I’m planning to release my Wordpress security plugin called “Wordpress Lockdown” soon once I’ve done a full audit of Wordpress code and I’ve completed other stuff. I have a few test users which are providing useful feedback all the time but unfortunately the code isn’t ready to be used by the masses because of certain [...]
The Spanner
Category Archives: php
CSK update
I’ve been doing some more experimenting with CSS (god help us) and I’ve found a way to successfully store and retrieve data via CSS without page refreshes. In case you don’t know, CSK is my CSS Scripting Kit I’m developing. I plan to release the kit soon once I’ve polished some features. This is really [...]
The blogs you should read
I’ve created this list to show my respect for some of web security’s greatest minds. I don’t usually link to blogs or posts when I write but I have decided to do it more often in order to spread the word and provide a good resource for people to learn. There may be other people [...]
Secure programming flowchart
Ronald has an excellent article on secure programming:
Secure programming flowchart
The reason I like this article so much is that it introduces a way of thinking. I generally think like that: I have a list of steps in my head and I try to code my scripts with various layers of security. The further you go [...]
More browser bugs equals greater risk
I found this on SecurityFocus:
http://www.securityfocus.com/brief/578
Really, I’ve not read so much rubbish in my life. Are they having a laugh or what? The article headlines with “More browser bugs, but less risk?”; all I want to know is which sites they have been looking at. If they have only been tracking malicious web sites then [...]
CSK CSS Scripting Kit
I’m currently in the process of developing a CSS Scripting Kit called “CSK”. This kit will allow you to perform scripting actions that would normally be reserved for Javascript. I believe the standards that browser manufacturers are adopting create major security holes, and if they don’t either create new security policies to adapt to this [...]
CSS LAN scanner
I think the single most insecure feature of internet browsers today is iframes: you can do too much with them, and I feel I’ve only touched the surface with the examples I’ve shown. My next tool shows how simple it is to scan your entire local network from the internet using iframes, CSS and absolutely [...]
CSS attacks!
As browser manufacturers add new features, they can sometimes overlook the security implications, which often seem minor. I’ve found two such features which I think could cause problems.
CSS overlays
Iframes can be manipulated to show only a small area of the screen; even worse, you can actually overlay any other item over the top [...]
Protection against CSRF part 2
Continuing from my previous post, I have decided to provide demos of a lot of the techniques discussed. These techniques won’t make your site 100% secure, but they will help reduce the risk of attack. Remember that you still need to protect against XSS: these techniques will not stop your site from being attacked with XSS.
I [...]
Protection against CSRF
It’s quite difficult to protect against CSRF because your site is performing actions on the attacker’s behalf. There are a couple of things you can do to help protect against it, and I shall explain a couple of methods here.
Form tokens
Form tokens can be used to make it more difficult for an attacker to perform CSRF, [...]