Many passwords on Linux are hashed using the crypt() function. Users are usually not aware of the difference between a crypt hash and an MD5 hash (both are loosely called "encryption"). Well, it can turn out to be important, especially when crypt() uses its default DES-based scheme.
The problem with crypt() and traditional DES is that it truncates the password to 8 characters. Users are usually unaware of this and assume that the entire password has been stored and hashed. Take the Apache tool htpasswd for example. By default it uses crypt() to hash passwords into a password file (it can also use its own MD5 routine). The following command creates a new user in a password file:
htpasswd password_file new_user
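An added example (not code from the original post) that audits an htpasswd file and flags entries still stored with the DES-based crypt() scheme described above, recognised by their bare 13-character shape. The sample file and its hash values are constructed placeholders of the right form, not real hashes; the `-B` (bcrypt) option it recommends is the one in Apache 2.4's htpasswd.

```python
"""Audit an Apache htpasswd file for weak hashing schemes (constructed example)."""
import re
from typing import List, Tuple

# Hash formats htpasswd can produce, recognised by prefix and shape.
# A traditional DES crypt() hash has no "$"-tag: 13 chars from [./0-9A-Za-z].
SCHEMES = [
    ("apr1-md5",  re.compile(r"^\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt",    re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
    ("sha1",      re.compile(r"^\{SHA\}[0-9A-Za-z+/]{27}=$")),
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]

# Constructed sample file; every hash is a placeholder in the right shape.
SAMPLE = """\
# ops team
alice:$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV
bob:ab0123456789.
carol:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUV012345678
dave:{SHA}ABCDEFGHIJKLMNOPQRSTUVWXYZa=
mallory:not-a-hash
"""


def classify_hash(hash_field: str) -> str:
    """Name the scheme a stored hash belongs to, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "unknown"


def audit_htpasswd(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, scheme, finding) for each non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((line, "malformed", "line %d: no ':' separator" % lineno))
            continue
        scheme = classify_hash(hash_field)
        if scheme == "des-crypt":
            note = "WEAK: DES crypt() uses only the first 8 password chars; rehash with 'htpasswd -B'"
        elif scheme in ("sha1", "unknown"):
            note = "WEAK: unsalted or unrecognised hash; rehash with 'htpasswd -B'"
        else:
            note = "ok"
        findings.append((user, scheme, note))
    return findings


if __name__ == "__main__":
    for user, scheme, note in audit_htpasswd(SAMPLE):
        print("%-8s %-10s %s" % (user, scheme, note))
```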
I came across an interesting application today. Google has released an application named Jarlsberg that is deliberately full of security holes. The intent is to teach developers how these holes work and put them in a position to combat the vulnerabilities.
You can visit the app to learn more. The security flaws to be found are classified under the following categories:
- Black box. You don't know the code.
- White box. Requires you to see the code to understand how to break it.
- Gray box. Some of the code is made visible.
I also came across an instructor's guide with problems to be solved in the application, graded by difficulty level.
What better way to learn an exploit than to perform it on a test system? Some of the exploits involve
I often see environments where web applications use log4j to log to files through various appenders. That is all well and good until I see that the logs are being written into the application server's own log. In JBoss, for example, this is server.log. So why is this a bad idea?
Why not to write into server.log:
- An application server's log is meant to be used by the app server, not by your application.
- This log is supposed to contain app-server-level information, such as loading WAR files or exceptions that were handed over to the container.
- Weeding through the logs of about 10 applications to find a particular debug or error line is going to be crazy.