Log in

No account? Create an account
29 June 2005 @ 10:42 am
9 ways to hack a web application.  
I've been getting calls from 1-866-668-8047. No answer when I pick up, no voicemail when I don't. Marci, if you see this and we aren't able to talk on the phone, just reply to this post with a time we can meet. You mentioned wanting to go to Lush, so we can meet there unless you specify a different landmark.

95 percent of webapps have security flaws. Nmap, nikto: these tools are not new to me.

Defense-in-depth is strongly recommended. Have your web server physically separate from your app server, whixh is physicially separate from your database server. Limit the user accounts for your services. Hide secrets: don't place password or conf files in web-accessible folders. Use standard, vetted components and libraries. Log and watch logs.

Don't trust user input. Review your own code for logic holes.

OWASP top 10:
Unvalidated input. Client-side validation is useless against malicious users.

Broken access control. Use standardized access control (JAAS).

Broken account and session management. Do not use IP to authenticate. Use vetted SSO techniques. Do not use predictable user names.

Cross-site scripting. Can steal cookies if JavaScript injection is possible. Whitelist input validation.

Injection flaws. Dynamically concatenated SQL is problematic. Use prepared or called statements.

Improper error handling. "helpful" error messages can be helpful for malicious users. Log to back end, not to screen.

Insecure storage. Don't make your own crypto algorithm. Protect storage locations. Store only what you must, hash the value if you can.

DoS. Heavy object allocation. Overuse of logging. Unhandled exceptions. Unresolved dependencies. Counter with load testing and code review.

Insecure comfiguration management.

Brutus password guessing tool.
Tags: ,
Katrynaladykatryna on June 29th, 2005 06:51 pm (UTC)
Googled it for you and this is what I got
866-668-8047", "Dish Network - EchoStar Communications Corporation", "9601 South Meridian Blvd Englewood\, CO 80112 www.dishnetwork.com", "Television-Cable\, CATV & Satellite", ""

Telemarketers are getting on you cell.
Turning the Schmaltz up to 11: fwak-oompullthestars on June 29th, 2005 07:06 pm (UTC)
Re: Googled it for you and this is what I got
I was about to say, that sounds like the number that *I* keep getting calls from, that turned out to be Dish Network. Did you call them to check on prices for satellite TV?
Heiress of the Empiretechnocracygirl on June 29th, 2005 08:11 pm (UTC)
I was going to go ahead at meet you at your hotel at 6, but we can meet at Lush if you want. I can also give you a call when I get home.
(Anonymous) on October 7th, 2005 05:48 am (UTC)
I have been getting calls from that same number with the same thing happening. No answer and never a message. Do you know anything about it
(Anonymous) on October 7th, 2005 05:49 am (UTC)
I have been getting calls from that same number with the same thing happening. No answer and never a message. Do you know anything about it leave me a note at thunt@montana.edu if you knwo anything
(Anonymous) on October 14th, 2005 12:21 am (UTC)
Mysterious 866 telephone number
I can shed a little light on this number. Like everyone else it seems, this number would appear on my CID display, but it always seemed that the calls were missed, or, on occasion, would be answered and have no response. (I have a TeleZapper on this line, and between it and the Federal Do Not Call List, this cuts down on 95% of the annoyance calls, even from the allowable entities such as my credit card companies, charities, etc--I would highly recommend both, used together.) I even tried calling this number back at odd hours (like 3 AM), and every time it was answered with "May I have your home phone number, please?" at which point I hung up. Finally, today, I answered this call and after "hello?...hello!" and a pause, a male robotron came on the line and read his brief script at warp speed, which seemed to indicate that he was returning an inquiry call about DISH Network service. I then told him that we were already DISH Network subscribers at which time I could almost see the wheels in his head turning as he stammered, seemed to be lost and indicated obvious confusion. I repeated, "You mean Echostar/DISH Network? Yes, we are already customers!" He then stammered an "Okaythankyouverymuch" and hung up.

So, if you are receiving these calls, I would say it is probably because you either are or were a DISH Network subscriber, or perhaps have even been referred by a 'friend', even. Given the way this company does business, I wouldn't put it past them to cull phone numbers from some sweepstakes list or even credit reports--anything to get prospects. If any of you have further comments or questions, I'd love to hear them. Just Google-ing the number pulls up interesting responses from other confused consumers.