryptography. You are also required to have quarterly PCI security vulnerability scans conducted against your externally facing PCI systems.

Without disabling SSLv2 and weak ciphers you are almost guaranteed to fail the scans. In turn, this will lead to falling out of compliance, along with the associated risks and consequences.

The SSLv2 Conundrum

Does your server support SSLv2? How to test:

# openssl s_client -ssl2 -connect SERVERNAME:443

Steve

HD Moore on Metasploit, Exploitation and the Art of Pen Testing | threatpost

Black-box-scanners-dimva2010.pdf (application/pdf Object)

Database_Pen_Testing_ISSA_March_25_V2.pdf (application/pdf Object)