AppSec Blog: Tag - php

Taming the Beast - The Floating Point DoS Vulnerability

Originally posted as Taming the Beast. The recent multi-language numerical parsing DoS bug has been named the "Mark of the Beast". Some claim that this bug was first reported as early as 2001. This is a significant bug in (at least) PHP and Java. Similar issues have affected Ruby in the past. This bug has left …


What should be part of a PHP Streetfighter API

Do we need a quick and dirty PHP Streetfighter API? Something to help lazy developers beat up lazy exploits? Something that can be written in 24hrs and learned in less than 1hr? If you are interested in using it, let me know.


Various PHP and MySQL Pitfalls

This is a short post to summarize some of the issues I see with PHP code and the use of MySQL. Not too many people know about these pitfalls, and they give rise to some of the more subtle security issues: 1 - "SQL Overflow" If a value you insert into a column is …


Session Attacks and PHP - Part 2

Yes, I will talk in this article about why it is not good to leave your session files in /tmp. But first, allow me to follow Jason's lead and talk about the session attacks he discussed in Part 2 of his ASP.NET article. I will keep it short. Session fixation isn't really that much of …


A Proposal for a PHP "UserData" Class

The title of this blog is "Application Security Street Fighting". It is based on an idea I have been pursuing for a while now. The goal is to come up with a set of simple and reproducible techniques to secure applications. Personally, I favor coding in unstructured languages like Perl and PHP for all the wrong …