Web Application Security, Part 2 with Scott Arciszewski
In this weeks episode we continue our discussion with Scott Arciszewski about all things Security and Cryptography. We start off the show by highlighting what a SQL injection attack is and the differences between (emulated) prepared statements. This leads us on to look into how to securely handle file uploads, what a reverse shell is and how to defend yourself against XSS/CSRF attacks. From here we touch upon the recent inclusion of libsodium into PHP, why mcrypt should be avoided, and the side-channel vulnerabilities that brought way to Meltdown and Spectre. Finally, we mention how computers generate seemingly random numbers, what a Web Application Firewall (WAF) is, and how WARD goes about protecting your systems.
- Scott Arciszewski on Twitter
- Paragon Initiative Enterprises
- The 2018 Guide to Building Secure PHP Software
- Are PDO prepared statements sufficient to prevent SQL injection?
- Preventing SQL Injection in PHP Applications
- paragonie/easydb - Easy-to-use PDO wrapper for PHP projects.
- Security at the expense of usability comes at the expense of security.
- Security B-Sides Orlando 2017
- TimThumb WebShot Code Execution Exploit (Zeroday)
- Reverse shell !?!
- paragonie/anti-csrf - Full-Featured Anti-CSRF Library
- Using Libsodium in PHP Projects
- paragonie/sodium_compat - Pure PHP polyfill for ext/sodium
- It Turns Out, 2017 is the Year of Simply Secure PHP Cryptography
- The ECB Penguin
- Cache-timing attacks on AES
- Side-Channel Attacks on Everyday Applications
- Meltdown and Spectre
- PCID is now a critical performance/security feature on x86
- If You’re Typing the Word MCRYPT Into Your PHP Code, You’re Doing It Wrong
- Myths about /dev/urandom
- PHP - random_bytes
- PHP - random_int
- Ward - Web Application Realtime Defender