Grepping for bugs in PHP

Today I used the following commands to grep through PHP source code to find some bugs. I thought they may be useful to someone else, so I thought I would stick them on here. This list is by no means extensive; however, they are the ones I found most useful.

Find user input/output for possible XSS:

grep -i -r "echo" *
grep -i -r "\$_GET" *
grep -i -r "\$_" * | grep "echo"
grep -i -r "\$_GET" * | grep "echo"
grep -i -r "\$_POST" * | grep "echo"
grep -i -r "\$_REQUEST" * | grep "echo"

Posted on 1 February, 2011 by ethicalhack3r

Web Application Security Timeline (WAST) v1.0

In order to know where we’re going, we have to understand where we have come from.

Over the weekend I had the idea of creating the Web Application Security Timeline (WAST) and posted an RFC yesterday in this post: http://www.ethicalhack3r.co.uk/security/web-application-security-timeline-rfc/. After much feedback from the WebAppSec community from various mailing lists, Twitter, email and this blog, I present to you version 1.0!

“This timeline was created by Ryan Dewhurst from the accumulation of feedback from the WebAppSec community to visualise and allow others to visualise the significant events in the short history of web application security. This image holds no copyright or has any restrictions of use, think of this image as yours and do as you wish with it. If you believe that any of the information on the timeline is incorrect or have any other feedback on improvements please email ryandewhurst-A-gmail.com with the subject of ‘wast’.”

[Image: Web Application Security Timeline (WAST) v1.0]

Posted on 10 January, 2011 by ethicalhack3r

Web Application Security Timeline RFC

In order to know where we’re going, we have to understand where we have come from.

I began wondering a couple of days ago, how did we get here? What was the evolution of web application security? To answer this question I decided to put together a Web Application Security Timeline.

The timeline I present to you today is just a start; I hope to make it more comprehensive with feedback from the community. So I ask for your comments!

  • What were the most significant events in the short history of web application security?
  • What is missing from the timeline?
  • How would you improve it?

[Image: Web Application Security Timeline DRAFT]

Posted on 9 January, 2011 by ethicalhack3r

Barclays bank #fail

Look what I saw in a Barclays bank window during my trip to Gibraltar! PCI Fail?

Posted on 3 January, 2011 by ethicalhack3r

Persistent BeEF

No, not that kind of beef!

“BeEF is a browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.”

http://www.bindshell.net/tools/beef/

BeEF is a tool used to enhance the exploitation of Cross Site Scripting (XSS) attacks by providing a complete and easy-to-use exploitation framework. It currently sports Metasploit integration, keylogging, port scanning, TOR detection and many other cool features. You no longer have an excuse to fill your reports with ‘XSS’ pop-up boxes!

Posted on 5 November, 2010 by ethicalhack3r
