Security Requirements for Software Development

Posted on June 6, 2008 - Filed Under programming

For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO, which does not require escaping. If the language is J2EE, documentation of the J2EE Security Manager settings should be provided. Do not use GET requests (URLs) for …

The Telling of One Billion Ghost Stories (draft) - Part 29

Posted on June 6, 2008 - Filed Under programming

Few resources were being wasted on an escape tunnel that would rarely be used. The far end brought them to a set of double doors, these ones opening with no more than a simple latch. Once inside, further high security had been made …

DoS attacks using wildcards

Posted on June 5, 2008 - Filed Under filtering input

Say your web application processes all this data and shows it back to the user, and your code doesn’t check the number of records that have been asked for; then your application is also affected. An application-level DoS. …

Let’s examine security.

Posted on May 28, 2008 - Filed Under security

Encode all posts or user-input data. You’ll have to sanitize user input by denying users the ability to put HTML tags & Javascript on pages; this is called escaping. Javascript escape(); Parse all HTML data so as to make sure code …

EuroCUP 2008 presentation

Posted on May 12, 2008 - Filed Under filtering input

Because it’s used for key input filtering. The Javascript handler can “return false” to tell the browser to ignore a given key. It’s also complicated because things like “control-v” for “paste”, and “home” for “go to start of the input” …

Common Security Flaws with PHP Sites

Posted on May 9, 2008 - Filed Under programming

However, many programmers cut corners when it comes to the security of a web site. In this article, I’ll go over some of the security blunders that are commonplace with PHP programmers. Non-Validated User Input …

Wordpress Gallery - Nasty PHP Authentication Handling

Posted on May 9, 2008 - Filed Under filtering input

Easy transparent PHP input filtering I have been working on a site that will have potentially quite a few random third parties accessing it and inserting data into a MySQL database. I am thus quite keen on a good solid input filtering …

Are firewalls dead in the Web 2.0/Web Service world?

Posted on May 7, 2008 - Filed Under filtering input

I will argue that this is a bad thing, and should be addressed by a proper review from your enterprise architecture group, involving your security folks, obviously. The perimeter, while it has become fuzzy in some places, needs to be …

Desirable Input Validation Baseline Check

Posted on April 15, 2008 - Filed Under filtering input

This demonstration shows you how you should implement baseline acceptable input filtering on visitors’ inputs. Filtering inputs is the most important because 100% of injection attacks (XSS, SQL, XPath, OS CMD, etc.) come from inputs …

Comment from Jonas Abrahamsson

Posted on April 1, 2008 - Filed Under filtering input

I’m currently reconsidering my input filtering policies and find your articles very helpful. I think Gordon’s comment above is very interesting because that is exactly my approach, to convert whatever data is received to the right type …
