For the PHP developers who are interested in learning more about Cross-Site Scripting (XSS) or Cross-Site Request Forgeries (CSRF), I'm happy to announce that Foiling Cross-Site Attacks is now available for free from my Web site.
This article, originally published in the Oct 2003 issue of php|architect, describes both attacks as well as several best practices that can help you protect your applications. Thanks to php|architect for allowing me to make this information freely available.
The FOSS Planet seems like a nice idea. It's almost too exhaustive for my needs, but I'm sure I'll be reading it anyway.
It's difficult to please everyone with this sort of thing. I recently stumbled upon Planet PHP, but it didn't interest me (despite my interest in PHP). It includes too many blogs from people that I'm not interested in and is missing too many blogs of people that I am interested in. Plus, it uses blog titles instead of people's names, which makes it difficult to distinguish the two.
FOSS Planet lists people's names and is pretty exhaustive. So, it at least solves two of those problems. At most, you only have to avoid the blogs of the people that you may not be interested in. Nice job, Steve.
The PHP community now has a logo. The winning artist is Peter Jovanovic (with contributions from Richard Davey). Congratulations, Peter, and thanks for the great logo.
We will hopefully soon have banners of various sizes that you can place on your site to promote the PHP community.
Zak Greant has posted the MySQL Speaker Guidelines under a Creative Commons Attribution License.
This seems like a good step toward eliminating the "reinventing the wheel" syndrome among conference organizers. Hopefully this will start a nice trend of cooperation.
I will be giving three talks at OSCON this year: two sessions and a tutorial.
They're all focused on PHP security in one way or another, and I'm very happy
that O'Reilly is giving this topic so much attention. I'm including the descriptions
below, although the exact outline of the tutorial (PHP Security) is
subject to change.
Securing PHP Sessions
PHP's native session mechanism provides Web developers with all the tools they need to create stateful PHP applications. In this talk, I will explain how to take this one step further and secure your sessions to help complicate impersonation as well as defend against various types of attacks.
By taking a detailed look at the HTTP transactions that take place as users interact with a Web application, you will gain important insight into the challenge of maintaining state. You will learn how to identify patterns in a Web browser's requests to create a virtual fingerprint as well as how to leverage multiple identifiers.
Beginning with the most basic example of implementing sessions with PHP, you are shown exactly what is required to impersonate a user. This basic example is strengthened as the talk continues by introducing a few different techniques. As each technique is introduced and explained, the resulting user experience is contrasted with a sample attack required to impersonate the user. By the end, you should have a much clearer understanding of sessions and walk away with some useful techniques that you can implement in your own applications.
Foiling Cross-Site Attacks
PHP is quickly becoming the world's most popular programming language for creating Web applications. As more and more applications are being built for the Web, security is becoming a crucial topic. One of the best methods you can use to educate yourself about PHP security is to study the various types of attacks that you must defend against.
This talk introduces two of the most common types of attacks that current Web developers face, Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF). Because XSS involves exploiting the trust granted to a particular Web site and CSRF involves exploiting the trust granted to a particular user, these two example attacks will help demonstrate a wide variety of application-based attacks.
By using examples that illustrate exactly how these types of attacks are accomplished, you are shown simple and effective techniques that you can use to help prevent such vulnerabilities in your own PHP applications.
This is just a preliminary outline. I am basically choosing a focused selection of topics from my upcoming book, PHP Security.
What Is Security?
Spoofed Form Submissions
Spoofed HTTP Requests
Databases and SQL
Exposed Access Credentials
Exposed Session Data
Browsing the Filesystem
The PHPCommunity.org Logo Contest ended a few days ago. All of the entries are online, and you can make comments on your favorites.
Thanks to all who entered. There are some really great logos.
Ben Ramsey, of the PHPC project, and Matt Kern are creating a PHP user group in Atlanta. As described here, Matt actually thought of the idea three days before Ben. Maybe this will make a funny story once the group gets going. I wish them both the best of luck.
After having been contacted a few times now regarding PHP user group creation, I have realized that we, the PHP community, need something similar to Perl Mongers. I hope to have more information on this soon, as I plan to do something about it.