It’s no news that the latest 0day for IE is spreading via SQL injection attacks. What is news is why are we still suffering from SQL injection? We’ve known for over eight years how to utterly end SQL injection. I’m sick of writing about it. We should not be talking about SQL injection any more. This…
Category: Security
WordPress 2.7 released with easter egg
As I noted a few weeks ago, WordPress has had an obfuscated easter egg in it for some time. Despite reporting this security defect / software engineering malpractice to two different WordPress folks (the author of the excellent WP development blog, and the security team’s e-mail), 2.7 was released with the easter egg. Hopefully, this…
WebScarab For Eclipse
This lunchtime, I did something I’ll probably later regret: creating a new project. As if I don’t have enough on my plate already. The idea has been rattling around my head for a while – I use Eclipse nearly all day, and I figured that Eclipse is a great toolchain hosting platform. It gets rid…
Black Hat 2008
Well, I’m back from another year at Black Hat. This time, I taught one of my company’s 2D Web Application Security courses. I think I may have been one of the very few courses that concentrated on defense, which is Black Hat’s tongue in cheek slogan (“Digital Self Defense”). I taught the folks in there…
OWASP Guide 3.0 and Coding Guide 2009 Start
I’ve been busy over the weekend. I met with Blake Turrentine at a diner near where I live. We had a good long discussion over breakfast on the future of the Guide 3.0. The Guide 3.0 will be about how to design apps and code securely. That’s it. Only positive controls will be discussed unless…
Feelings of Rejection
In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention to my last year’s rant. Most likely, I will have to give up on submitting papers to certain open source developers’ conferences as honestly, why bother doing the work of doing the research, creating the paper…
HttpOnly Update
Jim asked a great question – what is the current state of the nation for HttpOnly? I’m glad he asked! Pass (read/write cookie protection): IE 7.0, Firefox >= 2.0.0.5, Firefox 3.0 beta, Camino 1.5.4. Barely Pass (read-only cookie protection): IE 6.0, Opera 9.50 beta. Fail (no cookie protection): Safari 3.1, Firefox…
ESAPI for PHP is go
I’m working (slowly) on porting ESAPI to PHP. This will be great! So just in case I keep on having a life after hours, Jeff kindly created an ESAPI for PHP project. If you care about PHP security, come help us finish the port. It’s only 3900 lines of code, and I’ve ported like a 1000 of them already. …
Reaching for the high hanging fruit
My current research is mainframe security as it applies to web applications. This is where the high hanging fruit (the golden apples) lie. If you can a) fake or bypass authentication; b) fake or bypass authorization; c) spoof logging or otherwise destroy accountability; d) interact directly or indirectly with a deeply nested service of value; e)…
Let’s talk mainframes for a bit. Part 1: Background and AuthC
In larger organizations, the back end of a web application is a mainframe. The mainframe is the final frontier of application security: it uses a platform few if any in the application security industry know about; those who do know mainframe security rarely interact with the outside; IBM trains young devs in how to program COBOL,…