Keith Fitzgerald on 26 Jun 2007 21:14:04 -0000



Re: [PhillyOnRails] ModSecurity / PHPIDS


Well, I guess I [poorly] wrote two statements in that email: one dealing with run-time security and one random thought about checking your application for holes pre-deployment.

Regarding pre-deployment security, I imagine it would be pretty easy to check for common cases that *could* lead to XSS exploits, i.e. many applications simply trust user input and do not validate it.

Or, for example, Rails by default allows GET as well as POST submissions. An easy test would be to check that GET requests are blocked in form actions. Unless this is no longer default behavior?

On 6/26/07, Darian Anthony Patrick <darian@criticode.com> wrote:

Keith Fitzgerald wrote:
> Just a thought: it'd be pretty cool to build in pen testing for RoR. If
> anyone is interested in collaborating on such a project, I'd be very
> interested.

Keith,

I'm curious what you mean by "build in" pen testing.  How so?

--
Darian Anthony Patrick, ZCE, GWAS
Principal, Application Development
Criticode LLC
(215) 240-6566 Office
(866) 789-2992 Facsimile
Web:   http://criticode.com
Email: darian@criticode.com
JID:   darian@jabber.criticode.net
_______________________________________________
To unsubscribe or change your settings, visit:
http://lists.phillyonrails.org/mailman/listinfo/talk
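The pre-deployment check Keith sketches (every state-changing action must refuse GET) can be driven against a Rack-style app without booting Rails. This is an added example written for this archive page, not code from the thread or from any Rails project; the app, the action list and the names `SAMPLE_APP`, `STATE_CHANGING` and `get_accepted_actions` are all constructed for illustration.

```ruby
# Constructed sample: the actions in this app that change state and should
# therefore only be reachable by POST (the Rails-era idiom was
# `verify :method => :post` in the controller).
STATE_CHANGING = %w[/posts/create /posts/1/destroy /comments/create]

# A toy Rack-style app: takes an env hash, returns [status, headers, body].
# It models a controller that enforces the method on two actions and forgot
# to do so on the third.
SAMPLE_APP = lambda do |env|
  method = env['REQUEST_METHOD']
  case env['PATH_INFO']
  when '/posts/create', '/comments/create'
    # Method is verified: GET gets a 405 and nothing is changed.
    method == 'POST' ? [201, {}, ['created']] : [405, {}, ['method not allowed']]
  when '/posts/1/destroy'
    # The defect under test: the record is destroyed on any method, GET included.
    [200, {}, ['destroyed']]
  else
    [404, {}, ['not found']]
  end
end

# Pre-deployment check: issue a bodyless GET to every state-changing action and
# return the ones the app accepts. A 2xx answer to GET means a plain link,
# image tag or browser prefetch could trigger the action, so each such path is
# a finding to fix before deploying.
def get_accepted_actions(app, actions)
  actions.select do |path|
    status, _headers, _body = app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path)
    (200..299).cover?(status)
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = get_accepted_actions(SAMPLE_APP, STATE_CHANGING)
  if findings.empty?
    puts 'OK: all state-changing actions reject GET'
  else
    puts "FAIL: GET accepted by #{findings.join(', ')}"
  end
end
```

Against a real app the same loop runs through `Rack::MockRequest` or `Net::HTTP`; a 302 to a login page also counts as "rejected" here, since only 2xx is treated as acceptance.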
