Archives for the Month of October, 2007

Hackvertor video demo

I’ve decided to create a video demo of Hackvertor to display the new features I’ve added. The tool is quite powerful now and it is even able to solve my “a bit of fun” challenge. I didn’t want to waste the bandwidth of my server because of costs, so sorry about the adverts displayed in […]

Spambam beta test

I’ve worked on a new version of Spambam which has a lot more features; it now doesn’t reject spam but simply moves it into a spam folder. I’d be interested in what everyone thinks about it and whether this method is preferred to simply blocking all spam. The reason behind the method change was to […]

IFrames security summary

I’ve decided to collect the various proof of concepts I’ve done and summarise why iframes are a security risk. Here are the top reasons:

1. Browser cross-domain exploits

Description: Because you can embed another web site inside your page, you can exploit that page and perform actions as that user, doing anything on […]

Verisign fix overlay vulnerability

I’m pleased to announce that Verisign have fixed the CSS overlay vulnerability I disclosed. It is good news that the OpenID providers respond well to security reports, as I think security is extremely important, especially with a single sign-on service. Verisign acted very professionally, communicated well and fixed the flaw promptly.

JSCK demo update

I believe in releasing code as early as possible and often. So I’ve released another version of JSCK. The code isn’t a complete solution at the moment and is more of a proof of concept than a final version you can use on live sites, but it highlights the method well and should provide […]

JSCK

I had a great idea to protect against CSRF: use my random JavaScript creation technique! I already knew it was possible to use it in this way, but I wanted a nice solution that anyone could incorporate into their site. PHP first creates a random session key using random code blocks, then JavaScript does the […]

Regular expression challenge

After the success of my “a bit of fun” challenge, a few people asked for some more challenges. I was answering a question on a mailing list that I’m a member of and thought it would be a good topic for a little challenge, and help sharpen everyone’s regular expression skills. The rules […]

New version of Hackvertor released

I’ve been busy catching up with some of the projects I’ve been working on, and I’m pleased to announce a new version of Hackvertor; if you don’t know what it is, check it out. It’s a useful tool to help with conversions and pen-testing server-side XSS filters. I decided to write the tool […]

Blogsecurity

I’m pleased to announce that I have recently joined Blogsecurity, which is fantastic news because I can work with some excellent people and develop free open source software which will help blogging security.

WordPress Lockdown and WPIDS

We’ve already been working on a security plugin for WordPress which combines my previously unreleased plugin WP Lockdown […]

OpenID account security

Many developers design their system security based on what the software does; this is a mistake. You should always design a security system based on what your software might do. I’m quite surprised when people don’t understand this. I often think of potential scenarios and discuss flaws in a current implementation based on those […]