Posts

Showing posts from March, 2009

Securing Web Services

Image
Using web services gives you flexibility of using interoperability between different applications no matter which language they are developed into or what platforms they use. That's why today more and more applications are based on web services.If you are developing a travel portal which helps users plan their trip, your portal should have an enquiry facility so that users can search for accommodation in different hotels,airlines,trains of their choice on a given date and finally plans for the trip.Now with traditional web application you can provide link to each and every hotels,airlines vendors and railways booking system.Which is a cumbersome process and sometimes interoperability is an issue. Again from business point of view you are not benefited because customer will be directed to the respective vendor's portal to do the transaction.Here web services come into rescue. With development of Web2.0, web applications have become more powerful and web services is one of them.…

Gmail provides Hijack detection tool

Image
It's not 'Eureka'! I admit... I know this is not any extraordinary feature and somebody might be familiar with it. But this post is for unfamiliar ones and I was amongst them until I searched this feature. I don't say this one is going to provide full proof security, but yes, to some extent you can make yourself sure that your account is not opened at any other machine except you, what activities have been performed and at what time, form which IP etc--every bit of information can make yourself more confident. The feature can be found below the user interaction area.

Format the drive of SQL Server ;)

I came across an interesting security issue . Not any thing special regarding the security issue but the way it was exploited was interesting. You can even fromat the hard disk of the server.
The steps were specific to that example and may not be the same in all instances. One will have to fuzz for every such attack.Steps in that example were:
1. Goto Forgot Password Feature.
2. Find a valid user id and enter a userid. A bit of guessing will work here.
3. The next screen should ask you for hint question to answer.
4. Enter SQL query to either get the password retrieved in this feature or enter incorrect SQL string to grab the server details.
5. In case the account used by application to connect to SQL server is admin account like 'sa', then MS SQL server has a feature to run kernel level commands via Extended Stored Proc.
6. Formulate a SQL query to run an extended stored procedure to run the command to format drive of SQL server.