Introduction

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).

Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iFrames, which are both harmless web technologies, and relies mostly on tricking users by means of social engineering. Additionally, the only server side technique against …

Here are the slides and links I am using for the “Database Security Using White-Hat Google Hacking” at the 2008 MySQL Users Conference and Expo.

pdf slides

Where to Start:
http://johnny.ihackstuff.com/ghdb.php

i-hacked.com/content/view/23/42

for the impatient

Google’s Terms of Service
Google Operators

More Googlehacks to run:
Page 35 of …

On Tuesday our CIO, Johann-Peter Hartmann, gave a Web-seminar about security issues in the Web 2.0 era. We had about 140 participants and some very good questions in the following Q&A Session. We would like to thank you for the response and also we´d like to thank Jürgen from MySQL, our webinar-host.

We uploaded our slides as promised. To download them, click here.

If you missed the Web-Seminar you get a chance to see the recording of it here.
But be aware: It´s in german!!!

For english readers/speakers: Johann held an english security talk some time ago. Find it here

We already heard that …

Hi Folks,

This is an announcement for a webinar in German. Therefore only written in German. If you are interested in the security topic be sure to see the english webinar, which is stored here.

Web-2.0-Anwendungen absichern

Die verbesserte Einsatztauglichkeit der Web-2.0-Anwendungen wird auf Kosten von neuen Sicherheitsproblemen erworben. Sowohl die mächtige Logik im JavaScript als auch der permanente Login auf vielen Sites bergen Risiken, die anders und gezielt beantwortet werden müssen. Dieses Webseminar gibt einen Überblick, bewertet die Probleme und stellt Lösungswege vor.

Wenn Sie Web 2.0- und AJAX-Anwendungen entwickeln, ist dieser Vortrag genau das Richtige für Sie! Hier erfahren …

Looking for code inclusions?
The versatile google cluster has a solution for this, like for many other tasks.
This search

lang:php \secho\([^)]*_REQUEST[^)]*\); lets You find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means, you can easily find places where such a variable is directly included in an SQL query, for instance with lang:php \smysql_query\([^)]*_REQUEST[^)]*\); .
This alone yields 50 results for each query, but it may be varied with printf() instead of echo() or just …