How Not To Hire Me

So I got a rather interesting email today. Ever since I put my resume public a few months ago (even though it was taken off just 2 weeks later when I accepted a position), I’ve been getting emails quite often from recruiters looking for help. Most are mildly interesting and the majority I just glance over. But every once in a while I get one that takes me aback and makes me look deeper. Some of those turn out to be really good. And some of those are shockingly bad. This one is the latter…

Why I Don’t Use Autocomplete

Today’s IDEs (Integrated Development Environments) provide a lot of features that make development significantly easier. From error checking and debugging to intelligent syntax highlighting and refactoring, there are a significant number of time-saving features available. One of these commonly loved features I have disabled, and I have found that doing so has made my life easier and the code I write better. The feature I am speaking of is autocompletion…

Are Traits The New Eval?

The upcoming release of PHP 5.4.0 includes a plethora of new features, including Traits. While I do believe this is a great feature with great possibilities, I also fear that it may fall into the category of often-abused-features such as eval(), goto, constants, the @ operator, class inheritance and regular expressions.

Random Number Generation In PHP

What is “random”?

When we talk about “random” numbers, we generally talk about two fundamental properties: Predictability and Bias. Both are closely related, but are subtly different. Predictability in reference to random numbers is the statistical problem of predicting the next value when knowing any number of previous values. Bias on the other hand is the statistical problem of predicting the next value when knowing the distribution of previous values.

In Response To: Building Secured Web Applications Using PHP - The Basics

Today an article popped into my feed reader that raised my eyebrows. The article’s title is “Building Secured Web Applications Using PHP - The Basics”. The summary of the item looked interesting, so I decided to open it up…

What I found blew me away. It was filled with loads of bad information, including some downright wrong suggestions. Let me go through point by point and shed some light on the subject…

XSS - Web Application Security - Post 2

In the first post of this series, we looked at some fundamental concepts of Web Application Security, and introduced the concept of Filter In, Escape Out. In today’s post, we will be examining the single most prolific vulnerability plaguing web applications today: Cross-Site Scripting (otherwise known as XSS). Not only is it prolific, it’s also commonly underestimated and is often just a low-priority afterthought. In reality, XSS is a formidable threat and needs to be treated as such.