I’ve been playing around with JSON recently, and I’ve discovered that most JSON implementations allow parameter pollution: the same key can appear more than once in a single object, and the parser silently picks one of the values rather than rejecting the document. This might be obvious to JavaScript experts, but it’s not immediately obvious to most folks, as JSON is just so much line noise. {"varName":value,"varName":value2,"varName":value3} In the systems I’ve tried injecting, value3 is the one taken. Now if you have…
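The duplicate-key behaviour described above, as an added example that is not part of the original post. It shows that JSON.parse in Node and browsers keeps the last occurrence of a repeated key (the ECMAScript specification requires this), and then a small scanner, written here for illustration, that walks the raw text and reports every key that repeats within one object so a server can reject polluted input instead of trusting the last value. The sample document, and the names findDuplicateKeys and parseStrict, are constructed for this example.

```javascript
// Added example, not code from the original post.
// Constructed sample input: "role" repeated at the top level, "a" repeated
// inside a nested object. The two objects inside "list" each carry "x" once,
// so those are separate scopes and are NOT duplicates.
const polluted =
  '{"role":"user","role":"admin","extra":{"a":1,"a":2},"list":[{"x":1},{"x":2}]}';

// Most parsers, JSON.parse included, silently keep the last occurrence of a key.
function lastWins(text) {
  return JSON.parse(text);
}

// Scan the raw JSON text and collect every key that repeats within one object.
// Returns dotted paths such as "role" or "extra.a"; an empty array means clean.
// Strings are consumed whole (escapes honoured), so braces, brackets and commas
// inside string values do not confuse the scope tracking.
function findDuplicateKeys(text) {
  const dups = [];
  const stack = []; // one entry per open object/array scope
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === '"') {
      // Find the closing quote, skipping backslash escapes such as \" and \\.
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        j += text[j] === "\\" ? 2 : 1;
      }
      const str = JSON.parse(text.slice(i, j + 1)); // decode escape sequences
      const top = stack[stack.length - 1];
      // A string directly after "{" or "," inside an object is a key.
      if (top && top.kind === "object" && top.expectKey) {
        if (top.keys.has(str)) dups.push(top.path + str);
        top.keys.add(str);
        top.lastKey = str;
        top.expectKey = false;
      }
      i = j + 1;
      continue;
    }
    if (ch === "{" || ch === "[") {
      const parent = stack[stack.length - 1];
      let path = "";
      if (parent && parent.kind === "object") path = parent.path + parent.lastKey + ".";
      if (parent && parent.kind === "array") path = parent.path + "[" + parent.index + "].";
      stack.push({
        kind: ch === "{" ? "object" : "array",
        keys: new Set(),
        expectKey: true,
        lastKey: null,
        index: 0,
        path,
      });
    } else if (ch === "}" || ch === "]") {
      stack.pop();
    } else if (ch === ",") {
      const top = stack[stack.length - 1];
      if (top && top.kind === "object") top.expectKey = true;
      else if (top) top.index += 1;
    }
    i += 1;
  }
  return dups;
}

// Reject a polluted document instead of letting the last value win.
function parseStrict(text) {
  const dups = findDuplicateKeys(text);
  if (dups.length > 0) {
    throw new Error("duplicate JSON keys: " + dups.join(", "));
  }
  return JSON.parse(text);
}

console.log(lastWins(polluted).role);     // admin: the third "role" wins
console.log(findDuplicateKeys(polluted)); // [ 'role', 'extra.a' ]
```

Run with node; the first line shows the pollution the post describes (a request that started as role "user" is parsed as "admin"), and parseStrict shows the check a server-side handler can apply before it trusts the decoded object. The scanner assumes syntactically valid JSON; it reports duplicates, it does not validate grammar.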
Category: OWASP
How to migrate to PDO without it hurting… much
As we saw in the previous article, conversion to MySQLi is an awful lot of work. So let’s move to PDO. Step 0: Get PDO working with your database server. Somewhere along the line, the PHP and MySQL folks decided to not be friends, so even though 99.99% of all PHP scripts require MySQL, in…
Converting your PHP app to MySQLi prepared statements
Okay, you’ve got like a zillion SQL queries in your PHP app, and probably 95% of them have a WHERE clause, and you need to make them safe so people will still download and use your app. Because if you don’t fix your injection issues, I will rain fire on your ass. These are the…
Howard Schmidt appointed US cyber czar
Howard Schmidt has been appointed as the US’s cyber czar. The position has been open for months, which is … interesting … considering how vital IT is to the world’s economy and safety. Mr Schmidt, if you read this blog entry, please consider the following: Web Application Security is the most pressing need for change….
Web App Sec Predictions for 2010
Normally at this time of the year, I would talk about the industry’s achievements over the last year. None. Zilch. Nada. We’re seeing more SQL injection used in real world attacks than ever before. XSS is still with us, and one of the biggest offenders – PHP – has made zero moves to include proper…
GaiaBB and OLPC
Peter Quodling, an old friend, e-mailed out of the blue last week. I have a lot of time for Peter as he’s one of the few Australian IT architects that really knows his stuff, plus he’s a really nice guy. He is involved in OLPC in the PNG region. Last Christmas, I nearly bought an XO…
Google: Don’t be evil
I work on an open source project, ESAPI for PHP. Well, “work” might be too strong a word for it, but I try to prod its lifeless carcass from time to time. That’s not the reason I write today. I write because of stupidity, and evil being conducted in the name of a “law”. I…
Nielsen on password security vs usability
I read Jakob Nielsen’s post on password security, and although he has a point, there are several issues as to why this is a monumentally bad idea. First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them? Second, exposing…
Soon, there will be one
Well, what an interesting weekend. A cold, working like a slave, and one of my co-workers is a father for the first time (Congrats, Ty!). But that’s not the most interesting news. I will be taking sole ownership of my forum, Aussieveedubbers, sometime this week. This means that I will have to spend a bit…
Using ASVS for real
The last time I talked about OWASP’s new Application Security Verification Standard, I had performed a Level 2B-3 review of my forum software, UltimaBB. This time, I’m working on a real project for a real customer. It’s been interesting. Level 1A, and in particular 1B, has been emasculated. I’m not really sure of the value…