“Understanding AD Access Control Entries” is a quick and simple article describing some of the madness of Active Directory access control entries (ACEs). It is particularly useful for those of us who have had to deal with Active Directory without much prior experience with MS Windows. I’m sure this will come in handy again in the future.
PHP: Preparing for Penetration Testing
Chris Cornutt wrote the “PREPARING FOR PENTESTING (@ LONGHORN PHP 2018)” blog post for his upcoming talk at the conference. I’d gladly attend the talk, but the time and place didn’t work out for me this time. Here are a few useful links from his blog post that might come in handy for anyone evaluating the security of their PHP application and preparing for penetration testing:
- OWASP Top 10 2017 – the ten most critical web application security risks
- PortSwigger Burp Suite (community edition)
- PHP Security Cheat Sheet
- Top 7 PHP Security Blunders
- The 2018 Guide to Building Secure PHP Software
The above are not a replacement for the talk, but if you are like me and can’t attend, these should at least get you started in the right direction.
Useful payloads for security testing of web applications
This article (in Russian) lists a number of useful payloads (and some tools that work with them) for security testing of web applications. Below is a list of handy GitHub repositories covering web server path testing, cross-site scripting, SQL injection, and several other common classes of vulnerabilities. These payloads are much richer than basic hand-made tests and can help improve the security of a web application a great deal:
- Unleashing an Ultimate XSS Polyglot
- fuzz.txt – potentially dangerous files
- Payloads All The Things – a list of useful payloads and bypasses for web application security
- SecLists – a collection of different lists useful during security testing
- IntruderPayloads – a collection of payloads, fuzz lists, and file uploads
- FuzzDB – a collection of fuzz lists and web application firewall evasion patterns
- payloads – a collection of payloads with links to a lot more lists and tools
Awesome list of Important Podcasts for software engineers
Awesome podcasts is a curated list of podcasts for software engineers. The list includes a whole lot of sections – one for each programming language out there, generic software engineering, tools, etc.
Also, have a look at this blog post I did a while back.
Let’s Encrypt now supports wildcard certificates
Here is some very exciting news from Let’s Encrypt:
We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates.
ACMEv2 is an updated version of our ACME protocol which has gone through the IETF standards process, taking into account feedback from industry experts and other organizations that might want to use the ACME protocol for certificate issuance and management some day.
Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Wildcard certificates can make certificate management easier in some cases, and we want to address those cases in order to help get the Web to 100% HTTPS. We still recommend non-wildcard certificates for most use cases.
Wildcard certificates are only available via ACMEv2. In order to use ACMEv2 for wildcard or non-wildcard certificates you’ll need a client that has been updated to support ACMEv2. It is our intent to transition all clients and subscribers to ACMEv2, though we have not set an end-of-life date for our ACMEv1 API yet.
Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.
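The DNS-01 challenge mentioned above works by publishing a digest, not the raw token, in a TXT record. The following is an added example (not code from the Let’s Encrypt announcement or from any ACME client) that derives the record per RFC 8555 section 8.4 and RFC 7638: the key authorization is the CA’s token joined with a dot to the account key’s JWK thumbprint, and the TXT value at `_acme-challenge.<domain>` is the base64url-encoded SHA-256 of that string. The sample JWK coordinates and token are constructed placeholders, not a real account key or a real challenge, and the in-memory `zone` dictionary stands in for a DNS lookup.

```python
"""DNS-01 challenge record derivation (RFC 8555 section 8.4, RFC 7638).

Given the challenge token issued by the CA and the ACME account key (as a
JWK), compute the TXT record the DNS operator must publish, then verify it
the way a validator would, against an in-memory zone.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 3)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialized as JSON with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    try:
        members = required[jwk["kty"]]
    except KeyError as exc:
        raise ValueError("unsupported or missing key type") from exc
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) for a DNS-01 challenge.

    For a wildcard identifier the leading "*." label is dropped: the CA
    validates control of the base domain, so "*.example.com" and
    "example.com" share the same _acme-challenge name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def validate_dns01(zone: dict[str, list[str]], identifier: str,
                   token: str, jwk: dict) -> bool:
    """Validator side: recompute the expected digest and require that it
    appears among the TXT records published under the challenge name.
    Stale records from earlier challenges may coexist; only presence of the
    expected value matters."""
    name, expected = dns01_record(identifier, token, jwk)
    return expected in zone.get(name, [])


# Constructed sample input (placeholders, not a real key or CA challenge):
# an EC P-256-shaped JWK with fixed-byte coordinates and a made-up token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes([1]) * 32),
              "y": b64url(bytes([2]) * 32)}
SAMPLE_TOKEN = "constructed-token-not-from-a-ca"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    # Zone-file line the DNS operator would publish for the wildcard order.
    print(f'{name}. 300 IN TXT "{value}"')
    zone = {name: [value]}
    print("validates:", validate_dns01(zone, "*.example.com",
                                       SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the published value is a hash of the token and the account thumbprint, anyone who can read the zone learns nothing usable for a different account; conversely, whoever can write `_acme-challenge` TXT records for a zone can obtain certificates for every name under it, which is why the announcement recommends wildcard certificates only where their management benefit justifies that exposure of the DNS update credentials.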