April 2006 Archives


April 2, 2006

Oedipus gets arbitrary header and custom user agent support

We've just added support for supplying an arbitrary user-supplied header to Oedipus using the -d option. At some point we will probably expand this to allow a user to specify more than one.

At the same time I added support for custom User-Agents (through a -u option), so the user can easily select which browser Oedipus reports itself as to the web application. By default, Oedipus masquerades as Internet Explorer 6 on Windows XP, but this can be changed to IE 7, Firefox 1.0, Firefox 1.5, Mozilla, or a user-supplied custom user agent.

Presently, this is available in CVS only. Look for the release coming up soon!
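To show how a scanner can turn those two options into request headers, here is a small Ruby example. It is an added illustration written for this post, not code from Oedipus itself: the preset names, the hash of User-Agent strings and the function names are assumptions, and the CR/LF check on the -d value is there because a header value containing a line break would otherwise let one option inject further headers into every request the scanner sends.

```ruby
require 'net/http'
require 'uri'

# Assumed preset names and User-Agent strings for a -u option (illustrative
# values, not Oedipus's own table).
USER_AGENTS = {
  'ie6'       => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
  'ie7'       => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
  'firefox10' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7',
  'firefox15' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1',
  'mozilla'   => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915'
}.freeze
DEFAULT_AGENT = 'ie6'

# Parse a "-d Name: value" argument into [name, value].
# Rejecting CR/LF is the important part: a value such as "a\r\nX-Other: b"
# would otherwise become two headers on the wire.
def parse_header_option(arg)
  raise ArgumentError, 'header must not contain CR or LF' if arg =~ /[\r\n]/
  name, value = arg.split(':', 2)
  unless value && name =~ /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/
    raise ArgumentError, "malformed header: #{arg.inspect}"
  end
  [name, value.strip]
end

# Resolve the -u option: a known preset name, or a literal custom User-Agent.
def resolve_user_agent(opt)
  return USER_AGENTS[DEFAULT_AGENT] if opt.nil? || opt.empty?
  USER_AGENTS.fetch(opt.downcase) { opt }
end

# Build the header hash for one request from the two options.
def build_headers(user_agent_opt: nil, extra_header: nil)
  headers = { 'User-Agent' => resolve_user_agent(user_agent_opt) }
  if extra_header
    name, value = parse_header_option(extra_header)
    headers[name] = value
  end
  headers
end

# Apply the headers to a Net::HTTP request object (nothing is sent here).
def build_request(url, user_agent_opt: nil, extra_header: nil)
  Net::HTTP::Get.new(URI(url), build_headers(user_agent_opt: user_agent_opt,
                                             extra_header: extra_header))
end
```

A usage would be `build_request('http://example.invalid/', user_agent_opt: 'firefox15', extra_header: 'X-Forwarded-For: 10.0.0.5')`; the returned request carries both headers and can be handed to `Net::HTTP#request`.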

The quest for valid XHTML...

Recently I decided for some reason to run my site through the W3C Validator to check whether I was generating valid XHTML. If you've ever done this, you shouldn't be surprised to find out that my site was anything but compliant. Why is this important? Well, it's probably not going to break most modern browsers as they are quite tolerant of non-compliant code, but it's bad practice - if your markup is valid then it should be displayed correctly by any compliant browser or parser in use.

Some of the things that I wasn't doing correctly included:

  • Terminating break and image tags:
    • <br> - Incorrect
    • <br /> - Correct
  • Handling Movable Type's default "Convert Line Breaks" behaviour that sticks tags in lists where they aren't welcome
  • Including "alt" attributes in my IMG tags
  • Making all of my tags lower case. In XHTML, HREF and href are different - lower case is correct
  • Encoding all ampersands (&), including ones in URLs

And, my number one problem - nested (multi-level) lists:

<ul>
<li>This is incorrect</li>
<ul>
<li>This should be indented</li>
</ul>
</ul>

Which should actually be written like this:

<ul>
<li>This is correct
<ul>
<li>This will be indented</li>
</ul>
</li>
</ul>
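To make the checklist above concrete, here is a small Ruby checker that flags each of those mistakes: unterminated br and img tags, img tags with no alt, upper-case tag or attribute names, unencoded ampersands, and a ul or ol opened directly inside another list instead of inside an li. It is an added example, not code from this site or from any of the tools mentioned; it tokenizes tags with a regular expression rather than an XML parser precisely because the markup being checked is not yet well-formed XML, and the sample documents are constructed for the example.

```ruby
# One regex for tags, one for name="value" attributes (quoted or bare).
TAG_RE  = %r{<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*?)(/?)>}m
ATTR_RE = %r{([A-Za-z][-A-Za-z0-9:]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))}

# Elements that have no content and must be written as <x ... /> in XHTML.
VOID_TAGS = %w[br img hr input meta link].freeze
LIST_TAGS = %w[ul ol].freeze

# Returns an array of human-readable issues found in the markup.
def check_xhtml(html)
  issues = []
  stack  = []   # names of currently open elements

  # An ampersand must be an entity (&amp;, &#38;, ...) everywhere, including
  # inside href values such as "?a=1&amp;b=2".
  html.scan(/&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#x[0-9A-Fa-f]+;)/) { issues << "unencoded '&'" }

  html.to_enum(:scan, TAG_RE).map { Regexp.last_match }.each do |m|
    closing, name, attr_str, selfclose = m[1] == '/', m[2], m[3], m[4] == '/'
    lname = name.downcase
    attrs = attr_str.scan(ATTR_RE).map { |n, v1, v2, v3| [n, v1 || v2 || v3] }

    issues << "upper-case tag name in #{m[0]}" if name != lname
    attrs.each { |n, _| issues << "upper-case attribute name in #{m[0]}" if n != n.downcase }

    if closing
      # Pop back to the matching open tag.
      idx = stack.rindex(lname)
      if idx
        stack.slice!(idx..-1)
      else
        issues << "stray closing tag #{m[0]}"
      end
      next
    end

    if VOID_TAGS.include?(lname)
      issues << "unterminated #{m[0]} (write <#{lname} ... />)" unless selfclose
      if lname == 'img' && attrs.none? { |n, _| n.downcase == 'alt' }
        issues << "<img> without alt attribute: #{m[0]}"
      end
      next
    end

    # The nested-list mistake from the post: a list opened while the innermost
    # open element is itself a list, rather than an <li>.
    if LIST_TAGS.include?(lname) && LIST_TAGS.include?(stack.last)
      issues << "nested <#{lname}> must be inside an <li>, not directly inside <#{stack.last}>"
    end
    stack.push(lname) unless selfclose
  end

  stack.each { |t| issues << "unclosed <#{t}>" }
  issues
end

# Constructed samples: the two list fragments from the post, plus one that
# trips the other checks.
BAD_LIST  = "<ul>\n<li>This is incorrect</li>\n<ul>\n<li>This should be indented</li>\n</ul>\n</ul>\n"
GOOD_LIST = "<ul>\n<li>This is correct\n<ul>\n<li>This will be indented</li>\n</ul>\n</li>\n</ul>\n"
MIXED_SAMPLE = '<IMG SRC="logo.png"><br>Tom & Jerry<a HREF="?a=1&b=2">x</a>'

if __FILE__ == $0
  [BAD_LIST, GOOD_LIST, MIXED_SAMPLE].each do |doc|
    puts "--- #{doc.inspect}"
    check_xhtml(doc).each { |i| puts "  #{i}" }
  end
end
```

Running it reports the single nesting error for the first list, nothing for the corrected one, and eight problems for the mixed sample (two ampersands, four on the IMG tag, the bare br, and the upper-case HREF).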

I enlisted a few tools in my quest to get valid and stay valid. Foremost was the W3C Validator service, which I have integrated into my publishing routine using Brandon Fuller's excellent MT-W3CValidator plugin, and the handy XHTML reference material at W3Schools. I am proudly displaying my XHTML valid status on each page (as verified by the W3CValidator plugin), so feel free to click the icons to verify the validity of my XHTML, Atom, RSS 1.0, and/or RSS 2.0 feeds.

April 7, 2006

Beta release of the Oedipus Web Application Scanner is released...

The Oedipus Web Application Scanner project (that I have been writing plugins for) has just released its first public beta, version 1.8.1. Oedipus is a penetration-testing focused tool, designed for penetration testers and for technical security or web development folks to test their applications for web application security issues. It deviates from many of the commercial tools in that:

  • Oedipus does not claim to be a one-stop testing tool that will find every type of hole in your applications. It is, however, pretty good at finding the low-hanging fruit, so you can spend your time finding the really nasty problems manually
  • Oedipus has some exploitation functionality built in, especially for SQL injection at this point, for generating working exploits for web application vulnerabilities. After all, the best way to show the business impact of an issue is to show that it is exploitable
  • It's free, open source, and pretty easy to extend through the use of its plugin architecture

From the blurb - "Oedipus is an open source web application security analysis and testing suite written in Ruby by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities"

April 12, 2006

Oedipus download files temporarily removed

Downloads have been temporarily removed from the Oedipus site while we review a situation that has arisen.

From the Oedipus site:
"Fellow security professionals. It has recently been brought to our attention that there is a certain misunderstanding between an ex-employer and the Oedipus Project. Until the matter has been resolved, we have decided it best to take down the latest release of the Oedipus suite. We apologize to our users for any inconvenience and hope to have this misunderstanding resolved in the near future.
Kind regards,
Oedipus Team"

April 18, 2006

Oedipus development blog

Quick note, because some of you may be interested - 800m800m has started a development blog over on the Oedipus site. You can find it here. The first entry has some detail about the (hopefully) forthcoming Oedipus GUI, which is still under development (currently alpha status).

April 19, 2006

Movie-Plot Threat Contest on Bruce Schneier's blog...

Bruce Schneier has an interesting contest on his blog. The goal? Cause some terror with the most unlikely, though still plausible, terrorist-attack movie plot.

Some of the plots posted so far are weird and wonderful. Follow the link above to see more.

April 20, 2006

Data loss disclosure laws in the US

Bruce Schneier, well-known security guru, has posted an interesting summary of the expected federal law covering disclosure of data loss in the US. What Bruce doesn't mention is that a lot of the state laws that are in place include a notification exemption for cases where notifying customers that their data has been lost would be too costly for the company.

For example, if a company lost data relating to several hundred thousand customers, it is not too hard to imagine that the cost involved could be greater than $250,000 (which is the limit for the Ohio notification law). The company could then opt for a "conspicuous posting" on its website, or provide "notification to major media outlets", in lieu of informing each customer.

Not hard to imagine never hearing about your data being lost, is it?

About April 2006

This page contains all entries posted to justinclarke.com in April 2006. They are listed from oldest to newest.

This weblog is licensed under a Creative Commons License.
Powered by Movable Type 3.36.