Archive for July, 2008

Validate Strong Password

Posted by admin on July 25, 2008  |  No Comments

If you have ever had to code a user authentication system, you probably know how much fun it can be to write your own strong password validation. Luckily, Charles Forsyth has developed a regular expression (and published it at the Regular Expression Library) that will validate a strong password.

Regular Expression Library

The regular expression works for passwords that:

  • are at least 15 characters long
  • contain at least one (1) numerical digit
  • contain at least one lowercase character
  • contain at least one special character (such as !, @, #, %, etc.)

Strong passwords to be validated may not contain any whitespace, and they cannot contain the strings pass, word or password.
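The post does not reproduce Forsyth's pattern, so the following is an added example (not his regex): the rule set above written as a Python lookahead regex, beside a rule-by-rule checker that reports which requirement failed. It assumes ASCII passwords and treats the banned-substring check as case-insensitive, neither of which the post states.

```python
import re

# Assumption: the banned-substring check is case-insensitive ("password" is covered by "pass").
BANNED = ("pass", "word", "password")

# The whole rule set as one regex, using lookaheads so order does not matter.
STRONG_PASSWORD_RE = re.compile(
    r"^(?!.*\s)"                 # no whitespace anywhere
    r"(?!.*(?i:pass|word))"      # none of the banned substrings (case-insensitive)
    r"(?=.*\d)"                  # at least one numerical digit
    r"(?=.*[a-z])"               # at least one lowercase character
    r"(?=.*[^A-Za-z0-9\s])"      # at least one special character
    r".{15,}$",                  # at least 15 characters long
    re.ASCII,                    # assumption: ASCII passwords only
)


def is_strong(password: str) -> bool:
    """Single yes/no answer, the way a validation regex is normally used."""
    return STRONG_PASSWORD_RE.fullmatch(password) is not None


def failed_rules(password: str) -> list:
    """Same rules checked one by one; returns the names of the rules broken.

    A login form can use this to tell the user why a password was rejected
    instead of only saying "invalid".
    """
    failures = []
    if len(password) < 15:
        failures.append("min_length_15")
    if not any(c.isdigit() for c in password):
        failures.append("needs_digit")
    if not any(c.islower() for c in password):
        failures.append("needs_lowercase")
    if not any(not (c.isalnum() or c.isspace()) for c in password):
        failures.append("needs_special")
    if any(c.isspace() for c in password):
        failures.append("no_whitespace")
    if any(word in password.lower() for word in BANNED):
        failures.append("banned_substring")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs, one per rule.
    for sample in ("Tr0ub4dor&3-horse-staple", "MyPassword2008!!", "correct horse 42!"):
        print(repr(sample), is_strong(sample), failed_rules(sample))
```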

Free T-shirt for Computer Geeks

Posted by admin on July 10, 2008  |  No Comments

As seen on TV. Extreme PC Garage is giving away free T-shirts. As long as supplies last. Hop on over to their web site and sign up. It’s relatively painless. Enter your name and address, then answer a few questions about the show.

Extreme PC Garage

You have seen the show, right? It’s a program made by gamers for gamers. The premise is to build the most “awesomest” gaming PC, using the hottest hardware, the latest accessories and gadgets and matching all of that to a lucky person’s unique gaming style. The show proclaims that their only rule is: There are no rules!

The end result? One lucky gamer (and it could be you) will witness the transformation of lackluster PC into a “killer one-off custom screamin’ hot gaming machine.”


Filed Under: Just For Fun

SQL Injection Detection Tool: Scrawlr

Posted by admin on July 9, 2008  |  No Comments

Proactive SQL Injection combatants can download Scrawlr (for free) from HP’s web site. With Scrawlr, short for SQL Injector and Crawler, you can crawl a web site, analyze the parameters of each web page and check for potential SQL injection.

According to HP’s Erik Peterson, “Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!”

Some of the things that Scrawlr can do include:

  • Identify verbose SQL injection vulnerabilities in URL parameters
  • Can be configured to use a proxy to access the web site
  • Identify the type of SQL Server in use
  • Extract table names (verbose only) to guarantee no false positives

As with most free things, there are some limitations as to what Scrawlr will and can do (obviously, HP would like to sell its professional-strength SQL Injection tools as well):

  • Scrawlr will only crawl up to 1,500 pages
  • Scrawlr will not support web sites that require user authentication (user name & password)
  • Scrawlr cannot retrieve database contents
  • Scrawlr does not test forms (POST parameters) for SQL Injection
  • Scrawlr parses neither Flash nor JavaScript

If you’re not put off by those limitations, give Scrawlr a try. Because Scrawlr is free, it is not a supported product. However, there’s a Scrawlr forum, and HP encourages us to go there to post questions about the product.

Just in case you were wondering (as I was), yes, HP offers professional SQL Injection and Web Security tools as well. If you’re interested, log on to their web site (or Google) and look for DevInspect, QAInspect or WebInspect. All those tools, according to HP, “find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code.”