Crash Course Security

Stefan Esser (Jun 11, 2009)
at Dutch PHP Conference 2009 (English - US)

Rating: 4 of 5

This workshop is meant for PHP programmers who know the basics of PHP but have little or no insight into the security problems they have to deal with when developing web applications. During the workshop the most important subjects of web application security will be introduced, which are:

* Input filtering
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* SQL Injection
* Session Management
* PHP Code Inclusion and Evaluation

Every subject will be introduced from the attacker's and the programmer's point of view, because for an effective defense it is vital to understand the tricks of the offense.


Comments

Rating: 4 of 5

Jun 11, 2009, 14:41 by relaxnow

Only saw a quarter of this tutorial (after morning coffee break and before lunch).
Talk mentioned all of the important security issues out there right now and how to fix them.
Unfortunately it was a talk aimed at beginners in the field of WebAppSec and I was hoping for more advanced topics (my fault, it's a 'Crash Course').
Good talk!

Rating: 5 of 5

Jun 12, 2009, 10:08 by ianb

Covered pretty much all the basics of web app security, with some nice snippets of more unusual stuff - which was exactly what it was billed as. Very knowledgeable speaker, there were quite a few examples of types of exploits, but maybe could have been something included on the more general process of testing the security of your web apps.

Rating: 3 of 5

Jun 13, 2009, 08:02 by jach

Good tutorial. Covered all the basics. If he had put in a bit more examples and maybe some advanced stuff it would have been perfect.

Rating: 4 of 5

Jun 14, 2009, 11:17 by rooster

This was advertised as a "crash course" so I was expecting to hear a lot of things I had heard before, whilst keeping my fingers crossed for something new.

I found the parts about UTF-7 and character encoding particularly interesting, along with the union selects (sql injection).

Whilst Stefan didn't come across as an excited or enthusiastic speaker (maybe because of issues on the day), it is very clear that he knows his stuff and it's nice to come away with an "expert" view on the way certain strategies should be implemented.

In my opinion, the "crash course" aspect of security could be left for the standard sessions (one hour talk) and this kind of tutorial day would be better used as an intermediate to advanced session, skipping or skimming over the basics and going straight to the juicy stuff. [My rating won't reflect that comment because the title was clear enough]


© joind.in 2010