The last time I talked about OWASP’s new Application Security Verification Standard, I had performed a Level 2B-3 review of my forum software, UltimaBB. This time, I’m working on a real project for a real customer. It’s been interesting. Level 1A and in particular, 1B has been emasculated. I’m not really sure of the value…
Category: Security
HttpOnly in Safari 4.0 (release)
Good news! Safari 4.0 now supports read-only HttpOnly protection: XMLHttpRequest read protection for set-cookie, set-cookie2, and GetAllResponseHeaders! It does not protect against cookie writing. Test script here: http://greebo.net/owasp/httponly.php This is a great improvement! Now all major browsers support HttpOnly in some form. Thanks, Andrew
Pretty is not necessarily secure
I feel sorry for folks trying their hardest to be something they’re not. It’s time for me to put something down I’ve been saying at conferences for years. If you’re not a programmer or developer by trade, please don’t write software or web apps. Dreamweaver does not maketh you a programmer. Ajax is not a…
Validating ASVS 1.0 beta using a PHP application
A long, long time ago, I took on running Aussieveedubbers, a forum based around the love of Volkswagens. We were on EzBoard, where the adverts and performance sucked so bad, that free was no longer acceptable. Over many iterations, I now run UltimaBB, a derivative of XMB. I had various titles – including lead programmer…
ESAPI for PHP news
AccessReferenceMap, RandomAccessReferenceMap and IntegerReferenceMap, and enough of the other classes (FileBasedAuthenticator, StringUtilities, etc.) are present and working. This is very good news as, although some of the other classes in Milestone 1 are complicated, these two classes were actually going to be some of the hardest to port as PHP does not have the equivalent of J2EE…
ESAPI for PHP – first tests passed
I’ve been working on the essentials for OWASP ESAPI, and now it passes its first set of unit tests, in this case a 1:1 mapping of the ESAPI exceptions test class. This is the first set of classes that fully passes a set of tests that is exactly equivalent to the J2EE trunk SVN. Yes,…
Web training news
No posts for like a month or two, and two in one day? Time for some shameless crass philanthropy and some good natured commercialism. In some exciting news: I’ve donated my one and a bit ESAPI / ASVS training deck I gave at OWASP AU 2009 to OWASP! It’ll be available as soon as the education project…
How today’s Twitter Attack Might Never Have Been
I feel sorry for Twitter – they have the poster child of low value apps (which usually means no security controls or review), and then all of a sudden, they get done over using such a simple attack that it’s generous to call the attack a “hack”. Of course, because of the targets – Barak…
2009 – The Year of WebAppSec Solutions
“He who controls the present, controls the past. He who controls the past, controls the future” – Orwell, 1984. Looking back at the last few years, we’ve made some huge leaps at swatting at issues that bit us in the past, but still have not made a huge fundamental leap to controlling the…
A review of 2008
Last year, I made the following observations / resolutions. Let’s check out how well I did: Be a good dad to Mackenzie my gorgeous daughter, and a wonderful (hopefully less chubby) hubby to Tanya, my beautiful wife. I think I succeeded at this one. Lose some weight and mean it this time. What New Year’s…