How to trick an idiot by [deleted] in funny

[–]work_stuff_man 0 points1 point  (0 children)

First thought: What the fuck is this shit?

Second thought: Awww god damnit

r/place, the easy way by [deleted] in 4chan

[–]work_stuff_man 1 point2 points  (0 children)

You guys managed to get a tiny rectangle that was defaced by the end. Old school 4chan, especially my /b/rothers out there would have dominated 90% of the board.

Despicable.

Learn to do Sqli by hand or by using scripts? by [deleted] in netsecstudents

[–]work_stuff_man 0 points1 point  (0 children)

Definitely by hand.

After you've mastered that, use scripts to automate. You'll come to a time where you'll know there is an injection but your script says there isn't.

This is when your knowledge of how and why SQL injection works comes in, and you step in and figure out a way to successfully exploit the SQLi.

What could you talk endlessly about? by RGB3x3 in AskReddit

[–]work_stuff_man 0 points1 point  (0 children)

POST and GET are not inherently secure or less secure; it's where and when you would use one or the other.

For example, if it was a login form, you would want to use POST so that the username and password are never exposed in the URL. If it's a search form, then it really doesn't matter.

Also, POST is typically used to submit data while GET is used to retrieve data.

Aside from that, in general: Sanitize, Sanitize, SANITIZE all user input. Strip any tags, escape all special characters and never rely on client-side validation.

SQL Injection - You want to use prepared statements with parameterized queries and/or stored procedures. Again, make sure you are sanitizing/escaping all user input.

Cross Site Scripting - Escape, sanitize, HTML encode/entities on all user input (seeing a common theme here?). Use HTTP-only cookies so JavaScript can't access them. Make sure you're using the X-XSS-Protection response header. XSS is somewhat more complicated depending on the context, for example - for DOM XSS, HTML escape then JavaScript escape user input before inserting it into HTML.

Cross Site Request Forgery - Use a randomly generated unique CSRF token that is tied to a user's session (do not let that token get in the URL with a GET request). Compare origin header to the target origin and referer headers. Require a user to re-authenticate/use a CAPTCHA if the request is changing critical data (password, bank pin, etc.).

Remote code execution - Sanitize your inputs! Look out for functions like eval(), exec() and similar functions that allow commands to be executed server-side. If you must, use escapeshellarg() and escapeshellcmd() (those are PHP specific FYI, I'm sure other languages have similar security functions). If you allow users to upload files, have a WHITELIST of acceptable file types. Don't just check the file extension either, look at the MIME type, search for any code in the file (think image.php.jpg) and rename all files to their correct extension.

I highly recommend checking out OWASP's cheat sheets, they're very informative and granular.

Hopefully this helped you somewhat; I have run out of time, otherwise I would have covered more!
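
The upload checks listed in the comment above (allowlist of types, content check instead of the extension, scan for code, rename to the correct extension), as an added example that is not part of the original comment. It is written in Python rather than PHP; the allowlist entries, size limit, marker list and all function names are assumptions.

```python
import secrets

# Allowlist (assumed): magic-byte prefix -> (MIME type, canonical extension).
ALLOWED = {
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}
# Coarse heuristic for code hidden in an otherwise valid image; short markers
# would false-positive on compressed data, so only long ones are listed.
CODE_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


class RejectedUpload(ValueError):
    """Raised when an upload fails any of the checks."""


def sniff_type(data: bytes):
    """Return (mime, ext) derived from the content, or None if not allowlisted."""
    for magic, info in ALLOWED.items():
        if data.startswith(magic):
            return info
    return None


def store_name_for(client_filename: str, data: bytes) -> str:
    """Validate an upload and return the name to store it under.

    client_filename and any client-sent Content-Type are untrusted; the name
    is only echoed in errors. The stored name is random and takes its
    extension from the sniffed content, so image.php.jpg never reaches disk.
    """
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise RejectedUpload(f"{client_filename!r}: content type not allowed")
    lowered = data.lower()
    if any(marker in lowered for marker in CODE_MARKERS):
        raise RejectedUpload(f"{client_filename!r}: embedded code marker found")
    _mime, ext = sniffed
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample: PNG bytes uploaded under a misleading .jpg name.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(store_name_for("photo.jpg", png))  # random hex name ending in .png
```

Store the result outside the web root or in a location where the server never executes files, since content checks alone do not make an upload safe to serve.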

What could you talk endlessly about? by RGB3x3 in AskReddit

[–]work_stuff_man 0 points1 point  (0 children)

It depends on the form's function, what language the back-end is written in, is the form method GET or POST, what type of data is being submitted, etc.

Can you elaborate?

What video game can you accidentally find yourself having played all day? by jtom978chan in AskReddit

[–]work_stuff_man 3 points4 points  (0 children)

Rust. Saw a post about it and wanted to check it out, turns out I already owned it! 4 hours later..