Archive for 'Web security' Category
Sanitizing PHP file uploads
Security folks are often called in at the last stage of a project, after the architecture and development work is finalized, with a mandate to “secure the system” just before it goes live. Usually the web code and network architecture can’t be changed because “that phase of the project has completed”, or the app is [...]
OWASP meetings are depressing
Our local OWASP chapter met last night for a talk on “rich internet applications” (meaning Ajax, Flash, MS Silverlight, Adobe AIR etc.). It was grim. The talk (given by this guy) mainly focused on how business logic, passwords and encryption keys are being embedded into client-side Flash applications, under the mistaken assumption that compiled Flash [...]
Core GRASP – SQL injection prevention for PHP
SQL injection vulnerabilities are still common in web applications. The damage done when attackers are able to send raw SQL commands through to your database is severe enough that most developers have some idea about avoiding it: using bound parameters and stored procedures rather than the usual method (building an SQL statement by concatenating constants [...]
Port scanning with Adobe Flash
The same origin policy for web browsers is completely blown. Last year SPI Dynamics demonstrated how to trick a browser into doing a port scan of the local network using plain old Javascript. Now researchers at the Chaos Communication Camp demonstrated that Adobe Flash can do the same thing. Very neat proof of concept. Yet [...]
(Unencrypted) site security confirmed!
SSL vendors still equate encryption with “security”. Forget about hardening your e-commerce server. Don’t bother encrypting data at rest. According to the ads from SSL vendors, all you need is their 128-bit SSL certificate (preferably the new EV SSL variety) … and to pay the annual fee. VPN and other crypto product vendors do the [...]