20071109

Teaching Without a Net

A post I still haven't put on here is an amazing offer and opportunity that I've gotten locally to help in a classroom, and a few more really good professional connections. Tonight was the first opportunity I've had meeting with the class to actually demonstrate anything.

For a group of students who are learning cyber-defense, they're learning attacking. While most application hacking you can only learn by doing, I was asked to at least demonstrate first. In my professional career, I've enumerated a lot of databases by injection attack, but oddly have never had an opportunity to use SQL injection to enumerate an entire MySQL server. I deliberately didn't try much attacking on the application before the class; I just verified that there were holes to work with - I think the thought process is every bit as important as the specific techniques.

I know, it was nothing shocking, but I thought it was a nice touch to try to do something in a classroom that I had never specifically done. I've enumerated DBs with injection attacks, but not MySQL.

And completely off-topic, kudos to pdp for the find on JAR URL attacks. Very slick stuff. Any site that receives uploads of anything in a ZIP format (meaning, almost any kind of archive, including OpenOffice document, JAR, ZIP, blah, blah) becomes a cross-site scripting host - and the script runs in the context of the server hosting the JAR.
