ZendCon Day One

19 Oct 2005

I'm attending the Zend PHP Conference and Expo (which I've decided to call ZendCon for convenience) this week. The conference is taking place at the Hyatt Regency in San Francisco (Burlingame if you're picky). The venue is very nice, and the business focus is proving to be more interesting than I expected.

Yesterday was the first day of the conference, but it was just tutorials, so it lacked the attendance, keynotes, and other stuff that accompanies the "real" conference days.

I gave a tutorial called Securing PHP Applications that I think went really well. The night before, I decided to cut out some material to make room for a case study of the Myspace worm. I think most people appreciated seeing a real-world scenario that solidified many of the topics I was discussing in the talk. I also think there is quite a bit of confusion and misunderstanding about the mechanics of the worm (specifically about the role XSS played). I plan to collect some of my notes and blog more details about that.

Most people seem particularly interested in the fact that AJAX was used to subvert the CSRF protection that Myspace employed. Someone reminded me that I described this scenario in a comment I made a month or two ago. It was also a scenario that I researched in a recent consulting engagement.

I plan to cover the conference pretty well in my blog, so stay tuned. :-)