AppSec Blog: Tag - security

Various PHP and MySQL Pitfalls

This is a short post summarizing some of the issues I see with PHP code and the use of MySQL. Not too many people know about these pitfalls, and they give rise to some of the more subtle security issues: 1 - "SQL Overflow": If a value you insert into a column is …


Web application penetration testing VS vulnerability assessment

I deal with infrastructure and application security testing on a regular basis. On the infrastructure/network side, the consulting and testing market is much more mature, and the definitions of pentest and vulnerability assessment are industry accepted. It is easy to communicate with other folks about the work involved. On the application side, things are not as well …


Logging Links to 3rd party provider

When a web application spans multiple site boundaries, it is essential to keep track of where users are being directed. This is pretty much a basic logging and audit-trail concept. While it is easy to understand in theory, it is not always easy to see where it should be implemented. Development communities sometimes …


A Proposal for a PHP "UserData" Class

The title of this blog is "Application Security Street Fighting". It is based on an idea I have been pursuing for a while now. The goal is to come up with a set of simple and reproducible techniques to secure applications. Personally, I favor coding in unstructured languages like Perl and PHP for all the wrong …


Examine HTTP compressed gzip content

For incident handling, forensics or troubleshooting purposes, packet sniffing is often used to understand the information exchange between two hosts. HTTP packets are often sniffed so that the full header and body can be revealed easily, especially on the server side. On the client side, the most commonly used technique is to use a proxy …
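The excerpt above stops before it shows how to actually get at a gzip-compressed body once the response has been sniffed. The following is an added example, not code from the original post: it assumes the HTTP response has already been reassembled into one byte string (for instance, a raw export of a TCP stream from a capture tool), strips the Content-Length or chunked framing, and inflates the body with a streaming decompressor so that a truncated capture still yields the recoverable prefix and a decompression bomb cannot exhaust memory. The sample response, the size cap and all function names are constructed for this example.

```python
"""Decode a gzip/deflate-encoded HTTP response captured off the wire.

Added example for this page, not the blog author's code. Assumes the
response bytes have already been reassembled (TCP stream export).
"""
import gzip
import zlib

# Constructed sample payload; any HTML would do.
SAMPLE_HTML = b"<html><body><h1>Hello from the server</h1></body></html>"


def build_sample_response(payload: bytes = SAMPLE_HTML, chunked: bool = True) -> bytes:
    """Constructed sample: a gzip-compressed HTTP/1.1 response as it would look after
    TCP reassembly, framed either as two chunks or with a Content-Length."""
    gz = gzip.compress(payload)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html", b"Content-Encoding: gzip"]
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        half = len(gz) // 2
        body = b"%x\r\n%s\r\n%x\r\n%s\r\n0\r\n\r\n" % (half, gz[:half], len(gz) - half, gz[half:])
    else:
        headers.append(b"Content-Length: %d" % len(gz))
        body = gz
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; a truncated capture returns whatever chunks survived."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break                                   # chunk-size line cut off
        size = int(body[pos:eol].split(b";", 1)[0] or b"0", 16)   # ignore chunk extensions
        if size == 0:
            break                                   # last-chunk marker
        data = body[eol + 2:eol + 2 + size]
        out += data
        if len(data) < size:
            break                                   # chunk data cut off
        pos = eol + 2 + size + 2                    # skip data and its trailing CRLF
    return bytes(out)


def deframe(headers, body: bytes) -> bytes:
    """Remove transfer framing so only the (still compressed) entity body remains."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return dechunk(body)
    length = headers.get("content-length")
    return body[:int(length)] if length is not None else body


def inflate(body: bytes, encoding: str, max_out: int = 50 * 1024 * 1024):
    """Inflate a gzip or deflate body. Returns (data, stream_complete).

    Streaming decompressobj: partial input yields partial output instead of an
    exception, and max_out caps the output (assumed 50 MiB) against bombs."""
    if encoding == "gzip":
        candidates = [16 + zlib.MAX_WBITS]           # gzip wrapper
    elif encoding == "deflate":
        candidates = [zlib.MAX_WBITS, -zlib.MAX_WBITS]  # zlib-wrapped per the RFC, then raw deflate
    else:
        return body, True
    last_err = None
    for wbits in candidates:
        d = zlib.decompressobj(wbits)
        try:
            out = d.decompress(body, max_out)
        except zlib.error as err:
            last_err = err
            continue
        if d.unconsumed_tail:
            raise ValueError("decompressed body exceeds %d bytes; refusing to continue" % max_out)
        return out, d.eof
    raise last_err


def examine(raw: bytes):
    """Return (status line, decoded body, True if the compressed stream was complete)."""
    status, headers, body = parse_response(raw)
    body = deframe(headers, body)
    data, complete = inflate(body, headers.get("content-encoding", "identity").lower())
    return status, data, complete


if __name__ == "__main__":
    status, data, complete = examine(build_sample_response())
    print(status, "complete" if complete else "TRUNCATED")
    print(data.decode("utf-8", "replace"))
```

The `complete` flag matters in forensic work: a capture that stopped mid-transfer, or a stream with a dropped segment, still inflates up to the point of loss, and the flag tells you the body you are looking at is not the whole page rather than letting a blanket `gzip.decompress` raise and hide everything.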