prettyPhoto DOM based XSS on Saotn.org… This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
…
The less spammers hit your WordPress blog, the better your blog performs, is one of my opinions. A second is, the less unnecessary plugins you use on your WordPress blog, the better. So, a little while ago I decided to remove plugins like Stop Spammer Registration Plugin and do its work myself. Here is why & how:
…
In this article I’ll give some real live examples of using these ported GnuWin tools like grep.exe for logfile analysis on Windows servers. The article provides three examples as an alternative to Microsoft’s Log Parser tool, because finding spam scripts fast is often very important.
Grep for forensic log parsing and analysis on Windows Server IISRead More »
The following was posted to the Web Security Mailinglist: Unauthorized Access: Bypassing PHP strcmp(). A way to bypass PHP’s strcmp() binary safe string comparison function.
Acunetix’ Bogdan Calin wrote an article explaining why .htaccess files should not be used to secure sensitive data: htaccess files should not be used for security restrictions.
…“htaccess files should not be used for security restrictions”Read More »
Here are 7 .htaccess snippets for you to secure your website, by using .htaccess as a kind of Web Application Firewall (WAF). You can use this information to block exploits and rogue HTTP requests on your website.
…7 Snippets to use .htaccess as a Web Application FirewallRead More »