Articles I've written

Stealing session ids with phpinfo() and how to stop it

Stealing session ids from phpinfo() output has been a known technique for some time. It bypasses the HttpOnly cookie attribute, which stops JavaScript from reading a cookie marked that way (PHPSESSID, for example): a script injected via XSS cannot read the cookie from document.cookie, but it can fetch a phpinfo() page on the same origin, and phpinfo() prints the request's cookies, session id included, right in its HTML. I've just thought of a solution that lets you keep your phpinfo(): simply censor the sensitive data, so phpinfo() loses some of its value to the attacker.
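One way to do that censoring, as an added example in PHP that is not code from the article itself: wrap phpinfo() in output buffering and replace the secret values before the page is sent. It assumes the session cookie is whatever session_name() returns (PHPSESSID unless reconfigured); the function name redactedPhpinfo and the "[redacted]" placeholder are my own choices.

```php
<?php
declare(strict_types=1);

/**
 * Capture phpinfo() output and blank out the session id (and any other
 * cookie values you name) before it is sent to the browser.
 *
 * phpinfo() prints the raw request cookies in several places: the
 * $_COOKIE[...] and $_SERVER['HTTP_COOKIE'] rows of the PHP Variables
 * section and, under Apache, the "HTTP Request Headers" table of
 * apache2handler. Rather than hunt for each spot, this replaces the
 * secret values themselves wherever they occur.
 *
 * @param string[] $cookieNames cookies whose values must never appear;
 *                              empty means just the session cookie
 * @param int      $what        the usual phpinfo() section bitmask
 */
function redactedPhpinfo(array $cookieNames = [], int $what = INFO_ALL): string
{
    if ($cookieNames === []) {
        $cookieNames = [(string) session_name()]; // PHPSESSID unless reconfigured
    }

    $secrets = [];
    foreach ($cookieNames as $name) {
        if (isset($_COOKIE[$name]) && $_COOKIE[$name] !== '') {
            $secrets[] = (string) $_COOKIE[$name];
        }
    }
    // After session_regenerate_id() the live id differs from the cookie that
    // arrived with this request; hide that one too.
    if (session_status() === PHP_SESSION_ACTIVE && session_id() !== '') {
        $secrets[] = session_id();
    }

    ob_start();
    phpinfo($what);
    $output = (string) ob_get_clean();

    // Web SAPIs emit HTML-escaped text, the CLI emits plain text, and a
    // cookie value may also show up URL-encoded; cover all three forms.
    $forms = [];
    foreach (array_unique($secrets) as $secret) {
        $forms[] = $secret;
        $forms[] = htmlspecialchars($secret, ENT_QUOTES);
        $forms[] = rawurlencode($secret);
    }
    $forms = array_unique($forms);
    // Longest first, so a value that is a prefix of another does not leave
    // the tail of the longer one behind.
    usort($forms, static fn(string $a, string $b): int => strlen($b) <=> strlen($a));

    foreach ($forms as $form) {
        // Require a non-token character on both sides so a short cookie
        // value does not clobber unrelated text.
        $output = preg_replace(
            '/(?<![A-Za-z0-9_%-])' . preg_quote($form, '/') . '(?![A-Za-z0-9_%-])/',
            '[redacted]',
            $output
        ) ?? $output;
    }
    return $output;
}

// Drop-in replacement for a bare phpinfo(); call.
echo redactedPhpinfo();
```

Call it wherever you used to call phpinfo(); the result is the same page with every occurrence of the protected values replaced by [redacted], whether it sits in the $_COOKIE row, the HTTP_COOKIE row or a request-headers table. Keep in mind that a redacted phpinfo() still reveals the PHP version, loaded extensions, include paths and environment variables, so it belongs behind authentication or out of production entirely; the redaction only removes the one thing that turns an XSS into a stolen session.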

(read more…)

Check vulnerable packages with composer audit
January 25, 2023

When a security vulnerability is found in one of the PHP libraries you use, there are several ways to learn about it before it's too late. In one of my previous posts I wrote about the PHP Security Advisories Database, how to use it through Roave Security Advisories, and a few other options. All of them, however, require an extra package or tool. Composer 2.4 added a built-in composer audit command, so that extra dependency is no longer necessary.

(read more…)

Don't let security bugs catch you off guard
November 9, 2020 (updated September 19, 2023)

At the end of August, a critical security bug was discovered, and immediately fixed, in Nette, one of the popular PHP frameworks. Although the framework's author, David Grudl, did everything he could, some people did not learn about the bug in time and did not update their sites and web apps. Let me share a few tips, not only for PHP, that will help you learn about similar problems as soon as possible.

(read more…)

My web security training, now available remotely
June 9, 2020

I'm organizing another round of my training, this time remotely: afternoons, at half the regular price.

(read more…)

Last dates for Intro to PHP, Classes & objects in PHP training
October 10, 2017 (updated March 1, 2018)

The time has come: after 6 years I'm closing my public training courses Introduction to PHP and Classes and objects in PHP, with the last round this December. I'm also writing some new courses.

(read more…)

FPD means Full Path Disclosure
April 29, 2012 (updated April 22, 2024)

FPD is one of approximately 17576 three-letter abbreviations used on the Internet, and one of the few where the letter F doesn't stand for, um, let's say friend. The meaning of the acronym I'd like to talk about matters for web application security: FPD means Full Path Disclosure.

(read more…)

All articles