Is the links in the site. While the commonly used scripts make themselves portable to different locations by using relative links, those same relative links are an opening for security exploits via cross-site scripting and cross-site SQL injection.

A properly written script will have a site specific variable that is added to every relative link to reduce the possibility of that happening.

When writing a script from scratch, or picking a pre-existing script, look for how the script will avoid the issues of cross-site exploits.
Please remind your audience that this article's scope is limited to Windows Server networks. Unix/Linux users should ignore most of it as MS-specific.
It's OS agnostic.
While I agree with you that there is nothing to suggest that the tips apply to Windows-based web servers.....

As an 'IT Professional', making comments about the mental condition of others is totally unnecessary and unhelpful.

It would be more constructive to challenge the poster to defend his viewpoint or opinion.
How's that!
Please explain how it's limited to MS Windows. I wrote it as an OS agnostic article, and there is nothing about it that I recall that made it specific to MS Windows.
He either has his head shoved up a penguin's butt or is merely an MS basher. Either way, he's blind to the facts.
Here's a quote of the only part of the article that I could find that even *mentions* MS or Windows. This does not look like an endorsement to me.

"[C]ross-platform-compatible strong encryption such as SSH is usually preferable to platform-specific, weaker encryption tools such as Windows Remote Desktop."
maybe so
apotheon 18th Mar 2008
That seems like a bit of a stretch, but it's the best theory I've heard so far.
Or their managers' foreheads, whichever is appropriate.

Fine list you got there. I sincerely hope that building proper security in first, before the rest of site design, starts catching on. Hopefully, lists like yours will help good designers make sure they've covered all bases, and inspire others to start considering security as a "good idea".

Well written as always.
This was a surprisingly decent article. It hits the main points, supports them, doesn't wander into the weeds or veer into OS-specific nonsense. Good job.
I agree, great article. If only every IT architect & developer understood this and practiced in this fashion. Plus, good addition about cross site scripting. More, please.
Of course it's not OS specific. An apache exploit, or a weak password, or an unencrypted login knows no OS.

I second the request for more on cross site scripting. That's still mostly fog in my mind.
Ask and ye shall receive.
apotheon Updated - 6th Sep 2010
Here you go. I've written an article about cross-site scripting for you.
Thanks,

Many times when I read articles like this you find that the author is just restating the basics or the obvious. Saying things like, "Don't do admin work from Starbucks." and "Don't write your password on your whiteboard."

You didn't ignore these, but you went deeper.

I am looking at moving to TLS now. It looks like a great option for my product.

Thanks again.
One thing you won't catch me doing is making up a checklist entirely of superficial fluff like "Don't write your password on the whiteboard in the conference room!" (barring rare exceptions, like a joke).
and then it probably won't pick up obfuscated malware objects in just one scan either.

Hey all,

I just got a series of emails through a contact us form on the website (I use form2email for data handling) which all originated from the same IP address.
The form poster used the string -1' in all the fields available.
I've never seen this before - is that an attempt to exploit a loophole?

Any suggestions to prevent this from occurring in the future?

Thanks, s.
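An added example for the question above (not code from the article, from form2email, or from the poster): a lone apostrophe such as `-1'` is the classic first probe for SQL injection. If the form value is spliced into a query as text, the unbalanced quote breaks the statement and the resulting error tells the sender the field is injectable; the follow-up payload then changes what the query returns. Binding the value as a parameter makes the same input harmless. The in-memory `users` table, its rows and the submitted strings below are constructed for illustration; the `lookup_unsafe`, `lookup_safe` and `looks_like_sql_probe` names are this example's own.

```python
"""Why a stray apostrophe in a form field matters, and how to make it harmless.

Added example for this thread, not code from the article or from form2email.
The table, rows and submitted values are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table standing in for a site's users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)", [(1, "alice"), (2, "bob")]
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_input: str):
    """Vulnerable form: the submitted value is pasted into the SQL text.

    A lone apostrophe unbalances the quoting, so the statement fails to parse.
    Returns (rows, error_text); error_text is None when the query parsed.
    The error is exactly the signal a probe like -1' is fishing for.
    """
    sql = f"SELECT id, name FROM users WHERE name = '{user_input}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def lookup_safe(conn: sqlite3.Connection, user_input: str):
    """Hardened form: the value is bound as a parameter, never as SQL text.

    The database receives the query shape and the data separately, so quotes
    and SQL keywords in the input are just characters in a string.
    """
    rows = conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (user_input,)
    ).fetchall()
    return rows, None


def looks_like_sql_probe(value: str) -> bool:
    """Cheap triage heuristic for log review (an assumption of this example,
    not a rule from the article): flag fields carrying SQL quoting or comment
    characters so submissions like -1' can be reviewed or rate-limited."""
    markers = ("'", '"', "--", ";", "/*")
    return any(marker in value for marker in markers)


if __name__ == "__main__":
    db = make_db()
    # Step 1: the probe. Concatenation breaks; binding does not.
    print("unsafe -1'  :", lookup_unsafe(db, "-1'"))
    print("safe   -1'  :", lookup_safe(db, "-1'"))
    # Step 2: the follow-up payload once the probe has confirmed injection.
    payload = "' OR '1'='1"
    print("unsafe OR   :", lookup_unsafe(db, payload))  # every row leaks
    print("safe   OR   :", lookup_safe(db, payload))    # no row has that literal name
    print("probe flag  :", looks_like_sql_probe("-1'"), looks_like_sql_probe("hello"))
```

For a contact form that only emails the fields, the probe itself does no damage, but the same sender will try the same strings against every input on the site, including any that reach a database, so the answer is parameterised queries everywhere rather than filtering the one form.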
Excellent checklist.

I'd like to add another point : Periodically audit your website for flaws and vulnerabilities.

This is extremely important, because we constantly make changes in our code, configurations, new installations, plug-ins and so on. Every little change can make our website vulnerable to hackers, that's why it is important to constantly validate its security state.

for malware scanning : http://websitedefender.com
for security audit : http://itsecurityadvice.net

thanks,