Good news! Safari 4.0 now supports HttpOnly, at least for reads: XMLHttpRequest can no longer read HttpOnly cookies via Set-Cookie, Set-Cookie2, or getAllResponseHeaders(). It does not protect against cookie writing. Test script here: http://greebo.net/owasp/httponly.php This is a great improvement! Now all major browsers support HttpOnly in some form. thanks, Andrew
Category: OWASP
Validating ASVS 1.0 beta using a PHP application
A long, long time ago, I took on running Aussieveedubbers, a forum based around the love of Volkswagens. We were on EzBoard, where the adverts and performance sucked so bad, that free was no longer acceptable. Over many iterations, I now run UltimaBB, a derivative of XMB. I had various titles – including lead programmer…
OWASP EU 2009 Coming Soon!
OWASP EU 2009 is coming up! This year, it’s held in Kraków, Poland. Time to book! Program highlights: Keynote: Ross Anderson from Cambridge University. I’ve wanted to meet Ross for many years. Those guys are legends! Keynote: Bruce Schneier. I bet there are groupies. w3af – Andrés Riancho. This is one of the best free toolkits I’ve tried…
OWASP Melbourne tonight!
I am appearing at OWASP Melbourne tonight. Come along and enjoy my take on protecting business value.
ESAPI for PHP news
AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilities, etc.) are present and working. This is very good news: although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port, as PHP does not have the equivalent of J2EE…
ESAPI for PHP – first tests passed
I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class. This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes,…
Web training news
No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism. In some exciting news: I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project…
ESAPI for PHP
Last night, I spoke to the phpMELB folks for an hour on ESAPI for PHP. The talk went well, and they taped it. When the video appears, I will link to it. More importantly, I worked on ESAPI for a couple of hours after returning last night, and finally have something to show everyone! ESAPI for…
Training coming along nicely
For those of you sitting on the fence about coming to OWASP AU 2009, it’s time to book. 🙂 The training materials I’ve developed using OWASP ASVS cover all the ground in the ASVS in one day, from a developer perspective: About the Application Security Verification Standard; What you need to verify code; About Risk …
How today’s Twitter Attack Might Never Have Been
I feel sorry for Twitter – they have the poster child of low-value apps (which usually means no security controls or review), and then all of a sudden, they get done over using such a simple attack that it’s generous to call the attack a “hack”. Of course, because of the targets – Barack…