I had an interesting conversation the other day. It was one of those conversations that forced me to re-evaluate some assumptions I didn’t even know I had. Don’t you just love those kinds of conversations? I had mentioned to a friend that I worked for OCLC. The company is well-known in central Ohio, so folks […]
Two More Ways to Protect Your Web Site from Uploaded Malware
If your website has to accept file uploads, you might already have read my previous blog posts about protecting your Java-based site or your PHP-based site. Those posts talked about how to make sure that the uploaded file was the kind of file you were expecting — a PDF, an Excel worksheet, a JPEG, and […]
4 Ways to Protect Your PHP Website from File Uploads
Introduction Does your PHP website need to accept uploads? Do you maybe let customers upload graphics, or maybe PDFs? If you do, I have good news, and bad news. First, the bad news: Accepting uploads is stunningly dangerous. There might be rogue code lurking in that JPG that could compromise your WordPress site (like CVE-2014-1905). […]
Your Java Web App Allows Uploads? I Am SO Sorry!
Introduction Does your Java web application have to allow users to upload files? My condolences! Uploading a file to your web server is like inviting the Trojans to bring in their horse. A big horse, made of wood, that sounds suspiciously hollow. Except for whatever’s rolling around in there. In some cases, that’s literally what’s […]
XSS – Sometimes a Threat Needs a Specific Response
Ordinarily, I try to stay away from defending against specific attacks. Instead, I prefer to write software that is resistant to attacks using generalized defenses like input protections. However, there are some cases where an attack is so pervasive and its results so devastating that it deserves its own set of defenses. Cross-site scripting […]