Bulletproof* image upload security guide for developers

In the series of tubes there’s a ton of tutorials and guides on image upload security, but apparently still not enough: I stumbled upon yet another PHP application image upload vulnerability. These are ridiculously easy to spot, take about 10 minutes to exploit, and if the attacker succeeds, odds are they can upload a web shell, execute arbitrary code on your server and do pretty much whatever they want. So if you’re a developer (especially PHP!) and don’t know how exactly image uploads should be implemented, please, please, please take the time to read and understand.
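To make the point concrete, here is an added example (mine, not code from the original post or from the application it refers to) of the naive PHP upload pattern next to a hardened handler. The naive version trusts the browser-supplied file name and MIME type, which is the whole bug. The hardened version takes the type from the bytes, decodes and re-encodes the image, and stores it under a random server-chosen name outside the web root. The directory names, the size limit and the form field name `image` are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. A hardened image upload
// handler next to the naive pattern it replaces. Directory names, size
// limit and the form field name "image" are assumptions for illustration.
declare(strict_types=1);

// The pattern that keeps showing up (do not use): the browser controls both
// the MIME type and the file name, so "shell.php" sent with type
// "image/jpeg" lands, executable, inside the web root.
function store_upload_naively(array $file): string
{
    if ($file['type'] !== 'image/jpeg') {            // client-supplied, trivially forged
        throw new RuntimeException('not a jpeg');
    }
    $dest = __DIR__ . '/uploads/' . $file['name'];  // client-supplied name and extension
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Assumed: a directory outside the document root that the web server never
// serves directly; images are handed out through a separate read-only script.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Decoder/encoder pairs for the only formats accepted. The extension is
// fixed by the detected type, never taken from the client.
const ALLOWED = [
    IMAGETYPE_JPEG => ['ext' => 'jpg', 'load' => 'imagecreatefromjpeg', 'save' => 'imagejpeg'],
    IMAGETYPE_PNG  => ['ext' => 'png', 'load' => 'imagecreatefrompng',  'save' => 'imagepng'],
    IMAGETYPE_GIF  => ['ext' => 'gif', 'load' => 'imagecreatefromgif',  'save' => 'imagegif'],
];

/**
 * Validate one $_FILES entry and store a freshly re-encoded copy.
 * Returns the server-chosen file name; throws on any failure.
 */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {       // must come from PHP's upload mechanism
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Type comes from the bytes, not from $file['name'] or $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    $type = ALLOWED[$info[2]];

    // Second opinion from libmagic; both detectors must agree.
    if ((new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) !== $info['mime']) {
        throw new RuntimeException('mime mismatch');
    }

    // Decode completely. Truncated or malformed files fail here.
    $img = @$type['load']($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('decode failed');
    }

    // Random name chosen by the server: nothing from the client's file name
    // is reused, so ../ tricks and double extensions have nothing to work with.
    $name = bin2hex(random_bytes(16)) . '.' . $type['ext'];
    $dest = UPLOAD_DIR . '/' . $name;

    // Re-encode from decoded pixels. Trailing data, comments and metadata
    // in the original (the usual home of an embedded PHP payload) are dropped.
    $ok = $type['save']($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('write failed');
    }
    chmod($dest, 0640);
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    header('Content-Type: application/json');
    try {
        $stored = store_uploaded_image($_FILES['image']);
        http_response_code(201);
        echo json_encode(['file' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Two caveats worth knowing before copying this. Re-encoding through GD flattens animated GIFs to their first frame and discards EXIF data, including orientation; if you need those, you need a different strategy for that format, not a weaker check. And the storage location matters as much as the validation: if the files must live under the document root for some reason, disable script execution for that directory in the web server configuration, and serve them with a fixed `Content-Type` and `X-Content-Type-Options: nosniff` so a browser never guesses.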


The problem with certificates and standards

From Slashdot:

“The FAA’s NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and ‘spoofing’ (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn’t worried because the system has been certified and accredited.”

This is a great example of how certifications and standards can create a false sense of security.

Why you should be using a proper HTML sanitization library

The idea that it’s easy to protect your web app from XSS seems to be floating around the interwebz. I’ve seen a whole bunch of “tutorials” saying stuff like “just use htmlencode()” etc. Escaping is the right tool for plain text between tags, but it is context-specific (a javascript: URL survives htmlencode untouched and is still a live link inside an href), and it is no use at all when users are allowed to post some markup of their own; that is what an allowlist sanitizer is for.

If you’re building web applications, even small ones, do yourself a favor and use a proper HTML sanitization library. I hear good things about HTMLPurifier (PHP) and Sanitize (Ruby), and there is probably a library for most other languages as well. I don’t dare to recommend anything specific, so you’ll need to do some research, but it will be time well spent. And if you’re using a framework or CMS, use the sanitization functions it provides.
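As an added illustration (my code, not from the original post or the HTMLPurifier project), here is what “just use htmlencode()” gets you in four output contexts, with constructed attacker inputs. It works in the text context, fails silently for a `javascript:` URL and for an unquoted attribute, and cannot be applied at all to user-formatted rich text, which is the case a sanitizer exists for. The sanitizer step assumes HTMLPurifier is installed through Composer at `vendor/autoload.php` and is skipped otherwise; the `esc`, `safe_http_url` and `render_*` helpers are hypothetical names.

```php
<?php
// Added example, not code from the original post. Demonstrates where
// htmlspecialchars() does and does not protect against XSS, and what an
// allowlist sanitizer adds. HTMLPurifier is assumed to be installed through
// Composer (vendor/autoload.php); that part is skipped if it is missing.
declare(strict_types=1);

// Constructed attacker inputs, one per output context.
const SAMPLES = [
    'text' => '<script>alert(1)</script>',
    'url'  => 'javascript:alert(1)',
    'attr' => 'x onmouseover=alert(1)',
    'rich' => '<p>Hi <b>there</b> <a href="javascript:alert(1)">click</a>'
            . '<img src=x onerror=alert(1)></p>',
];

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 1: text between tags. Escaping is exactly the right tool here:
// the angle brackets become entities and the browser renders literal text.
function render_text(string $userText): string
{
    return '<p>' . esc($userText) . '</p>';
}

// Context 2: URL attribute. esc() leaves "javascript:alert(1)" byte-for-byte
// intact because it contains none of the five escaped characters, so the
// resulting link still runs script on click. The fix is a scheme allowlist,
// applied before escaping.
function render_link_broken(string $userUrl): string
{
    return '<a href="' . esc($userUrl) . '">link</a>';
}

function safe_http_url(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true) ? $url : null;
}

function render_link(string $userUrl): string
{
    $url = safe_http_url($userUrl) ?? '#';
    return '<a href="' . esc($url) . '">link</a>';
}

// Context 3: unquoted attribute. There is nothing for esc() to escape in
// "x onmouseover=alert(1)"; the space ends the attribute value and the
// rest becomes an event handler. Always quote attribute values.
function render_title_broken(string $userTitle): string
{
    return '<div title=' . esc($userTitle) . '>x</div>';
}

function render_title(string $userTitle): string
{
    return '<div title="' . esc($userTitle) . '">x</div>';
}

// Context 4: rich text the user is allowed to format. Escaping it keeps the
// page safe but shows <b> as literal text; the feature is gone. This is the
// case that needs a sanitizer: parse the HTML, keep an allowlist of tags and
// attributes, and restrict URL attributes to safe schemes.
function purify_rich_text(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($html);
}

// Demo driver.
echo render_text(SAMPLES['text']), PHP_EOL;         // harmless
echo render_link_broken(SAMPLES['url']), PHP_EOL;   // still exploitable
echo render_link(SAMPLES['url']), PHP_EOL;          // href replaced with "#"
echo render_title_broken(SAMPLES['attr']), PHP_EOL; // still exploitable
echo render_title(SAMPLES['attr']), PHP_EOL;        // handler stays inside the quotes

$autoload = __DIR__ . '/vendor/autoload.php';       // assumed Composer layout
if (is_file($autoload)) {
    require $autoload;
    echo purify_rich_text(SAMPLES['rich']), PHP_EOL; // script, img and javascript: dropped
} else {
    echo 'HTMLPurifier not installed; sanitizer step skipped', PHP_EOL;
}
```

The toy `safe_http_url` check is deliberately strict and also rejects relative URLs; a real application would decide its own policy there. The larger lesson is the one the post makes: escaping is one tool for one context, and the moment you accept any markup from users you are writing an HTML parser with a security policy, which is exactly the code you should get from a maintained library rather than write yourself.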
