AppSec Blog: Author - Johannes Ullrich

8 Basic Rules to Implement Secure File Uploads

The recent release of a new IIS vulnerability motivated me to compile a list of "best practices" for file uploads. This is a checklist I use in my own coding and it has become quite valuable to me. File uploads are always a "scary" feature, in particular if the files need to be access-controlled or if they will be retrievable via a browser by other users.


What should be part of a PHP Streetfighter API

Do we need a quick and dirty PHP Streetfighter API? Something to help lazy developers beat up lazy exploits? Something that can be written in 24 hours and learned in less than 1 hour? If you are interested in using it, let me know.


IPv6 and your Web Application

If you want to do something now: confirm whether your current web server supports IPv6. Modern operating systems tend to establish IPv6 tunnels over IPv4 automatically; make sure they are disabled until your application is ready for IPv6. Communicate clearly with your networking team to avoid accidental IPv6 exposure of your application. Finally: get an IPv6 test environment running to get your feet wet.


The Day the World Will End

With a new movie coming out about how the world will end with the (supposed) end of the Mayan calendar in 2012, I figured it would be nice to get a list of software-related "end of calendar" issues: Dec. 31st 1999, 23:59:59 GMT, the famous Y2K issue. We made it... (so far) …


Go Google Yourself

Regular spidering should be part of a web application's maintenance regimen. Of course, there are plenty of free and commercial tools to do it for you. Vulnerability scanners will typically come with a powerful spider function. On the other hand, public search engines like Google already do most of the work for you. In particular …