AppSec Blog

Spot the Vuln - Invincible - Cross Site Scripting

Details: Affected Software: WPhone Plug-in; Fixed in Version: 1.5.2; Issue Type: Cross Site Scripting (XSS); Original Code: Found Here. This bug is a straightforward XSS bug. Once again, we see the familiar $_SERVER['PHP_SELF'] variable being echoed back to the user without any encoding. The fix is simple: remove the value for the ACTION form …


Developer Survey for BSides London

To prepare a talk at BSides London, Chris Riley is looking for some input from developers and managers about application security. Please take a couple of minutes to help him out. http://svy.mk/i5aV0N


GWEB - Web Application Security Certification

GIAC is launching a new certification for developers and application security professionals involved in defending web applications. As the author of the corresponding course DEV522, I was invited to beta test the exam. So, while I have a related interest, this isn't my baby. This certification exam is fantastic - it is tough. To pass …


Firefox 4 Security Features

Like no other release before it, Firefox 4 includes a number of significant security features. These features address attacks that are particularly hard for developers to avoid, and in which the browser, more so than the server, is the victim.


Spot the Vuln - Invincible

"In ancient times skillful warriors first made themselves invincible, and then watched for vulnerability in their opponents." (Sun Tzu) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try …