Interstell, Inc.

Security, Application Security, and Software Research

Category: Application Security

Two More Ways to Protect Your Web Site from Uploaded Malware

If your website has to accept file uploads, you might already have read my previous blog posts about protecting your Java-based site or your PHP-based site. Those posts talked about how to make sure that the uploaded file was the kind of file you were expecting — a PDF, an Excel worksheet, a JPEG, and the like. That protects your site against exploits that target how the web server handles […]

4 Ways to Protect Your PHP Website from File Uploads

Introduction: Does your PHP website need to accept uploads? Do you maybe let customers upload graphics, or maybe PDFs? If you do, I have good news, and bad news. First, the bad news: Accepting uploads is stunningly dangerous. There might be rogue code lurking in that JPG that could compromise your WordPress site (like CVE-2014-1905). There might be exploit code hiding in the PDF (like in CVE-2013-0724) you just let someone […]

Your Java Web App Allows Uploads? I Am SO Sorry!

Introduction: Does your Java web application have to allow users to upload files? My condolences! Uploading a file to your web server is like inviting the Trojans to bring in their horse. A big horse, made of wood, that sounds suspiciously hollow. Except for whatever’s rolling around in there. In some cases, that’s literally what’s happening! Such a dangerous operation requires extraordinary protections, and in this post, I’ll cover one […]

XSS – Sometimes a Threat Needs a Specific Response

Ordinarily, I try to stay away from defending against specific attacks. Instead, I prefer to write software that is resistant to attacks using generalized defenses like input protections. However, there are some cases where an attack is so pervasive and its results so devastating that it deserves its own set of defenses. Cross site scripting (XSS) is one such attack. Sitting at #3 in OWASP’s most recent top ten vulnerabilities, […]

Can’t Use Whitelists for your PHP Web App? Don’t Abandon Hope!

In my last post, I refreshed your memory about how whitelists are a great way of protecting very focused Java web applications like financial systems. They’re not so great if you need to allow a wide range of input types, maybe even to the point of allowing customers to enter HTML tags. So what about PHP applications? If a whitelist won’t do, you could write a module to filter all possible types of input, but you’d […]