Slow Work Day
Yesterday was a really slow work day (don’t ask). Sufficient to say, I didn’t get any of the work I had planned done, due to other people. On the bright side, I was able to catch up on some stuff I wanted to check out as soon as I could find some spare time.
First, I finally came around to read Mark Dowd’s and Ben Hawkes’ Google
Salt NaCl summary of issues PDF from the security contest. If you haven’t heard of Google NaCl, it’s a research project to run native x86 code in web applications. Matasano has a nice and informative blog post explaining the security implications. The paper contains 10 security issues and is quite fun to read. Personally, I liked issue 3 very much, where they unmap parts of their own (already verified) text segment and map untrusted code intro it, bypassing the verifier.
I furthermore had the time to take a quick look at w3af, the Web Application Attack and Audit Framework. It’s basically like Metasploit for web apps and looks rather promising. I didn’t have the time to test it with e.g. WebGoat or their own Moth, but I’ll give it a shot in my next web application pentest. I’m always reluctant with automated tools though, I like to do things by hand to really see whats happening. In my opinion, its rather easy to fall into the “hey, tool X didn’t find anything, so let’s move on” trap. But it’s nice to have some automation to check you didn’t leave out something easy by accident, after you’ve done the manual work.
There were also some Youtube videos I watched. Not just any videos of course, but the SHA-3 song from the Eurocrypt 2009 rump session. Performed by Peter Schwabe (whom I know rather well) and Michael Naehrig. Go watch it, it’s hilarious. It even trumped the My little Pony: Live-Action Trailer for me ;).