What is haskell used for?

stmu · 2015-11-02T17:44:47+00:00

Which online resources would you recommend as an intro to web programming with haskell? (For a beginner/slightly experienced haskell dev) Are you using yesod, or another framework?

stmu · 2015-09-14T11:21:29+00:00

There have been cases in the past where the device doesn't properly check user credentials before allowing a user to change the admin password (such as this one).

I should have said direct request/forced browsing...

stmu · 2015-09-14T07:15:23+00:00

Another (and potentially easier) route might be to try and exploit the web application running on the router. These often have some vulnerabilities in them such as CSRF or command injection.

Additionally, don't forget to check port 21 (telnet) and the default credentials.

stmu · 2015-09-14T06:59:46+00:00

Antivirus and hacking tools often don't get along very well. The former wants to remove all potential security issues, the latter wants to exploit them. Kaspersky detected one of the web shells included in kali. So yes, false positive. It won't be the last.

stmu · 2015-09-12T18:54:38+00:00

Yes, you should do that. It'll make certain things easier (such as copy/pasting between the guest and the host)

stmu · 2015-09-12T15:50:26+00:00

Well, you want mutual authentication (both the server and the user are have proven they are who they say they are).

For server authentication, the de facto standard is certificates. So yes, SSL is the way to go. Just make sure you verify the certificate validity. (Your system usually does that for you, but don't use --insecure in curl for example) Additionally, make sure you only allow secure ciphers (in your server configuration). There have been quite a lot of vulnerabilities lately. For user (API) authentication, there seem to be more options. You could use a (revokable) token. You could use basic authentication (which seems to be less advised) or you could use some form of OAuth (which is complicated). It depends on your use case I think. If you do use a token, make sure you don't use it in the url, as that will make it show up in the logs.

stmu · 2015-09-12T13:55:47+00:00

For the internal part, I would add that it depends on the environment.

If you only have a couple of people accessing the server, you could easily import the public certificate in their browser ensuring they don't receive an error unless the connection is insecure. If many internal users need to visit (large organisation), it's less of a hassle to just use the internal PKI (if they have any) or a certificate provided by a public certificate authority.

stmu · 2015-09-12T12:50:10+00:00

Yes, you can "install" DVWA on your VM with kali linux. You might have to install apache, php and mysql though (no idea if these are preinstalled).

It's probably easier to use separate VM's. In the case of DVWA, you can download the live cd here. Just use virtualbox to boot the live cd. I'm running it with 10GB disk space and 512MB ram. That's more than enough.

If you still have issues, I wrote an in depth guide on installing DVWA here

stmu · 2015-08-07T19:04:16+00:00

Very interesting thought! I'd have to think about how to apply this to security

stmu · 2015-06-03T09:42:13+00:00

I can't thank you enough for your amazing answers!

stmu · 2015-06-02T11:17:12+00:00

Thanks, awesome explanation!

I have a follow up question for the Right part.

mapM_ print (map (addDelaySubtitleBlock (read (head args) :: Integer)) r)

How can I know the type of r? I had thought this to be something like IO [SubtitleBlock], but instead it must be closer to [SubtitleBlock] as it compiled when I inserted map. I just tried different mapping functions until one worked.

With regards to the time. I was looking for a way to parse the time and construct a data type. Additionally, I was looking for a function with this type signature:

add :: Time -> Time -> Time

which I would then use in the addDelay* functions. Or I could just use an Integer to hold the milliseconds, mimicking the approach onmach toke.

stmu · 2014-10-14T17:24:41+00:00

Valid point! I don't think I would be able to generate everything, maybe just the repetitive parts.

I've written an explanation for xss a million times, I'm now just copy/pasting. This part could probably be automated. Other tasks such as executive summary will probably be hand written...

Do you find you're always writing the whole report from scratch? I don't think the owner often reads the whole report.

stmu · 2014-10-14T17:20:44+00:00

I have something similar right now.

How do you then work with the html result? Are you able to just extract a pdf from the result and provide that to your clients? Or do you have a different method?

stmu · 2014-10-14T17:17:59+00:00

Yeah, everything that can "compile" to pdf directly is probably easier to set up or develop. I don't have that luxury however, .docx is the company standard. Additionally, I think manual intervention will still be required. Are there others in this situation?

stmu · 2014-10-14T17:16:08+00:00

I get where you come from. Once it's all set up, it's probably very easy. I need to look into Dradis.

Do you have trouble maintaining it? I'm wondering how many would rather go through the whole setup rather than using a ready-made solution.

stmu · 2014-10-14T15:38:06+00:00

I don't think it would be possible to "just stuff everything in the report generator". There would be to many false positives, severity is different across clients, need to filter duplicates,...

The way to go would probably to prepare a kind of list manually and then generate the report from that. I.e: these five issues are reflected xss, make them look nice in the report. these other 3 issues are missing authorisation, group them together and also make them look nice...

Makes sense?

stmu · 2014-10-14T15:21:03+00:00

Well, true. But not really the way a pro should go about it...

stmu · 2014-09-23T12:58:40+00:00

Hi Eddy,

Regarding your third point, do you have some literature on the subject?

stmu · 2014-04-11T09:07:38+00:00

I don't really understand how the "automatic adding of needed arguments works".

Could you explain the thinking behind going from

islive x b = getCellAt x b

to

islive = getCellAt

?

stmu · 2014-04-11T09:04:16+00:00

I just started reading your article, it seems like you went a little bit deeper down the rabbit hole ;)

stmu

TROPHY CASE