Websec.io - Web Application Security
http://websec.io
Latest Articles (feed built Mon, 11 Dec 2017 01:42:12 -0600)

Building a Secure API - Part 5 (Wed, 16 Aug 2017 00:00:00 -0500)
  http://websec.io/2017/08/16/Build-Secure-API-Part5.html
  Build out the secure login and request authorization flow in a few final steps.

Building a Secure API - Part 4 (Wed, 21 Jun 2017 00:00:00 -0500)
  http://websec.io/2017/06/21/Build-Secure-API-Part4.html
  Building out the database and models to power the API.

Building a Secure API - Part 3 (Fri, 12 May 2017 00:00:00 -0500)
  http://websec.io/2017/05/12/Build-Secure-API-Part3.html
  Improving the Slim structure to make it more extendable.

Building a Secure API - Part 2 (Mon, 01 May 2017 00:00:00 -0500)
  http://websec.io/2017/05/01/Build_Secure-API-Part2.html
  Take the first steps into using Slim to create a secure API.

Building a Secure API - Part 1 (Fri, 14 Apr 2017 00:00:00 -0500)
  http://websec.io/2017/04/14/Build-Secure-API-Part1.html
  API security doesn't have to be confusing if you build it in from the start.

Build Security In - Introduction (Part 1) (Mon, 20 Feb 2017 00:00:00 -0600)
  http://websec.io/2017/02/20/Build-Security-In-Introduction-Part1.html
  Get started building security into your applications.

Securing Legacy Applications - Part 2 (Fri, 30 Dec 2016 00:00:00 -0600)
  http://websec.io/2016/12/30/Securing-Legacy-Applications-Part2.html
  Securing legacy code can be tricky; here are a few more hints.

Securing Legacy Applications - Part 1 (Tue, 13 Sep 2016 00:00:00 -0500)
  http://websec.io/2016/09/13/Security-Legacy-Applications-Part1.html
  Securing legacy code can be tricky; here are a few "quick hits" to get you started.

Defaulting to Secure (Wed, 17 Aug 2016 00:00:00 -0500)
  http://websec.io/2016/08/17/Defaulting-to-Secure.html
  Defaulting to secure settings in your tools helps keep the world a safer place.

Passwords are Dead, Long Live Passwords (Thu, 11 Aug 2016 00:00:00 -0500)
  http://websec.io/2016/08/11/Passwords-Dead-Long-Live-Passwords.html
  Passwords are a thorn in the security of any application. How can we fix this?

The Importance of Effective Validation (Tue, 28 Jun 2016 00:00:00 -0500)
  http://websec.io/2016/06/28/Importance-Effective-Validation.html
  Good validation practices on incoming data can save lots of trouble down the line.

Risky Business (Thu, 28 Apr 2016 00:00:00 -0500)
  http://websec.io/2016/04/28/Risky-Business.html
  Proper risk evaluation can minimize the impact an attack can have on your apps.

Security Policy Evaluation in Laravel with PropAuth (Wed, 07 Oct 2015 00:00:00 -0500)
  http://websec.io/2015/10/07/Security-Policy-Evaluation-Laravel-PropAuth.html
  Property-based policy evaluation is a more flexible alternative to the usual hard-coded checks.

Security is for Beginners (Thu, 02 Jul 2015 00:00:00 -0500)
  http://websec.io/2015/07/02/Security-For-Beginners.html
  Why isn't application security taught as a beginner concept?

Input Validation Strategies - Introduction (Tue, 10 Feb 2015 00:00:00 -0600)
  http://websec.io/2015/02/10/Input-Validation-Strategies-Intro.html
  Validating input can help prevent most common security issues - let's learn how.

Securing Requests with JWT (JSON Web Tokens) (Mon, 04 Aug 2014 00:00:00 -0500)
  http://websec.io/2014/08/04/Securing-Requests-with-JWT.html
  JWTs can provide an extra layer of validation and protection for your requests.

Fun with Input Handling: Regex, Logs & Serializing (Fri, 13 Jun 2014 00:00:00 -0500)
  http://websec.io/2014/06/13/Fun-with-Input-Handling-regex-logs-serializing.html
  Validating input isn't just about values, it's about context too.

Versioning Data Validation (Mon, 17 Feb 2014 00:00:00 -0600)
  http://websec.io/2014/02/17/Versioning-Data-Validation.html
  Input validation is a must for any application, but changing rules can make it tricky.

Input Filtering & Validation with Aura.Filter (Tue, 31 Dec 2013 00:00:00 -0600)
  http://websec.io/2013/12/31/Input-Filtering-Validation-Aura-Filter.html
  The Aura.Filter component provides effective and easy-to-use data filtering & validation features.

Iniscan - A Security Best Practices php.ini Scanner (Fri, 06 Dec 2013 00:00:00 -0600)
  http://websec.io/2013/12/06/Iniscan-Security-Best-Practices-phpini-Scanner.html
  Securing your configuration is important - let this tool help.

Core Concepts: Access Control (A Primer) (Fri, 22 Nov 2013 00:00:00 -0600)
  http://websec.io/2013/11/22/Access-Control-Primer.html
  Good access control systems (and their management) are key to an application's security.

Implementing Custom Two-Factor Auth (with Twilio) (Mon, 28 Oct 2013 00:00:00 -0500)
  http://websec.io/2013/10/28/Implementing-Custom-Two-Factor-Auth-Twilio.html
  Implement your own SMS-based two-factor authentication via the Twilio API.

Two-Factor with a Wave - Using Clef (Thu, 26 Sep 2013 00:00:00 -0500)
  http://websec.io/2013/09/26/Two-Factor-with-Wave-Using-Clef.html
  The Clef service provides an interactive, easy-to-implement two-factor solution.

Core Concepts: Trust Boundaries (Tue, 27 Aug 2013 00:00:00 -0500)
  http://websec.io/2013/08/27/Core-Concepts-Trust-Boundaries.html
  Trust boundaries are the gatekeepers for data in your applications.

Security Standards: XACML - Extensible Access Control Markup Language (Thu, 01 Aug 2013 00:00:00 -0500)
  http://websec.io/2013/08/01/Security-Standard-XACML.html
  The XACML standard from OASIS provides an attribute-based authentication structure.

The Plight of the Password (Fri, 21 Jun 2013 00:00:00 -0500)
  http://websec.io/2013/06/21/The-Plight-of-the-Password.html
  Passwords must die; find out how to help that along in your own applications.

Effective Security Logging with Monolog (Thu, 16 May 2013 00:00:00 -0500)
  http://websec.io/2013/05/16/Effective-Security-Logging-Monolog.html
  Logging is a tricky subject - what to log, when to log and what tools to use.

The Secure Development Lifecycle (Thu, 02 May 2013 00:00:00 -0500)
  http://websec.io/2013/05/02/The-Secure-Development-Lifecycle.html
  Learn about Microsoft's industry-standard secure development practices.

Effective Validation with Respect (Mon, 01 Apr 2013 00:00:00 -0500)
  http://websec.io/2013/04/01/Effective-Validation-with-Respect.html
  The Respect Validation library helps validate and protect from bad user data.

DREADing Your Security (Wed, 20 Mar 2013 00:00:00 -0500)
  http://websec.io/2013/03/20/DREADing-Your-Security.html
  Using the DREAD threat modeling framework, you can get a better view of the risk of your application.

Two-Factor the Yubikey Way (Tue, 05 Mar 2013 00:00:00 -0600)
  http://websec.io/2013/03/05/Two-Factor-the-Yubikey-Way.html
  The Yubikey USB hardware token makes two-factor authentication as easy as pushing a button.

Safety in PHP Dependencies with Composer (Mon, 18 Feb 2013 00:00:00 -0600)
  http://websec.io/2013/02/18/Safety-PHP-Dependencies-Composer.html
  Composer provides easy package management for PHP developers, but be careful with what you use.

API Authentication: HMAC with Public/Private Hashes (Thu, 14 Feb 2013 00:00:00 -0600)
  http://websec.io/2013/02/14/API-Authentication-Public-Private-Hashes.html
  Implementing a public/private HMAC hashing layer in your API helps authenticate and validate the request.

Beware the Mass Assignment (Mon, 04 Feb 2013 00:00:00 -0600)
  http://websec.io/2013/02/04/Beware-the-Mass-Assignment.html
  Mass assignment vulnerabilities can be a hard-to-find issue in your applications. Learn how to prevent them.

Core Concepts: Attack Surface (Mon, 28 Jan 2013 00:00:00 -0600)
  http://websec.io/2013/01/28/Core-Concepts-Attack-Surface.html
  Knowing the exposed points of your application can help heighten your security and defenses.

Password Hashing with Zend\Crypt (Mon, 21 Jan 2013 00:00:00 -0600)
  http://websec.io/2013/01/21/Password-Hashing-with-Zend-Crypt.html
  The Zend\Crypt component of the Zend Framework makes bcrypting your passwords simple.

Google's Two-Factor Auth - Online or Offline (Fri, 11 Jan 2013 00:00:00 -0600)
  http://websec.io/2013/01/11/Googles-Two-Factor-Auth-Online-Offline.html
  The Google Authenticator smartphone application makes two-factor auth simple, even without a connection.

Two-Factor Auth Integration with Duo Security (Wed, 09 Jan 2013 00:00:00 -0600)
  http://websec.io/2013/01/09/Two-Factor-Auth-Integration-with-Duo-Security.html
  Using the Duo Security API you can manage multiple users and integrations, all through a REST interface.

Easy Two-Factor Authentication with Authy (Mon, 07 Jan 2013 00:00:00 -0600)
  http://websec.io/2013/01/07/Easy-Two-Factor-with-Authy.html
  Using the Authy REST API, you can quickly and easily integrate two-factor auth into your system.

Security in the Round (Mon, 31 Dec 2012 00:00:00 -0600)
  http://websec.io/2012/12/31/Security-in-the-Round.html
  Keeping the "bigger picture" in mind when assessing the security of your application is vital.

SQLi in NoSQL - A Word of Warning (Wed, 19 Dec 2012 00:00:00 -0600)
  http://websec.io/2012/12/19/NoSQL-Injection.html
  Just because you're using a NoSQL db doesn't mean you're safe from SQL injections.

Core Concepts: Attack Patterns (Mon, 26 Nov 2012 00:00:00 -0600)
  http://websec.io/2012/11/26/Core-Concepts-Attack-Patterns.html
  Attack patterns provide a common language to refer to threat types and methods of attack.

STRIDEing for Security (Mon, 19 Nov 2012 00:00:00 -0600)
  http://websec.io/2012/11/19/STRIDEing-for-Security.html
  The STRIDE method of threat modeling gives you a simple way to evaluate the possible weak points in your application.

Code Defensively (Mon, 12 Nov 2012 00:00:00 -0600)
  http://websec.io/2012/11/12/Code-Defensively.html
  Sometimes the best defense is a good offense - "think like an attacker" with these hints to prevent exploits.

The External CSRF Threat & Protecting Your App (Mon, 29 Oct 2012 00:00:00 -0500)
  http://websec.io/2012/10/29/External-CSRF-Threat-Protecting-Your-App.html
  Cross-site Request Forgeries are still a common threat. Learn how to protect your app from this pesky issue.

Fail Fast Securely (Mon, 22 Oct 2012 00:00:00 -0500)
  http://websec.io/2012/10/22/Fail-Fast-Securely.html
  One key to keeping an app secure is the when & how of dealing with failure.

Core Concepts: Defense in Depth (Fri, 12 Oct 2012 00:00:00 -0500)
  http://websec.io/2012/10/12/Core-Concepts-Defense-in-Depth.html
  Part of the "Core Concepts" series, this article examines the "Defense in Depth" thought pattern to secure your app.

An Introduction to Content Security Policy (Tue, 02 Oct 2012 00:00:00 -0500)
  http://websec.io/2012/10/02/Intro-to-Content-Security-Policy.html
  Learn how to protect your site with a Content Security Policy limiting Javascript, CSS and reporting.

Using Mozilla Persona with PHP & jQuery (Mon, 01 Oct 2012 00:00:00 -0500)
  http://websec.io/2012/10/01/Using-Mozilla-Persona-with-PHP-jQuery.html
  An introduction to this new tool and implementing it with jQuery and a bit of PHP.

Tools of the Trade: WebGoat & DVWA (Fri, 21 Sep 2012 00:00:00 -0500)
  http://websec.io/2012/09/21/Tools-of-the-Trade-Webgoat-DVWA.html
  Learn about the WebGoat and Damn Vulnerable Web Application tools to practice your testing skills.

Dirty Data: Protecting Your App from Your Users (Fri, 14 Sep 2012 00:00:00 -0500)
  http://websec.io/2012/09/14/Dirty-Data-Protect-App-Users.html
  All user data is tainted, but how do you effectively deal with it? Read on...

Encrypted Sessions with PHP (Mon, 10 Sep 2012 00:00:00 -0500)
  http://websec.io/2012/09/10/Encrypted-Sessions-with-PHP.html
  Use a simple custom session handler in PHP to protect your session data on the server.

A Silent Threat - PHP in EXIF (Wed, 05 Sep 2012 00:00:00 -0500)
  http://websec.io/2012/09/05/A-Silent-Threat-PHP-in-EXIF.html

TCrypto: Encrypted data storage for PHP applications (Wed, 29 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/29/TCrypto-Encrypted-Data-Storage-for-PHP.html
  Learn how to use the TCrypto library to protect your data.

Preventing XXE in PHP (Mon, 27 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/27/Preventing-XXE-in-PHP.html
  XML External Entity attacks are a lesser-known threat; learn how to protect your PHP application.

Shared Hosting: PHP Session Security (Fri, 24 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/24/Shared-Hosting-PHP-Session-Security.html
  A few things to think about when using PHP sessions, especially on a shared server.

Effective File Upload Handling Tips (Tue, 21 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/21/Effective-Upload-Handling-Tips.html
  Handling user input can be tricky, file uploads even more so - here are some do's, don'ts and musts.

OWASP Top Ten: Broken Authentication and Session Management (Sat, 18 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/18/OWASP-Top-Ten-User-Auth-Management.html
  A look at one of the "Top 10" from the OWASP largest vulnerabilities list.

Casting Your Net: Securing Your Site with Skipfish (Fri, 17 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/17/Casting-Your-Net-Secure-Site-Skipfish.html
  See how to use this simple tool to help find flaws in your applications.

Protect Yourself with the Google Safe Browsing API (Wed, 15 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/15/Protect-Yourself-Google-Safe-Browsing-API.html
  Google offers an API that tells you if a site is "safe". Read on to learn how to use it.

Playing Your Cards Close - Custom Error & Exception Handling (Tue, 14 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/14/Playing-Your-Cards-Close-Error-Exception-Handling.html
  Default PHP error handling shares way too much information - learn how to use custom handlers to prevent it.

Stay Safe in Your Php.ini (Mon, 13 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/13/Stay-Safe-in-Your-Phpini.html
  The default settings in PHP's configuration aren't all secure; here are a few you should change.

Can't Trust the $_SERVER (Sat, 11 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/11/Can't-Trust-the-$_SERVER.html
  PHP's $_SERVER superglobal contains some values that come from the user - be careful what you use!

OWASP Top Ten: Cross-Site Scripting (XSS) (Fri, 10 Aug 2012 00:00:00 -0500)
  http://websec.io/2012/08/10/OWASP-Top-Ten-Cross-Site-Scripting.html
  A look at one of the "Top 10" from the OWASP largest vulnerabilities list.