HttpOnly in Safari 4.0 (release)

Good news! Safari 4.0 has: Supports read only HttpOnly protection XMLHttpRequest read protection for set-cookie, set-cookie2, and GetAllResponseHeaders! It does not protect against cookie writing. Test script here: This is a great improvement! Now all major browsers support HttpOnly in some form. thanks, Andrew

Validating ASVS 1.0 beta using a PHP application

A long, long time ago, I took on running Aussieveedubbers, a forum based around the love of Volkswagens. We were on EzBoard, where the adverts and performance sucked so bad, that free was no longer acceptable. Over many iterations, I now run UltimaBB, a derivative of XMB. I had various titles – including lead programmer […]

ESAPI for PHP news

AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilties, etc) are present and working: This is very good news as although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port as PHP does not have the equivalent of J2EE […]

Web training news

No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism. In some exciting news: I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project […]


Last night, I spoke to the phpMELB folks for an hour on ESAPI for PHP. The talk went well, and they taped it. When the video appears, I will link to it. More importantly, I worked on ESAPI for a couple of hours after returning last night, and finally have something to show everyone! ESAPI for […]