Ilia has just blogged that HttpOnly is now supported in PHP 5.2. This prevents the usual sort of basic XSS attacks, like:
Supported browsers:
IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks)
IE 7.0 – prevents reading and writing – safest
Safari 1.3 – not supported (update)…
Category: PHP
OSCON
Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia. Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we…
A quickie
Here’s a single slide from the PHP security architecture slide deck. When I’ve sorted myself out in terms of demos for OSCON, I will release the entire thing, once it’s in better shape (and smaller for the web – this Keynote theme seems particularly heavy). Slide 9 (1.2 MB, pdf)
PHP Security Architecture
[ EDIT: a comment I wrote in this entry referred to Laura Thomson as one of the reviewers of the OWASP Top 5 article. Although I have discussed other PHP related things with Laura, this article is not one of them. I’ve carefully reviewed my Sent folder during this time, and I’ve updated the reviewers…
OSCON 2006 – See you there!
Just a quick note as to the quietness of the blog. I’m working on a few things:
my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
doing demos for the above
my slides for OWASP…
Ajax Security Presentation up
Here’s the quick and dirty preview of the new Ajax chapter of the Guide 2.1. It’s also some of the first real guidance anywhere on Ajax security – period. It was interesting to find so many apps adopting Ajax, but so little information on how to secure it. Ajax Security Presentation (PDF, 1.8 MB) If…
PHP Security Architecture: SABSA approach
There are only a few acknowledged industry security architectures. SABSA (best documented in Enterprise Security Architecture by Sherwood, Clark and Lynas) is probably the best known. The various artifacts from this architecture include:
Each of these layers needs to be thought about in a considered way:
(Business) Drivers – Why do you want X / How…
PHP Security Architecture – Contextual Overview
Overview
The problem with PHP is that it has no security architecture. What do I mean by security architecture? A single pervasive vision for security, which will last for approximately five years with little or no design maintenance. A robust security architecture creates a balance between functionality and risk, and ensures that by default, simple…
PHP Insecurity: Failure of Leadership
About a week or so ago, I wrote to webappsec in response to Yasuo Ohgaki’s (書かない日記) post about some issues with PHP’s security model. For some time, I’ve been worried about the direction of PHP. As many of you know, I helped write XMB Forum and now help write UltimaBB. XMB in particular is an…
PHP Insecurity: File handling and remote code execution
One of the reasons that PHP applications feature so prominently on bugtraq is not particularly developer focussed; it is PHP’s fault. Today we look at the top reason: the semi-hidden world of allow_url_fopen, wrappers and pretty much all file orientated functions. The extraordinarily bad decision to make allow_url_fopen the default AND enable a host of functions to automatically “benefit” from these features causes the #1 security defect of 2005 – remote file inclusion. Read on for this rant. Warning – no solutions contained within.