ModSecurity: Open Source Web Application Firewall

Web Application Security Statistics

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative, industry-wide effort to pool together sanitized website vulnerability data and to gain a better understanding of the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent regardless of the methodology used to identify them. Industry statistics such as those compiled by the MITRE CVE project provide valuable insight into the types of vulnerabilities discovered in open source and commercial applications; this project tries to be the equivalent for custom web applications.

Ping Tutorial: 15 Effective Ping Command Examples

As you already know, the ping command is used to find out whether a peer host or gateway is reachable. If you are thinking that ping is such a simple command that you do not need 15 examples, you should read the rest of the article: the ping command provides a lot more options than you might already know. Ping Example 1.

How To Block Facebook's Face Recognition And Tighten Other Privacy Settings

Facebook seems to be forever pushing the boundaries of what "online privacy" means. Today we see the latest iteration of this: Face Recognition. By adjusting its interface, Facebook has now enabled "tag suggestions" for many more of its users around the world, which means your friends will get an alert if someone uploads a photo that Facebook thinks contains your image.

Web Application Firewall Evaluation Criteria

WAFEC 1.0 is available in several formats: PDF version, HTML version and text version. Please note that WAFEC, like all other WASC projects, is distributed under the Creative Commons license. Please respect this license. In particular, note that the license requires that if you use the information you attribute it to WASC and WAFEC.

m0n0wall

m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent. m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format. In m0n0wall 1.8.1, the base system has been switched to FreeBSD 8.4 for better support of recent hardware, and there have been significant improvements, new features and bug fixes in many areas.

RawCap sniffer for Windows released ~ THN : The Hacker News

We are today proud to announce the release of RawCap, which is a free raw sockets sniffer for Windows. Here are some highlights of why RawCap is a great tool to have in your toolset:

- Can sniff any interface that has got an IP address, including localhost/loopback
- RawCap.exe is just 17 kB
- No external libraries or DLLs needed
- No installation required, just download RawCap.exe and sniff
- Can sniff most interface types, including WiFi and PPP interfaces
- Minimal memory and CPU load
- Reliable and simple to use

Usage: RawCap takes two arguments; the first argument is the IP address or interface number to sniff from, the second is the path/file to write the captured packets to.

C:\Tools>RawCap.exe dumpfile.pcap

You can also start RawCap without any arguments, which will leave you with an interactive dialog where you can select the NIC and filename.

Web Application Firewalls: How to Evaluate, Purchase and Implement A Web application firewall (WAF) is designed to protect Web applications against common attacks such as cross-site scripting and SQL injection. Whereas network firewalls defend the perimeter of the network, WAFs sit between the Web client and Web server, analyzing application-layer traffic for violations in the programmed security policy, says Michael Cobb, founder of Cobweb Applications, a security consultancy. While some traditional firewalls provide a degree of application awareness, it's not with the granularity and specificity that WAFs provide, says Diana Kelley, founder of consultancy Security Curve. For instance, the WAF can detect whether an application is not behaving the way it was designed to, and it enables you to write specific rules to prevent that kind of attack from reoccurring. WAFs also differ from intrusion prevention systems. Main WAF Attributes

Certified Information Security Consultant (CISC) 6 Months, Training, Course, Certification - Institute of Information Security, Mumbai (India)

CISC is a 6-month training course in information security for amateurs and professionals that aims to make you an expert in the field of information security. The course is ideal for those wanting to differentiate themselves from candidates with an undergraduate degree only, as well as those already in industry wishing to advance their skills in this constantly evolving area. Many companies are actively recruiting security specialists, and this course will prepare graduates for senior technical and management positions in many industry sectors.

Network Monitoring Tools

Les Cottrell, SLAC. Last Update: December 14, 2015. This is a list of tools used for network (both LAN and WAN) monitoring and where to find out more about them. The audience is mainly network administrators.

Annotated.js

For large, complex JavaScript applications or libraries, Annotated.js provides a language extension for expressing the structure and validity of your code. By annotating your regular JavaScript code, the Annotated.js runtime provides additional language features like declarative namespaces, class and module macros, and runtime type testing. It runs directly in the browser, even from external sources: what you see in the IDE is what you get in your browser's debug session. Annotated.js is legal JavaScript and runs natively in the browser without eval, code rewriting or server-side compilation; it is also fully compatible with popular minifiers, parallel or AJAX-style script loaders, code optimizers, etc.

15 Penetration Testing Tools That Every Pen-Tester Can Use!

1) Metasploit
This penetration testing framework is very popular amongst hackers and penetration testers all over the world. It is based on the 'exploit' concept, which refers to code that can break past a system's security measures.

2) Wireshark

Zuckers! Facebook Has Secretly Been Giving User Info to Cops - Technology We've told you before that Facebook treats its users like products. That companies now exist to search for your Facebook account and tell your bosses your secrets. That people are quitting Facebook en masse. Now, there's yet another reason you might want to make the switch to Google+: Facebook has gotten into the habit of allowing police to scour users' profiles without their consent. According to a new report from Reuters and Westlaw, federal judges have granted at least 24 search warrants since 2008 allowing law enforcement officials to snoop around people's Facebook accounts. Some of the warrants sought things as innocuous as status updates, but others gave access to friend requests, photos, event calendars and personal messages.

Research Labs

Cost: Free
Source Code: GitHub
Version: (XMAS edition)
Requirements: .Net Framework
License: GPL
Release Date: 2008-12-14
Recent Changes:
- Fixed incorrect links spider bug
- Added time anomaly functionality in back-end scanner
- Added easy access (and icons) to findings in back-end scanner
- Fixed executable finding occasionally not showing bug

Wikto is Nikto for Windows, but with a couple of fancy extra features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real-time HTTP request/response monitoring.

Access Control and Access Control Operators - Squid User's Guide Access control lists (acls) are often the most difficult part of the configuration of a Squid cache: the layout and concept is not immediately obvious to most people. Hang on to your hat! Unless the Squid Configuration Basics chapter is still fresh in your mind, you may wish to skip back and review the access control section of that chapter before you continue. This chapter assumes that you understood the difference between an acl and an acl-operator. The primary use of the acl system is to implement simple access control: to stop other people using your cache infrastructure. (There are other uses of acls, described later in this chapter; in the meantime we are going to discuss only the access control function of acls.)