CSRF found in humanbagel.com
Wed, 18 Feb 09 23:28:49 -0700
As any good web security professional should, I am constantly auditing my own scripts, and this time I came up with something!
I found a way for spammers to potentially post anonymous comments on my blog posts via an advanced CSRF attack.
In the past, I (foolishly) believed that my advanced CAPTCHA system would protect against CSRF; this, however, proved false.
By including the captcha image in a remote site (my localhost in this case) and allowing third-party cookies, a user could be tricked...
Proper Hashing
Wed, 18 Feb 09 13:38:51 -0700
Every good web developer hashes his passwords before storing them.
Popular hashes are MD5, SHA-1, Whirlpool, SHA-512, RIPEMD-160, etc.
For those of you who don't know, a hash is a one-way function that is used to protect password data. When a user enters a password, the system hashes the provided password and checks it against the stored one. If there is a match, the script logs the user in.
This provides a huge security boost over plaintext password storage. For one, if your database is hac...
A clear, simple guide to PC protection
Wed, 17 Dec 08 19:23:26 -0700
I made a simple guide to PC protection from online threats. Malware, browser exploits, scams, etc.
It is fairly long, but still simple and easy to use. If you follow the directions here, you should have a highly secure PC, all without spending a dime.
A simple guide to (free) PC protection...
Stop it. Just. Stop. It.
Fri, 28 Nov 08 18:33:25 -0700
Ok, do I have your attention? Good.
Stop it. Just. Stop. It.
About 70% (from my experience) of websites have an XSS hole somewhere. I really don't understand how hard it is to use the htmlentities() function in PHP, or Server.HtmlEncode() in ASP, or any of the numerous such functions in Perl, JSP, SSJS, or anything else you choose.
Google it.
The problem arises when, for whatever reason, the user's input is output to a page, such as 'Your Query, "duhduhduh" returned 0 re...