Community

The community grew out of a desire to give readers some extra features as a thank you for their contributions. Join us to syndicate your own blog on the front page, display your comment history and blog posts via your profile, and reserve your name.

Latest Comments

1. Chris Shiflett said:

Glad it helped, Niall!

Posted In Git on Snow Leopard.

Wed, 17 Mar 2010 at 02:30:41 GMT


2. Niall Kelly said:

Having tried other methods without success and looked through plenty of bloated documentation, this just works! Thank you for providing simple code that does what it's supposed to...

Posted In Git on Snow Leopard.

Mon, 15 Mar 2010 at 14:42:15 GMT


3. liukang said:

I have a problem with this example.

In my php.ini, magic_quotes_gpc is off, so I'm using only addslashes() in the script. I made the table in MySQL with your SQL code and added one record, 'liu' 'kang' :), but anyway $db->query($sql); won't give me this one record in the result...

echo $sql:

SELECT * FROM users WHERE username = '<here is some Chinese sign>' OR username = username /*' AND password = 'guess'

What am I doing wrong?

(Sorry for my poor English.)

Posted In addslashes() Versus mysql_real_escape_string().

Sun, 14 Mar 2010 at 12:22:02 GMT


4. RyanTheGreat said:

Well, I'm not Chris, but I will do my best to address the questions raised in the comments by Ian E and Ray C.

@Ian E - I'm not sure what you found on that first link called "Cool CSRF using nothing but CSS and iframes" because it no longer exists. However, I would venture to guess that if someone indeed did use css + iframes for CSRF it was either one of two things:

1) An example of the possibilities of CSRF against an unprotected form, not one that was using a nonce. From the title, it sounds like it was intended to be an example of the fact you can use only CSS + iframes to execute a CSRF. I do not believe it was meant to be an example of how to use CSS + iframes to bypass a protected form which uses a nonce.

2) If it was indeed an attack against a protected form, not just a vulnerable form, I would be forced to assume it was a particular version of a browser that was vulnerable, not an attack vector meant for all purposes.

I would be forced to assume this because your assumption, "I am no javascript programmer, but I believe javascript can read a frame's content," is incorrect. JavaScript has almost literally NO access to ANY information about a frame. Try it out for yourself: you can get essentially no information about even a frame's current URL, let alone the actual content within the frame - and with good reason.

Imagine how horribly insecure everyone would be if such attacks were possible: monitoring entered keystrokes inside a frame with JavaScript to steal login credentials, redirecting users from a frame in which they thought they were on a legitimate site to an attack site, etc. If you could use JavaScript to manipulate/grab information from frames, CSRF would be the very least of our problems.

-Ryan

Posted In Security Corner: Cross-Site Request Forgeries.

Thu, 11 Mar 2010 at 20:40:04 GMT


5. Chris Shiflett said:

Thanks for the kind words, Simon.

I'm glad you liked the tutorial. In case it's helpful, here's a link to the slides on SlideShare:

http://slideshare.net/shiflett/evol...of-web-security

Thanks again, and I agree with everything you said about Webstock. People love things that are made with love. :-)

Posted In Webstock.

Fri, 05 Mar 2010 at 16:55:02 GMT


6. Chris Shiflett said:

Hi Robin,

I plan to post something about it, but it's going to be hard to express everything in writing.

The short summary is Webstock is the best conference I've ever been to, and I've been to a lot of conferences.

More soon, I hope!

Posted In Webstock.

Fri, 05 Mar 2010 at 16:49:53 GMT


7. Simon Mahony said:

Hi Chris,

I really enjoyed your workshop on the Evolution of Security at Webstock. I think I got enough value from those three hours to justify the entire conference fee. I'm just heading off to Amazon to buy the book. I've been programming in PHP for nearly a decade and was stunned by how little I really knew about security. Thanks for providing the answers.

And thanks for coming to Webstock. It is a great conference, and what's even more amazing is that it's put together by two guys and their wives working part time (they all have full time jobs) and is run by them and a very small group of volunteers. No professional, full-time organisation. Just pure heart.

I hope we'll see you at another Webstock event soon.

Cheers,

Simon

Posted In Webstock.

Sat, 27 Feb 2010 at 11:46:56 GMT


8. Robin Gorry said:

Hi Chris,

I was wondering if you were going to post how Webstock went for you this year.

I live in New Zealand and desperately wanted to get to Wellington, but I couldn't get the time off work.

Cheers,

Robin

Posted In Webstock.

Thu, 25 Feb 2010 at 02:04:18 GMT


9. Jess said:

I am using the following service for vulnerability research:

http://xss-scanner.com

Posted In Adobe PDF XSS Vulnerability.

Wed, 24 Feb 2010 at 21:01:14 GMT


10. Ray Low Dake said:

Hi Chris,

I enjoyed reading this article as well as your article about session security titled "The Truth About Sessions". It gave me deeper insight into how I should be handling sessions in my web apps. Thanks.

Posted In Guru Speak: Storing Sessions in a Database.

Wed, 24 Feb 2010 at 04:10:02 GMT

