Atlanta PHP July Meeting
Tomorrow marks Atlanta PHP’s fourth consecutive, regular meeting at New Horizons in Tucker, GA. Originally, Matt Kern was slated to present a talk on Ajax, but he is now gearing up to move to Oregon, so he is not able to prepare his presentation. Thus, I have taken up the reins again, and I will be presenting a talk that I’m preparing for some of the fall conferences (in the event that my proposals are selected).
The talk I’m presenting was actually inspired by several questions asked during my presentation at the last Atlanta PHP meeting, in which I briefly covered cross-site scripting (XSS) and cross-site request forgeries (CSRF) but went on to describe server configuration instead of a more in-depth discussion on XSS and CSRF. This talk goes into more detail where the other left off and approaches these attacks from the application (code) level.
XSS and CSRF: Programmers Prepare, Users Beware
Cross-site scripting (XSS) and cross-site request forgeries (CSRF) are often confused as being one and the same, but this misconception can lead to disastrous results. In this talk, you will encounter each of these attacks through examples and learn to distinguish between them. You will also examine secure coding practices and techniques for prevention.
So, if you’re in the Atlanta area tomorrow, come on out and join Atlanta PHP at 7:00 PM EDT at New Horizons in Tucker.
Looking forward, our August and September meetings are already shaping up and the topics are very promising. We’ll discuss what’s in the forecast at our meeting tomorrow.
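The abstract above says the talk will show why XSS and CSRF need different defenses. As an added illustration (this is not code from the post, the talk, or the atlphp.org site; the function names and the sample inputs are my own), the block below puts the two side by side in PHP: a vulnerable and an escaped HTML output for XSS, and a per-session token check for CSRF. The `$session` array stands in for `$_SESSION` so the functions can be run from the command line.

```php
<?php
// Added example (not from the Atlanta PHP post): the two defenses the talk
// abstract distinguishes. XSS is untrusted data reaching the HTML unescaped;
// CSRF is the user's own browser being made to send a request they did not
// intend. Output escaping fixes the first, a per-session secret the second.

declare(strict_types=1);

// --- XSS: escape on output, for the HTML context --------------------------
function e(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // attribute values quoted either way; the charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the raw query parameter is interpolated into the page.
function greetingVulnerable(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return "<p>Hello, $name</p>";
}

// Fixed: the same value, escaped for the HTML context before output.
function greetingSafe(array $query): string
{
    $name = $query['name'] ?? 'guest';
    return '<p>Hello, ' . e($name) . '</p>';
}

// --- CSRF: per-session token, checked on every state-changing POST --------
// $session stands in for $_SESSION so the functions can be exercised without
// a web server; in a real application pass $_SESSION after session_start().
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrfFormField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrfToken($session)) . '">';
}

function csrfIsValid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals compares in constant time, so the check does not leak
    // how many leading bytes of the token matched.
    return hash_equals($expected, $given);
}

// Handler for a state-changing action such as an email change (constructed).
function handleChangeEmail(array &$session, array $post): string
{
    if (!csrfIsValid($session, $post)) {
        http_response_code(403);  // a forged cross-site POST carries no valid token
        return 'Request rejected: missing or invalid CSRF token.';
    }
    // ...perform the change for the logged-in user here...
    return 'Email updated to ' . e($post['email'] ?? '') . '.';
}

// --- Demonstration with constructed inputs (run with `php thisfile.php`) ---
if (PHP_SAPI === 'cli') {
    $input = ['name' => '<script>alert(1)</script>'];
    echo greetingVulnerable($input), "\n";   // the tag reaches the browser intact
    echo greetingSafe($input), "\n";         // rendered as text: &lt;script&gt;...

    $session = [];
    $form    = csrfFormField($session);      // this is what the real form would carry
    $forged  = ['email' => 'attacker@example.com'];  // cross-site POST: no token
    $genuine = ['email' => 'me@example.com', 'csrf_token' => $session['csrf_token']];
    echo handleChangeEmail($session, $forged), "\n";   // rejected
    echo handleChangeEmail($session, $genuine), "\n";  // accepted
}
```

The point the two halves make together: escaping the output in `greetingSafe` does nothing against the forged POST, and the token check in `csrfIsValid` does nothing against the script in `$input`. Each defense covers exactly one of the two attacks, which is why confusing them leaves one of the two holes open.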
9 Comments
You can use the atlphp.org site as a good example of XSS problems. There are dozens. ;)
Eat your own dog food :-)
Atlanta PHP has received no notices of security vulnerabilities findings from Rasmus -- just these hecklings he's posted here. I have combed the site as best I can and can find no vulnerable points where XSS can be entered and outputted unescaped, but Rasmus has an XSS scanner that he wrote to scan sites, and this is probably what he's using.
Unfortunately, he didn't try to first send me the vulnerabilities output from his scanner so that I could attempt to correct whatever problems he found before he decided to heckle me.
I only did a quick check and was assuming you guys would contact me if you wanted more info or wanted me to run a full scan. Who is the contact for the site?
Just to clarify two things. It wasn't meant as a heckle. It was a badly worded poke for Ben to contact me. And I do apologize for the wording. It wasn't malicious. Malicious would have been posting an XSS link to atlphp.org.
And second, I didn't write that "Eat your own dogfood" comment above that has my name on it. Not even sure what that is supposed to mean.
I'm the contact for the site, but we're in transition since I don't actually have server access, so I can't actually fix any of the code.
At any rate, I wasn't sure what "eat your own dog food" meant, either, and I was also pretty sure it wasn't you since the IP address for it is from Australia, but I did mistakenly take the tone of your original post to be mean-spirited. I guess I should've paid closer attention to the smiley. ;-)
I mistook the original comment too. It's not like we hand-coded the entire site ourselves, heh. Wouldn't hurt to do a thorough security assessment anyway, though - maybe we'd turn up something significant.
Although I agree it's kind of a stupid idiom, the phrase "eat your own dogfood" is known in the software industry to mean "use your own software for actual work", and usually in the context of "QA the daylights out of it before actual customers see what's broken". It would be like if everyone at Microsoft started using OpenOffice or if Rasmus said "Well, I invented PHP, but really prefer to code everything in Python." You'd start to wonder what's wrong with PHP.
Ummmm... Hacks happen, I know. But you might wanna check out http://atlphp.org . It's been rooted and hacked for a while now.
Steve, I'm not sure I follow you. The site looks fine. Might you know something about that server that I do not? If so, it'd be good of you to let me know. :-)