Archive for the 'security' Category



Buffer Overflows vs. XSS

Many people have tried to compare buffer overflows (BOF) with XSS, and even the new XSS book has the subtitle “XSS Is the New Buffer Overflow, JavaScript Malware Is the New Shell Code”. The conclusion is, most of the time, that there are many similar things, but the most important difference is that XSS vulnerabilities are much [...]

PHPIDS Released

Christian Matthies, aka christ1an, has announced the first public release of the so-called PHPIDS, which was written by him, Mario Heiderich and Lars Strojny. PHPIDS (PHP Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP-based web application. The IDS neither strips, sanitizes nor filters any [...]

Over a month ago I wrote a blog posting called “Protect your Web Applications through Encryption”, in which I started to talk about “crypto-defense” for web applications, or, better said, I started on it one posting earlier, where I wrote about “Secure Data Transfer over HTTP without SSL“. The basic idea was very simple: I [...]

CSRF Explained

Once more, this is just a piece of information for the readers of my blog. Yesterday Ronald van den Heetkamp published a blog posting about what Cross Site Request Forgeries, aka CSRFs, are. From my point of view it’s the best explanation of this attack class on the Internet. Great job, Ronald! You can find the [...]

Welcome to the .bank

Today I got a mail through one of the thousands of mailing lists I’m subscribed to, and hey, the linked article in this mail is, from my point of view, about one of the most stupid ideas ever. The link pointed to http://www.foreignpolicy.com/story/cms.php?story_id=3798 where Mikko Hypponen, chief research officer at F-Secure, wrote an article about a [...]

A few days ago, RSnake wrote a blog posting about a Firefox extension called ”XSS Warning“, which was written by Gianni Amato. The idea of the extension is quite simple, because all it does is analyze the URL in the URL bar when you start the request. Gianni did all of this with just [...]
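Both the PHPIDS teaser (an IDS that detects but neither strips, sanitizes nor filters) and the XSS Warning teaser (look at the URL before the request goes out) describe the same basic approach: inspect the input and report, rather than rewrite it. The following is an added illustration of that approach written for this archive page; it is not code from PHPIDS, from Gianni Amato's extension, or from the original posts. The pattern list, the names of the findings and the three-round decoding limit are assumptions chosen for the example, and a real filter would need a far larger rule set.

```javascript
// Added example: a small reflected-XSS heuristic over the parts of a URL an
// attacker controls (query values, fragment, path). It only reports; it never
// modifies the URL. The patterns below are assumptions for this illustration,
// not the rule set of PHPIDS or XSS Warning.
const SUSPICIOUS = [
  { name: "script-tag",      re: /<\s*script/i },
  { name: "javascript-uri",  re: /javascript\s*:/i },
  { name: "event-handler",   re: /\bon[a-z]+\s*=/i },
  { name: "active-element",  re: /<\s*(svg|img|iframe|object|embed)\b/i },
  { name: "css-expression",  re: /expression\s*\(/i },
];

// Decode repeatedly (bounded) so double-encoded payloads are seen:
// "%253Cscript" -> "%3Cscript" -> "<script". A malformed escape stops decoding
// rather than throwing, so a deliberately broken sequence cannot hide a payload
// that was already visible in an earlier round.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch (e) {
      break; // URIError on a bad %-sequence: keep what we have so far
    }
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Returns a list of findings ({where, pattern, value}); an empty list means
// nothing in the URL matched. Callers decide what to do with a finding
// (warn the user, log it, block), which is what distinguishes detection from
// sanitization.
function analyzeUrl(url) {
  const parsed = new URL(url);
  const findings = [];
  const check = (where, raw) => {
    const decoded = fullyDecode(raw);
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(decoded)) {
        findings.push({ where, pattern: name, value: decoded });
      }
    }
  };
  // searchParams already applies one round of decoding; fullyDecode handles
  // any further layers the attacker added.
  for (const [key, value] of parsed.searchParams) check(`query:${key}`, value);
  if (parsed.hash) check("fragment", parsed.hash.slice(1));
  check("path", parsed.pathname);
  return findings;
}

// Constructed sample URLs for a stand-alone run (not taken from the posts).
const SAMPLES = [
  "https://example.test/search?q=hello+world",
  "https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
  "https://example.test/p?x=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E",
];
for (const u of SAMPLES) {
  console.log(u, "=>", JSON.stringify(analyzeUrl(u)));
}
```

Two caveats a practitioner would add: regex heuristics like these produce both false negatives (encodings and tag variants the list does not cover) and false positives (a value that legitimately contains `onboarding=`), which is exactly why a detection layer reports rather than rewrites, and why the real fix for reflected XSS stays in the application's output encoding.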

Last week was the third OWASP Switzerland Local Chapter meeting, which was a great success, so I’ll also post here on my blog the summary I already sent out to our mailing list; this way, perhaps some other interested people will join us at the next meeting.

Hi everyone, for those of you [...]

Risk metrics research

People may ask me what’s up with my risk metrics research, because I have written several times that I’m working on such stuff. It’s true that I’m still working on it, because I really love the topic, but it currently has a very low priority in my research time. I have some ideas which I think that [...]

IT Security Training Course

Perhaps a few people out there who read my blog periodically noticed that this week there wasn’t any activity from my side. This was because I was teaching an IT security training course with web application security as the principal topic. For me it was very special because the students were at the age of [...]

OWASP AppSec Conference – Italy 2007

The next OWASP Europe Application Security Conference will be held in Milan, Italy on May 15th-17th 2007, and it will be the first OWASP conference where I’ll be present. Unfortunately I missed the CfP, so I can’t give a talk there, but I think even hearing other presentations and meeting cool people is [...]