Description:
The Google Group to accompany PythonSecurity.org
cryptography page
Hey all,
I'm wondering if anybody minds if I mess around with the
[link] page. I've already
added one thing, but it really just needs a complete overhaul, and I'm
not sure what the protocol is here.
Thanks for your (collective) time,
Geremy Condra
Extending Burp Suite in Python
Hi all!
Just to let you know in case this is of interest for some of you, I
wrote a Jython binding for the Burp Suite application. This enables
users to create Burp Suite extensions directly in the Python language.
Burp Suite ([link]) is an integrated framework
to assess the security of web applications....
Current Focus: Session Management
Let's shift our current focus towards session management [1], including the prevention of session hijacking [2] and session fixation [3]. Session identifiers are keys to the kingdom, and can allow an attacker to impersonate an authenticated user without even knowing their credentials. Consider this: If you aren't using SSL, a user's session identifier can be...
Intrusion Detection System (was Tools for security analysis)
Last year I wrote a somewhat limited IDS for ESAPI on Python [1]. The primary way it was used was through exceptions - when input failed validation an exception would be raised, which would register an event with the IDS.
- Events - These are things such as "Bad Password," "input did not pass validation," or "successful login". When events are registered they need...
Tools for security analysis
I've been thinking a lot about what tools would be useful to have when analyzing Python code for security vulnerabilities. At some point all computers are basic input/output systems, which is the premise for security tools which identify sources and sinks, and can trace the flow of data from one to the other. Part of the idea of taint mode in...
ESAPI Swingset, a playground for application security
I'd like to introduce the ESAPI Swingset [1], an application aiming to make security more transparent and exploratory. The application allows developers to learn more about security in a safe sandbox. To really understand what it's all about, take a look! There are pretty good demonstrations of cross...
Django Raw SQL Scanner, a PoC static analysis tool
Continuing the focus on Django security, I've hacked up a scanner for raw SQL queries that should aid in an application audit. Please see [1] for source code and sample output. This project started with Adam Baldwin's regex to find raw SQL queries:

    grep -R ".raw(" *
    grep -R ".execute(" *

However, the scanner [1] is a bit more powerful. It checks that string...
Current Focus: Django
Let's focus on analyzing and improving the security of the largest Python web framework: Django. [1] is the wiki page for Django. As you can see, we already have a bunch of information. In particular, I've taken a look at the authentication and password storing scheme. Still, there is much work to be done:...