EP21 – Web Application Security 101




Dev1.tv » Entry Level show

Summary: This week Arlo, Erick and Ryan talk about what they think every entry level developer should know about web application security and the minimal amount of effort that should be taken when developing. Keep in mind, there is much much more information out there about different types of web security vulnerabilities. This list is just a friendly discussion between developers and sharing experiences and knowledge with entry level developers.

Who's going to want to hack me?

- NOT WHO BUT HOW: welcome to the world of robot scraping. Attackers are not targeting you personally; automated scanners probe every site they find.
- What are they looking for?
  - lots of automated tools
  - lots of online databases: exploit-db.com
  - automating form submissions
  - mail hijacking
  - Unicode exploits (IE)
  - XSS
    - persistent
    - non-persistent
  - shell exploits
  - SQL injections (BIGGEST ONE)
- SECURITY THROUGH OBSCURITY IS NOT SECURITY

What can I do as a developer?

- SQL injections: input sanitization
  - DO
    - mysql_real_escape_string
    - look into prepared statements
    - do the escaping based on the connection to the database (so it matches the connection's character set)
  - DON'T
    - addslashes, etc.
    - trust user input, even if it is stored in the database
- XSS: input sanitization
  - persistent
  - non-persistent
- Unicode bugs (UTF-8) (Erick)
  - PHP: use the mb_ (multibyte) string functions
- Shell exploits (Ryan)
  - vulnerable functions: exec, shell_exec, system, proc_open, passthru, `` (backticks)
  - protection: escapeshellcmd, escapeshellarg

Mentioned links: XSS, SQL Injection, Exploit DB
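The two "what can I do as a developer" items the hosts stress most, SQL injection and shell exploits, as an added example that is not part of the episode: each vulnerable pattern sits next to the fix the hosts recommend (prepared statements, escapeshellarg). The database is an assumed in-memory SQLite via PDO so it runs offline; the prepare()/execute() calls are the same against MySQL, and the hostile inputs are constructed for the demo.

```php
<?php
// Added example: vulnerable and hardened forms of the two patterns discussed.
// Assumption: PDO with an in-memory SQLite database, standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('admin', 'admin')");

// Constructed hostile input: closes the string literal and appends a tautology.
$input = "x' OR '1'='1";

// VULNERABLE: untrusted input concatenated straight into the query text.
// The WHERE clause becomes name = 'x' OR '1'='1', which matches every row,
// so the attacker reads the whole table instead of one user.
$sql  = "SELECT name FROM users WHERE name = '" . $input . "'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "concatenated query matched " . count($rows) . " row(s)\n";

// FIXED: prepared statement with a bound parameter. The query structure is
// fixed before the value is supplied, so the quote inside $input is only data
// and cannot change the WHERE clause. This is what "look into prepared
// statements" means; it also removes the need to escape by hand.
$stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
$stmt->execute([':name' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement matched " . count($rows) . " row(s)\n";

// Shell exploits: the same lesson for exec(), shell_exec(), system(),
// passthru(), proc_open() and backticks, which all hand a string to /bin/sh.
// Constructed hostile input: a command separator followed by a second command.
$host = "example.com; id";

// VULNERABLE: the shell sees two commands and runs both.
$unsafe = "ping -c 1 " . $host;

// FIXED: escapeshellarg() wraps the value in single quotes and escapes any
// embedded quotes, so the entire value is one literal argument to ping.
$safe = "ping -c 1 " . escapeshellarg($host);

// The commands are only displayed here, not executed.
echo "unsafe command: $unsafe\n";
echo "safe command:   $safe\n";
```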