The Danger Of Robots.txt
Sat, 08 Nov 08 14:50:39 -0700
Almost every source will tell you to use a robots.txt file, including the all-powerful Google.
The issue is a security one. Let's look at an example robots.txt file:
User-agent: *
Disallow: /rss
Disallow: /portal
Disallow: /search1
Disallow: /login
Disallow: /secret
See the problem here?
There are actually a few.
First of all, and most obviously, /secret is clearly a private directory.
It might be unprotected, and contain...
Hats off to IE8.0 (sort of)
Mon, 20 Oct 08 19:44:55 -0600
Hats off to Internet Explorer 8.0!
(sort of)
IE8.0 beta (Download Here) has taken a huge step forward in XSS protection by adding the XSS Filter. Essentially, it blocks active content defined in the URL from activating. This is far from complete protection, as a few things seem to be missing, but it's a huge step forward.
It seems to miss anything in the head section of the document. And I still need to do much furt...
The Hacker's Manifesto
Sat, 18 Oct 08 14:38:38 -0600
I like to mention this every once in a while; it kind of gives us a look behind the eyes of a hacker.
The Hacker Manifesto
by
+++The Mentor+++
Written January 8, 1986
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of th...
Advanced Directory Protection
Fri, 17 Oct 08 13:11:39 -0600
One of the first things a hacker will do when attacking a site is search for data. This includes mapping the site and looking for empty directories.
Generally, the standard procedure against this is to simply add an index.html file or set the server to forbid directory browsing.
The only problem with this is that it proves that a directory exists, and is not just a mod_rewrite trick to make the URL pretty.
This often leads to brute-forcing sensitive file names, often leading to data ...
New Fun Thing I found
Wed, 15 Oct 08 22:12:58 -0600
Link Spoofing! woo!
A harmless link to Yahoo... hover over it and the status bar reads "http://yahoo.com".
Yet it conceals a devilish secret: simply click the link, and you go to... Google.
Wait, what?
Anyone can make a hyperlink that reads one address as the anchor text and has a different href, but this can spoof the status bar, and even the careless code reader.
To fend off a more careful code-reader, I can do something like a remote function...
There, looking a...