Foundstone Hacme Books and .NET Security Toolkit

Subject: Foundstone Hacme Books and .NET Security Toolkit
Date: Tue, 8 Mar 2005 12:08:23 -0800
Just to let you know we have released some more free tools this morning.

Hacme Books is a full Java bookstore similar to Hacme Bank but this time
built like a real application. Full source code will be available (released
next week) and all code includes unit tests etc. It's not a vanilla JSP type
app that is so often used when demonstrating security. It follows MVC
with an Inversion of Control design pattern. You can get the solution guide
in PDF with screen shots here:

http://www.foundstone.com/resources/whitepapers/hacmebooks_userguide.pdf

We will be integrating this with the Hacme Bank V2 (using web services) at
some point soon. Hacme Books was written by Dave Raphael, this list's
moderator.

We also released part of the Foundstone S3i .NET Security Toolkit. The two
components this week are the Validator.NET and the Visio SecureUML template.


Validator.NET is a proof of concept tool to explore better ways to do
validation than the HTTP proxy approach (aka web app firewall) for apps
where you can't modify the code. It provides a GUI to point to an assembly
and uses the reflection API to determine the web controls and subsequent
forms. It then provides a GUI to build contextual validation rules that can
be saved as an XML rules file. We then provide an HTTP module to load the
rules into. It is a proof of concept and is not a production ready tool. It
doesn't look at cookies and other key things, for instance.

"The Foundstone Validator.NET tool is an important resource for malicious
input testing for ASP.NET Web applications," said Michael Howard, senior
security program manager at Microsoft Corp., and co-author of Writing Secure
Code.

http://www.foundstone.com/resources/termsofuse.htm?file=validator.zip

SecureUML is a Visio template to do SecureUML Role Based Access Control
Modeling. The whitepaper that comes with the tool has some examples.

http://www.foundstone.com/resources/termsofuse.htm?file=secureuml.zip

Next week we'll add to the toolkit the .NET Mon, which is to the .NET CLR what
filemon or regmon is to Windows. This tool is very powerful for code reviews,
watching the CLR to see how it really enforces the security restrictions.

We have a few more coming in the next few weeks, one to do cookie analysis
using 2nd order phase state analysis and a web services version of a fuzzer
like SPIKE.

Enjoy.
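
As an added illustration of the "XML rules file loaded by an HTTP module" design described for Validator.NET above (example code written for this page, not Foundstone's tool): an ASP.NET IHttpModule that reads an assumed rules layout and rejects form or query parameters that fail their allow-list pattern before any page code runs. The rules file path and the XML schema are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml;

// Assumed rules file layout (the real Validator.NET schema is not on the page):
// <rules><page path="/checkout.aspx"><param name="qty" pattern="\A\d{1,3}\z"/></page></rules>
// Patterns are anchored with \A and \z so a trailing newline cannot slip past "$".
public class RulesValidationModule : IHttpModule
{
    // request path -> (parameter name -> regex its value must match)
    private Dictionary<string, Dictionary<string, Regex>> rules;

    public void Init(HttpApplication app)
    {
        rules = LoadRules(app.Server.MapPath("~/App_Data/validation-rules.xml"));
        app.BeginRequest += OnBeginRequest;   // fires before any page code touches the input
    }

    public void Dispose() { }

    public static Dictionary<string, Dictionary<string, Regex>> LoadRules(string path)
    {
        var result = new Dictionary<string, Dictionary<string, Regex>>(StringComparer.OrdinalIgnoreCase);
        var doc = new XmlDocument();
        doc.Load(path);
        foreach (XmlElement page in doc.SelectNodes("/rules/page"))
        {
            var perParam = new Dictionary<string, Regex>(StringComparer.OrdinalIgnoreCase);
            foreach (XmlElement p in page.SelectNodes("param"))
                perParam[p.GetAttribute("name")] = new Regex(p.GetAttribute("pattern"));
            result[page.GetAttribute("path")] = perParam;
        }
        return result;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!rules.TryGetValue(ctx.Request.Path, out var perParam)) return;  // no rules for this page
        // Positive (allow-list) validation of form and query parameters only; cookies and
        // headers are not inspected, the same gap the announcement notes for the PoC.
        foreach (KeyValuePair<string, Regex> rule in perParam)
        {
            string value = ctx.Request.Form[rule.Key] ?? ctx.Request.QueryString[rule.Key];
            if (value != null && !rule.Value.IsMatch(value))
            {
                ctx.Response.StatusCode = 400;
                ctx.Response.End();   // short-circuits the pipeline; the page handler never runs
            }
        }
    }
}
```

The module is wired in without touching application code by registering it in web.config (the `<httpModules>` or `<modules>` section), which is what makes this approach usable on apps you cannot modify.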
