Monday, April 13, 2015

Is PHP vulnerable and under what conditions?


We are going to analyze a special method of attacking web servers, known as LFI with PHP Info vulnerability [1]. It was first published by Insomnia Sec in 2011. The method cleverly handles some PHP built-in features (such as upload and wildcards [2]) to accomplish a well-formed attack that ends up with arbitrary code execution (call it a remote shell) on the victim's server. It requires two specific flaws on the server: a phpinfo() function must be available along with an LFI vulnerability. By combining the above two, a high-risk attack can be implemented. The method has been tested successfully on Windows as well as Linux operating systems, on IIS and Apache web servers. The same method failed on the Nginx web server.
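As an added example (not part of the original post or of the Insomnia Sec paper it cites), the following Python script scans access-log lines for the two preconditions named above: requests probing for a phpinfo() page, and include-parameter values carrying path traversal or a stream-wrapper scheme, which are the usual signs of an LFI attempt. It then correlates the two per client address, since the attack only works where both flaws are reachable. The log lines, IP addresses and request targets are constructed for the example; the regular expressions and indicator names are my own assumptions, not a published rule set.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access log (combined-log style); every line is fabricated.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2015:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
203.0.113.5 - - [13/Apr/2015:10:01:09 +0000] "GET /phpinfo.php HTTP/1.1" 200 64231
203.0.113.5 - - [13/Apr/2015:10:01:15 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1873
203.0.113.5 - - [13/Apr/2015:10:01:21 +0000] "GET /index.php?page=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1873
203.0.113.5 - - [13/Apr/2015:10:01:30 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 912
198.51.100.7 - - [13/Apr/2015:10:02:00 +0000] "GET /about.php HTTP/1.1" 200 2300
"""

# Minimal parser for Apache/IIS-style access-log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators (assumed heuristics): "../" or "..\" segments, and URL-scheme prefixes
# such as php:// in a parameter value, plus any path mentioning phpinfo.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
PHPINFO_RE = re.compile(r'phpinfo', re.IGNORECASE)


def normalize(value: str) -> str:
    """Percent-decode twice so double-encoded payloads are inspected in clear."""
    return unquote(unquote(value))


def classify_request(target: str) -> list:
    """Return the indicator names that apply to one request target (path + query)."""
    findings = []
    parts = urlsplit(target)
    path = normalize(parts.path)
    params = [normalize(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]

    if PHPINFO_RE.search(path):
        findings.append("phpinfo-probe")
    if any(TRAVERSAL_RE.search(v) for v in [path] + params):
        findings.append("lfi-traversal")
    if any(SCHEME_RE.match(v) for v in params):
        findings.append("lfi-stream-wrapper")
    return findings


def scan_log(text: str) -> list:
    """Parse each log line and keep the ones that trip at least one indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        findings = classify_request(m.group("target"))
        if findings:
            alerts.append({"ip": m.group("ip"), "target": m.group("target"),
                           "findings": findings})
    return alerts


def hosts_with_both_preconditions(alerts: list) -> list:
    """Client addresses seen both probing phpinfo and sending LFI-style parameters."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["ip"], set()).update(a["findings"])
    lfi = {"lfi-traversal", "lfi-stream-wrapper"}
    return sorted(ip for ip, f in seen.items() if "phpinfo-probe" in f and f & lfi)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["target"], ",".join(h["findings"]))
    print("hosts meeting both preconditions:", hosts_with_both_preconditions(hits))
```

The per-host correlation is the useful part for triage: a single traversal attempt is noise on most public servers, but the same client first fetching a phpinfo page and then sending traversal or wrapper values into an include parameter is exactly the pattern this post describes, and the response to it is to remove the phpinfo page and validate the include parameter against an allow-list.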

Wednesday, February 25, 2015

How safe is our personal information?

What you will learn

  • How bad guys use information that already exists on the net to gain access to:
    • your email accounts,
    • your financial information such as credit cards, PayPal accounts, etc.,
    • your internet hosting accounts (if you have any),
    • your personal web sites,
    • your personal life in general!
  • How you can protect yourself from such bad situations by following some very simple but very efficient security rules.
The actual incident this article is based on was 100% real, but for privacy reasons all user names mentioned are not the real ones; they have been chosen randomly. For the same reason, all images have been obscured.


Sunday, December 28, 2014

Testing Web Server Performance

Web server performance is a serious matter and certainly not an easy one to test. We can safely say that it is one of the few things that make the difference when we are involved in a professional site project.

One of the main questions clients ask is how many simultaneous visitors the site can handle. Well, we all know that this is a very general question and can be affected by many factors. To state our client's question in a more technical way, let us say this:
We want to check our web server responsiveness when many simultaneous requests hit on it.
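As an added example (not code from the original post), here is a small Python load generator that does exactly that check: it fires a configurable number of requests at a URL with a configurable number of concurrent workers and reports throughput, error count and latency percentiles. To keep it self-contained it starts a throwaway local HTTP server whose handler sleeps for a constructed 10 ms before answering; the server, the delay and the request counts are assumptions for the demo, and against a real site you would pass your own URL to `load_test()`.

```python
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen


class SlowHandler(BaseHTTPRequestHandler):
    """Stand-in target (constructed): answers every GET after a fixed delay."""
    delay = 0.01  # seconds; simulates server-side work

    def do_GET(self):
        time.sleep(self.delay)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the console quiet during the run


def start_server():
    """Start the stand-in server on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SlowHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def timed_get(url: str, timeout: float = 5.0):
    """One GET; returns (status, seconds). Status 0 marks a failed or timed-out request."""
    start = time.perf_counter()
    try:
        with urlopen(url, timeout=timeout) as resp:
            status = resp.status
            resp.read()
    except Exception:
        status = 0
    return status, time.perf_counter() - start


def load_test(url: str, requests: int = 50, concurrency: int = 10) -> dict:
    """Send `requests` GETs with `concurrency` parallel workers and summarize the results."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        wall_start = time.perf_counter()
        results = list(pool.map(lambda _: timed_get(url), range(requests)))
        wall = time.perf_counter() - wall_start

    latencies = sorted(seconds for _, seconds in results)
    ok = sum(1 for status, _ in results if status == 200)

    def percentile(p: float) -> float:
        # nearest-rank percentile over the sorted latencies
        idx = min(len(latencies) - 1, int(round(p / 100 * (len(latencies) - 1))))
        return latencies[idx]

    return {
        "requests": requests,
        "concurrency": concurrency,
        "ok": ok,
        "failed": requests - ok,
        "wall_seconds": wall,
        "requests_per_second": requests / wall if wall > 0 else float("inf"),
        "mean_latency": statistics.mean(latencies),
        "p50_latency": percentile(50),
        "p95_latency": percentile(95),
        "max_latency": latencies[-1],
    }


def run_demo(requests: int = 50, concurrency: int = 10) -> dict:
    """Spin up the stand-in server, run one load test against it, and tear it down."""
    srv, url = start_server()
    try:
        return load_test(url, requests, concurrency)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for c in (1, 5, 20):
        r = run_demo(requests=40, concurrency=c)
        print(f"concurrency={c:2d} rps={r['requests_per_second']:6.1f} "
              f"p50={r['p50_latency'] * 1000:6.1f}ms p95={r['p95_latency'] * 1000:6.1f}ms "
              f"failed={r['failed']}")
```

Running the demo at increasing concurrency is the point of the exercise: throughput should rise until the server saturates, after which the p95 latency climbs and, eventually, the failure count becomes non-zero. That knee is the practical answer to "how many simultaneous visitors can the site handle", and the failed column is what you watch for when deciding whether a site degrades gracefully under load.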

Sunday, February 2, 2014

Implementing asynchronous callbacks in asp.Net 4

Internet application development can be seen as stateless client-server programming using a thin client. In case we don't like this approach, we have several methods to change it.
The cause of such adaptations most often stems from specific business needs and rules.

Sometimes software engineers want to make the client a bit thicker. They usually do this by adding code to the client side, i.e. JavaScript, VBScript, etc. Other times, they want to make the UI more... feasible. By 'feasible' I mean that it is not necessary to post back a whole page just for a very simple calculation. One solution to this issue is to put simple calculations on the client side (using JavaScript). But again, what if the operands are members of some more generic object that cannot be transferred to the client, such as a large database table? Is the post-back then the only solution? Well, no. The answer can be called AJAX or, in other (more MS-oriented) words, Asynchronous Callbacks.