Web Input Filtering

Integrating Vulnerability Scanners and Web Application Firewalls

xadmin — Fri, 06 Jun 2008 14:54:12 +0000

As I mentioned in my previous post - What’s the Score of the Game - I feel that one of areas where organizations are failing, with regards to web application security, is that there is a lack of communication between the following three …

Security Requirements for Software Development

xadmin — Fri, 06 Jun 2008 12:56:00 +0000

For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping If language is J2EE, documentation of the J2EE Security Manager settings should be provided Do not use GET requests (URLs) for …

The Telling of One Billion Ghost Stories (draft) - Part 29

xadmin — Fri, 06 Jun 2008 02:50:22 +0000

Few resources were being wasted on an escape tunnel that would rarely be used. The far end brought them to a set of double doors, these ones opening with no more than a simple latch. Once inside, further high security had been made …

Top 10 Linux Commands Anyone Can Use

xadmin — Fri, 06 Jun 2008 01:24:07 +0000

This command receives input from STDIN (Standard Input) and allows you to page through the output. This is useful with the command mentioned above. What if you have too much data for your shellâ€™s output buffer? You canâ€™t scroll up. …

DoS attacks using wildcards

xadmin — Thu, 05 Jun 2008 20:05:11 +0000

Say, your web application processes all this data and shows it back to the user, and your code doesnâ€™t check number of records that has been asked for, then your application is also affected. An application level DoS. …

Re: Best practice for validation

xadmin — Thu, 05 Jun 2008 07:26:21 +0000

Zend_Form handles input filtering, so it can be dropped in as a > replacement for Zend_Filter_Input (another option you didn’t specify) as > an input filter for your model. Just because Zend_Form _can_ render …

PHP Security / SQL Security - Part 1

xadmin — Thu, 05 Jun 2008 07:23:00 +0000

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively …

PHP / SQL Security - Part 2

xadmin — Thu, 05 Jun 2008 07:22:00 +0000

In the previous article, I looked at processing and securing user input when it is to be redisplayed or executed as PHP code. Now its time to consider entering that data into a database, and cover the security issues which arise when …

RailsConf 2008 Recap

xadmin — Tue, 03 Jun 2008 21:41:45 +0000

Take advantage of the quote() function to sanitize user input (for SQL). Cross Site Scripting preventive measures: SafeERb, XSS Shield, Manual Escaping with h(). Tarantula plugin crawls everything and performs form fuzzing. …

[WEB SECURITY] question about anti-xss applicability of PHP's …

xadmin — Mon, 02 Jun 2008 22:37:00 +0000

Hi all,I’ve been trusting PHP’s htmlentities() to escape to HTML for a long time now on several customer site and I want to be sure that it’s secure. I am specifying UTF-8 as my charset in XHTML headers, so I don’t think alternative …