HTTP authentication, done badly
Web application authentication is the most consistently mis-implemented part of any web stack. A walk through the bad patterns I have seen this year, with the correct approach for each.
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged web security — 5 results.
Apache's module architecture is one of its strongest features. Each module is also an additional attack surface. A walk through which modules are usually loaded by default, what each one does, and which ones you almost certainly do not need.
A walk through the family of attacks that exploit the gap between a URL string and the file the web server actually opens. The bugs are old. The pattern is the same. The defence is the same. The frequency is unbroken.
What I changed on a Slackware box before I was happy to put it on the open internet with a real web server running. None of it is exotic. All of it matters.
Common Gateway Interface scripts are the easiest place in modern computing to introduce a remote-code-execution bug. Two examples from this week, with the actual mistakes called out.