Security Audit tool of the month: sqlmap

One of the most common and dangerous classes of web application vulnerability revolves around unsafe handling of SQL (Structured Query Language) in applications. SQL injection is a type of security exploit in which the attacker inserts SQL code into a web form input field to gain access to resources or make changes to data.

A successful SQL injection can allow an attacker not only to steal data from a database but also to modify or delete it. Certain database servers also expose stored and extended procedures (server-side functions). If an attacker can reach these procedures, it may be possible to compromise the entire system and, through it, access other systems on the network.

Testing for SQL injection vulnerabilities is often a tedious and labor-intensive process. Sqlmap is a powerful tool that aids in this testing. Currently at version 0.7 release candidate 1, sqlmap is a command-line automatic SQL injection tool written in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: retrieve remote DBMS databases, user names, tables and columns, enumerate the entire DBMS, read system files and much more, all by taking advantage of the web application programming flaws that lead to SQL injection vulnerabilities.

sqlmap implements multiple techniques to attempt to exploit a SQL injection vulnerability:

  • Inferential blind SQL injection, also known as boolean-based blind SQL injection
  • UNION query (inband) SQL injection, also known as full UNION query SQL injection
  • Batched (stacked) queries support, also known as multiple statements support

In addition to the common input sources, the tool can also test cookies. Since many applications store their session information in a cookie, cookies are a common injection point during SQL injection attempts, and one that penetration tests often overlook.

Sqlmap excels more at exploiting an identified SQL injection vulnerability than at finding one. Even with its high degree of automation, identifying vulnerabilities still takes some time and requires some knowledge of SQL injection techniques.

The latest version of sqlmap is available at SourceForge. For information on preventing SQL injection vulnerabilities, refer to this cheat sheet.
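To make the flaw concrete from the defender's side, here is an added example (not from the post and not sqlmap's own code): a user lookup that splices a form value, and then a cookie value, into the SQL text, beside the parameterized form that prevention guidance recommends. It runs offline against an in-memory SQLite database; the table layout, sample rows, token values and the allowlist of sortable columns are assumptions made for this example. It also shows the one case parameters do not cover, identifiers such as an ORDER BY column, which need an allowlist instead.

```python
"""Added example (not part of the original post or of sqlmap): a user lookup
that splices untrusted input into SQL text, beside the parameterized form.
Runs offline against an in-memory SQLite database with constructed rows."""
import sqlite3

# Constructed sample data; table layout and values are assumptions for this example.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]
SAMPLE_SESSIONS = [("tok-alice", 1), ("tok-bob", 2)]
ALLOWED_SORT_COLUMNS = {"name", "role"}


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE sessions (token TEXT, user_id INTEGER)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO sessions (token, user_id) VALUES (?, ?)", SAMPLE_SESSIONS)
    conn.commit()
    return conn


# --- Vulnerable pattern: the request value becomes part of the SQL statement ---
def find_user_vulnerable(conn, name: str) -> list:
    """Form field spliced into the query; a quote in the input changes the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def user_for_cookie_vulnerable(conn, token: str) -> list:
    """Same flaw with a cookie value: cookies are request input like any other."""
    sql = ("SELECT u.name FROM users u JOIN sessions s ON s.user_id = u.id "
           "WHERE s.token = '" + token + "'")
    return conn.execute(sql).fetchall()


# --- Hardened pattern: the value is bound as a parameter, never parsed as SQL ---
def find_user_safe(conn, name: str) -> list:
    """Bound parameter: the whole input is compared as data, quotes included."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def user_for_cookie_safe(conn, token: str) -> list:
    """Cookie value bound the same way as the form field."""
    return conn.execute(
        "SELECT u.name FROM users u JOIN sessions s ON s.user_id = u.id "
        "WHERE s.token = ?", (token,)).fetchall()


def is_allowed_sort_column(column: str) -> bool:
    """Identifiers (column names) cannot be bound as parameters; allowlist them."""
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted_safe(conn, column: str) -> list:
    """ORDER BY takes an identifier, so reject anything not on the allowlist."""
    if not is_allowed_sort_column(column):
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT name FROM users ORDER BY " + column).fetchall()


def demo(conn=None) -> dict:
    """Run both versions on a boolean-style input (an always-true OR clause)."""
    if conn is None:
        conn = make_db()
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_form": find_user_vulnerable(conn, tautology),
        "safe_form": find_user_safe(conn, tautology),
        "vulnerable_cookie": user_for_cookie_vulnerable(conn, tautology),
        "safe_cookie": user_for_cookie_safe(conn, tautology),
        "safe_legit": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} -> {rows}")
```

Run as a script, the vulnerable lookups return every user (and every session) for the tautology input, while the parameterized versions return nothing because the input is compared literally; the legitimate lookup for "bob" still works. The same binding discipline applies to any driver that supports placeholders; only identifiers and keywords need the allowlist approach.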

Wellstone Action: A Drupal Process Case Study

Wellstone Action! is a national center for training and leadership development for the progressive movement. Founded in January 2003, Wellstone Action trains, educates, mobilizes and organizes a large network of progressive individuals and organizations. The original Wellstone.org website was built using a proprietary CMS. As the site aged and communications needs evolved, staff increasingly had to work around that system and its constraints. Part of the motivation for a new website was therefore not only to present information clearly, but to do so in a way that was open to evolution and improvement over time, making Drupal an ideal fit for their needs. Wellstone Action's Drupal-powered website launched in the spring of 2008. With roughly a year of operating perspective, we can begin to assess the overall effectiveness of the project. Accordingly, this case study is intended to:
  1. Document the process used to manage this project and make decisions
  2. Discuss the overall success of the project (and thereby evaluate the process)
  3. Spark more conversation in the Drupal community about the best ways to produce the best possible results for all of our clients and their Drupal projects
Read more: original story at drupal.org

Jobberbase – the open source job board reviewed

This week we have been looking at the open source job board application jobberbase. Originally derived from the successful Romanian IT job board jobber.ro, the current version (1.6) of this package is very flexible and uses Smarty templates for customization. Head over to www.jobberbase.org for a standard jobberbase installation example.

Jobberbase’s main features are:

  • Allows job posts with a simple one time e-mail verification
  • Allows applying to jobs without requiring an account
  • Browse / Search based on type (Full-time / part-time), category (E.g: Programmer) and locations of jobs
  • RSS feeds of latest jobs
  • Counter indicating # of applicants for each posted job
  • Clean and crisp UI
  • Admin control panel for maintaining jobs & stats

Open Source alternatives for Business

One of the common questions that comes up during IT strategy discussions concerns the open source alternatives that businesses should keep an eye on, if not actively consider migrating to. This article examines some of the common open source alternatives that I have found most clients have been happy with in their production environments. It is not intended to be an exhaustive list, but rather a selection of top choices in selected categories that can get you started.
