Integrating Vulnerability Scanners and Web Application Firewalls

Posted on June 6, 2008 - Filed Under filtering input

As I mentioned in my previous post - What's the Score of the Game - I feel that one of the areas where organizations are failing, with regards to web application security, is that there is a lack of communication between the following three …

Security Requirements for Software Development

Posted on June 6, 2008 - Filed Under programming

For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO, which does not require escaping. If the language is J2EE, documentation of the J2EE Security Manager settings should be provided. Do not use GET requests (URLs) for …

The Telling of One Billion Ghost Stories (draft) - Part 29

Posted on June 6, 2008 - Filed Under programming

Few resources were being wasted on an escape tunnel that would rarely be used. The far end brought them to a set of double doors, these ones opening with no more than a simple latch. Once inside, further high security had been made …

DoS attacks using wildcards

Posted on June 5, 2008 - Filed Under filtering input

Say your web application processes all this data and shows it back to the user, and your code doesn't check the number of records that have been asked for; then your application is also affected. An application-level DoS. …

PHP Security / SQL Security - Part 1

Posted on June 5, 2008 - Filed Under programming

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively …

PHP / SQL Security - Part 2

Posted on June 5, 2008 - Filed Under security

In the previous article, I looked at processing and securing user input when it is to be redisplayed or executed as PHP code. Now it's time to consider entering that data into a database, and cover the security issues which arise when …

[WEB SECURITY] question about anti-xss applicability of PHP's …

Posted on June 2, 2008 - Filed Under security

Hi all, I've been trusting PHP's htmlentities() to escape to HTML for a long time now on several customer sites and I want to be sure that it's secure. I am specifying UTF-8 as my charset in XHTML headers, so I don't think alternative …

Flying Woes

Posted on June 2, 2008 - Filed Under filtering input

Some of these rules and security precautions are just complete nonsense. A knife that’s 3 1/2 inches is fine, but four inches and you’re a terrorist! Thankfully, I don’t really look like a trouble maker, if you could even articulate …

Getting Started With CodeIgniter: Part 4 - Security

Posted on June 1, 2008 - Filed Under programming

array($this->input->post('username'), $this->input->post('password'))); As you can see, the query() function has a little-known optional second parameter: an array of variables to stick into the SQL. CI will automatically escape …

Re: [WEB SECURITY] Question about escaping strings in javascript

Posted on June 1, 2008 - Filed Under programming

Hey Evert, there's a great compilation of input vectors at: http://ha.ckers.org/xss.html. E.g. if content is parsed into an img tag, the following might be a possible IV: - Enric. Evert | Collab …
