• color
• date
• datetime
• datetime-local
• month
• week
• time
• email
• number
• range
• search
• tel
• url

The implementation of this new feature couldn’t be easier, simply specify the “type” attribute of your input field and let the browser handle the rest. For example, by specifying an input type of “email”, Chrome will validate the input to ensure it is a validly formed email address. In Safari on iOS devices, the virtual keyboard will automatically change to be more email address friendly (by adding the @ sign and .com buttons).

All of this functionality comes with no additional scripting by the developer. For convenience, this is exciting news. User input can now be validated client side to ensure users are actually putting an email in that field and not a phone number. For security though, there is absolutely no added benefit. Much as attackers have been substituting values for years, so they will continue. The new input types do not prevent an attacker from submitting values of their choosing via an intercepting proxy.

The old adage still holds true, “If the user can access it, they can abuse it.” Use these new input types for helping good users submit accurate data on the first attempt, but continue server side data validation and sanitization to prevent attackers from owning your application.

My goals in the next 14 days:

1. Two a day workouts – Cardio in the AM, weights in the PM
2. Read, learn, experiment with WebAppSec
3. Enjoy my new baby and wife

An old man, going a lone highway,
Came, at the evening, cold and gray,
To a chasm, vast, and deep, and wide,
Through which was flowing a sullen tide. 

The old man crossed in the twilight dim;
The sullen stream had no fear for him;
But he turned, when safe on the other side,
And built a bridge to span the tide. 

“Old man,” said a fellow pilgrim, near,
“You are wasting strength with building here;
Your journey will end with the ending day;
You never again will pass this way;
You’ve crossed the chasm, deep and wide-
Why build you this bridge at the evening tide?” 

The builder lifted his old gray head:
“Good friend, in the path I have come,” he said,
“There followeth after me today,
A youth, whose feet must pass this way. 

This chasm, that has been naught to me,
To that fair-haired youth may a pitfall be.
He, too, must cross in the twilight dim;
Good friend, I am building this bridge for him.” 

By Will Allen Dromgoole

Posted via email from brooksgarrett’s posterous

w3af_crash_course

Posted via email from brooksgarrett’s posterous

Posted via email from brooksgarrett’s posterous

A subsequent tcpdump revealed the OSX server was sending logs to port 51 instead of 514, even thought the syslog.conf file read as follows:

[...]
*.info @192.168.1.10:514
[EOF]

Omitting the port number lead to the logs not being forwarded at all.

The explanation was OSX apparently requires a blank line at the bottom of the syslog.conf file and this rule was the last line. Adding the port back in and a blank line at the end of the file resulted in normal behavior.

Posted via email from brooksgarrett’s posterous