[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

3 Feb 2010

Time to prepare…

Reading Jeremiah Grossman's recent post on what's happening, and what's to come, reminds me of what network security used to be like: attacks on the infrastructure caused plenty of damage, and so the effort focused on defending against them.  This has led to the current (relatively more mature) state of the network and host security domain.

It's hard for people to care about anticipated dangers until they become real on a large scale, or happen to them; sad but true.

Nonetheless, it's high time industries, companies and individuals start to look seriously into attacks at the web application level, because that has been the attackers' path of least resistance for a long time already.

And time for the whitehats to really prepare the answers needed by the masses in time to come.

7 Oct 2009

Monitoring WordPress using syslog and OSSEC

This has got to be one of the more unconventional (yet interesting) ideas I've come across.

It involves the use of a plugin (currently maintained at OSSEC) to get WordPress to send syslog events for OSSEC to parse.  It is a good idea, since any web application you run should be monitored for anomalies, but WordPress doesn't seem to provide any kind of audit logging of its own.

Looking at its capabilities, the first use that comes to mind is monitoring sites that run WordPress with multiple user logons.  For those without sufficient access to the web server (you're on a shared webhost), you're probably better off using the tips given at wpbeginner.
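As an added example of the kind of check OSSEC would run over those forwarded events (this is not the plugin's or OSSEC's own code), here is a small Python detector that parses WordPress logon events from syslog lines and flags a burst of failed logons from one source address. The line format, hostnames, addresses and the `wordpress(site):` prefix are all constructed for the example; the real plugin's message wording may differ, so the regular expressions are the part you would adapt to what your installation actually emits.

```python
"""Parse WordPress logon events forwarded over syslog and flag logon bursts.

Added example, not the OSSEC WordPress plugin's own code. The log line
format below is an assumption constructed for this example; adapt the
regular expressions to the messages your plugin really sends.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: what a WordPress syslog plugin might emit on a web host.
SAMPLE_LOG = """\
Oct  7 10:00:01 web1 wordpress(blog.example): Failed password for user admin from 203.0.113.7
Oct  7 10:00:03 web1 wordpress(blog.example): Failed password for user admin from 203.0.113.7
Oct  7 10:00:04 web1 wordpress(blog.example): Failed password for user editor from 203.0.113.7
Oct  7 10:00:09 web1 wordpress(blog.example): Failed password for user admin from 203.0.113.7
Oct  7 10:00:11 web1 wordpress(blog.example): Failed password for user admin from 203.0.113.7
Oct  7 10:05:00 web1 wordpress(blog.example): Failed password for user alice from 198.51.100.2
Oct  7 10:05:30 web1 wordpress(blog.example): Authentication succeeded for user alice from 198.51.100.2
"""

# Syslog envelope: timestamp, host, then the application's own message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"wordpress\((?P<site>[^)]+)\): (?P<msg>.*)$"
)
# Assumed message shapes (constructed); the plugin's real wording may differ.
FAIL_RE = re.compile(r"Failed password for user (?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Authentication succeeded for user (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line, year=2009):
    """Return a dict for a WordPress logon event, or None for any other line.

    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    for kind, pattern in (("fail", FAIL_RE), ("success", OK_RE)):
        mm = pattern.search(m["msg"])
        if mm:
            return {"ts": ts, "host": m["host"], "site": m["site"],
                    "kind": kind, "user": mm["user"], "ip": mm["ip"]}
    return None  # some other WordPress message we are not interested in


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window rule: one source IP with >= threshold failed logons
    inside window_seconds yields one alert (ip, count, first_ts, last_ts)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "fail":
            fails[e["ip"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append((ip, end - start + 1, stamps[start], stamps[end]))
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for ip, count, first, last in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {count} failed logons between {first} and {last}")
```

The same logic expressed as an OSSEC rule would be a `frequency`/`timeframe` rule keyed on the decoded source address; the point of doing it in a few lines of Python first is to confirm that the lines the plugin produces actually decode the way you expect before trusting the alerting.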

I don't know yet, but perhaps I'll have a better idea of what it is good for after I try it out.

Do YOU use OSSEC to monitor your WordPress installations?  Any comments on it?

6 Oct 2009

13 Things a Web Application Attacker Won’t Tell You

Saw this post being referred to in Jeremiah Grossman's blog post; it's just too good/funny and true not to share, so here goes...

1. Just because you moved something from being a GET parameter to a POST parameter so I couldn’t see it in the URL bar doesn’t mean that I don’t know it is there. And it also doesn’t mean I can’t change it. (Download WebScarab if you disagree)

2. Just because you put something in a hidden FORM parameter doesn’t mean I can’t find it. Or change it. See #1.

3. Ditto for cookies. See #1.

4. Validating things on the client side with JavaScript doesn’t prevent me from submitting whatever the heck I want.

5. I love it when you say “That would never happen in production.”

6. I really love it when you say “An attacker would never do that.”

7. I really hate strong server side input validation.

8. That page with the detailed error message – my job would be way harder without it.

9. Most of those “Guaranteed Secure!” banners you put on your site only serve to tell me you don’t understand the first thing about security.

10. That web application scanner you ran – it didn’t find everything. Not even close.

11. That network scanner you ran – it didn’t even start testing the security of your application.

12. I understand AJAX (or fancy, new technology “XYZ”) better than you do.

13. The more clever you think you are – the better I feel.
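Items 1 to 4 and 7 above boil down to one rule: anything the browser sends (GET or POST parameter, hidden field, cookie, a value a JavaScript check "validated") is attacker-controlled, and only validation on the server counts. As an added illustration that is not part of the quoted post, here is a constructed checkout handler in Python shown in its "before" form, which trusts a hidden `price` field and a quantity the page's JavaScript supposedly range-checked, beside a hardened form that re-derives the price from a server-side catalogue and validates the quantity itself. The catalogue, SKUs and form fields are all made up for the example.

```python
"""Client-side controls are not security controls: the server must
re-derive and validate. Added example, not code from the quoted post.
The catalogue, field names and values are constructed for illustration."""
from decimal import Decimal, InvalidOperation

# Server-side source of truth for prices (constructed).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}

# `form` stands for whatever reached the server: GET or POST parameters,
# hidden inputs and cookie values are all equally under the sender's control.


def vulnerable_checkout(form):
    """'Before': honours the hidden 'price' field the page emitted and a
    quantity that only the page's JavaScript range-checked (1..10)."""
    price = Decimal(form["price"])      # hidden field, sender-controlled
    qty = int(form["quantity"])         # never re-checked on the server
    return price * qty


def hardened_checkout(form):
    """'After': the only client inputs honoured are the SKU and the quantity,
    both validated here; the price comes from the catalogue, never the request."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("quantity", ""))
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def safe_total(form):
    """Wrapper a request handler would call: returns the total or None when
    the submission is rejected, so a bad request never produces a charge."""
    try:
        return hardened_checkout(form)
    except (ValueError, InvalidOperation):
        return None


if __name__ == "__main__":
    honest = {"sku": "sku-100", "quantity": "2", "price": "49.99"}
    tampered = {"sku": "sku-100", "quantity": "-3", "price": "0.01"}
    for name, form in (("honest", honest), ("tampered", tampered)):
        print(name, "before:", vulnerable_checkout(form), "after:", safe_total(form))
```

The hardened version does not care which transport the values arrived by; it simply never lets a client-supplied value stand in for something the server already knows, and it repeats on the server every check the page's JavaScript performed for the user's convenience.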