I’ve been playing around with JSON recently, and I’ve discovered that most JSON implementations allow parameter pollution. This might be obvious to JavaScript experts, but it’s not immediately obvious to most folks, as JSON is just so much line noise. {"varName":value,"varName":value2,"varName":value3} In the systems I’ve tried injecting, value3 is the one taken. Now if you have…
Category: Security
How to migrate to PDO without it hurting… much
As we saw in the previous article, conversion to MySQLi is an awful lot of work. So let’s move to PDO. Step 0. Get PDO working with your database server Somewhere along the line, the PHP and MySQL folks decided to not be friends, so even though 99.99% of all PHP scripts require MySQL, in…
Converting your PHP app to MySQLi prepared statements
Okay, you’ve got like a zillion SQL queries in your PHP app, and probably 95% of them have a WHERE clause, and you need to make them safe so people will still download and use your app. Because if you don’t fix your injection issues, I will rain fire on your ass. These are the…
Howard Schmidt appointed US cyber czar
Howard Schmidt has been appointed as the US’s cyber czar. The position has been open for months, which is … interesting … considering how vital IT is to the world’s economy and safety. Mr Schmidt, if you read this blog entry, please consider the following: Web Application Security is the most pressing need for change….
Web App Sec Predictions for 2010
Normally at this time of the year, I would talk about the industry’s achievements over the last year. None. Zilch. Nada. We’re seeing more SQL injection used in real world attacks than ever before. XSS is still with us, and one of the biggest offenders – PHP – has made zero moves to include proper…
How not to answer secret questions and answers
This one is not quite safe for work, but it’s very funny: Live Chat Help Currently experiencing network delays, one moment please…. Network connection re-established. Adam Brooke: Do you work for the IRS? Kamyar: Thank you for waiting Sir. Unfortunately we cannot access your password, however we can reset it, which enables you to access…
“Protect the Data” Idiot! Redux
Richard Bejtlich at his TaoSecurity Blog makes a very strong assertion that we’re all idiots for wanting to protect data, rather than the container. I’m not going to play a semantic game about protecting data versus the thing the data is in at the moment, but honestly, I think he misses a really strong point as…
Google: Don’t be evil
I work on an open source project, ESAPI for PHP. Well, “work” might be too strong a word for it, but I try to prod its lifeless carcass from time to time. That’s not the reason I write today. I write because of stupidity, and evil being conducted in the name of a “law”. I…
Nielsen on password security vs usability
I read Jakob Nielsen’s post on password security, and although he has a point, there are several issues as to why this is a monumentally bad idea. First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them? Second, exposing…
Soon, there will be one
Well, what an interesting weekend. A cold, working like a slave, and one of my co-workers is a father for the first time (Congrats, Ty!). But that’s not the most interesting news. I will be taking sole ownership of my forum, Aussieveedubbers, sometime this week. This means that I will have to spend a bit…