Check this out - Free PHP Security Videos

Posted: Sat Mar 14, 2009 8:10 am
by Arne1983
Hi!

Thank you for checking out this thread.

I've been programming PHP since 2001 and I want to tell you that I just love the PHP community. There are so many people who have helped me out over the years and two weeks ago I decided that I really want to give back by doing something that will have an impact. Without this community I just wouldn't be where I am right now and I want to show my appreciation.

Over the years I've seen it happen so many times that programmers work hard on creating a great website and then that website gets hacked because the PHP code was vulnerable. Since I'm quite paranoid when it comes to security this is definitely an area where I can give back. This is why I have started creating a video series on PHP security and in the first part I talk about Cross-Site Request Forgery. You can find these videos at http://www.aachen-method.com.

In part 1 I cover the following:
- What is Cross-Site Request Forgery?
- I differentiate CSRF from XSS.
- I show you why websites of companies like ING or Google have been vulnerable in the past.
- I give a detailed explanation on how to protect your own website.
- I even give you some simple techniques that you can use right away to identify weaknesses in your own and in other people's websites.

This knowledge is essential in making your websites secure and once you have a deep understanding of PHP security you can confidently charge higher rates when you are programming for other people.

I have worked hard on making my videos easy to understand and if you watch them in sequence you will have no problem keeping up, even if you are just starting out with PHP programming. You can just copy and paste everything right into your code, it's that simple! The only thing that you might have to change is variable names so that it works with your code and that shouldn't be a problem.
And I have inserted my e-mail address at the end of every video if you happen to have a question, so please don't hesitate to contact me and I'll try to get back to you as soon as I can.

I promise you that I have no product to sell and that there aren't even any ads in the member's area. I realize that some people might regard this message as spam, especially because I'm new to this forum. However please understand that I'm just trying to show these videos to as many people as possible so that we as a community can start to eliminate these vulnerabilities from people's PHP code.

After you have inserted your e-mail address in the form on http://www.aachen-method.com you will have instant access to the first part of my video series. Right now I'm working on two more parts and I will send you an e-mail right away when they are released. That's also the only reason I'm asking for your e-mail address. I promise that I won't give your address to anyone and I won't spam you. I hate spam as much as the next guy! And if you want off my list, just hit the unsubscribe link that's included in every e-mail and we part as friends.


Arne


P.S.: Here's the link again: http://www.aachen-method.com

Re: Check this out - Free PHP Security Videos

Posted: Sat Mar 14, 2009 10:56 am
by kaisellgren
Hmm. Okay.

I have a couple of things to tell you. First of all, I have lots to talk about when it comes to security. I have noticed a few situations in your videos that would require some... how would I say it... "clarification". I think it is great to see someone actually creating videos about security and in general they seem okay. I did not watch each of your videos, actually I think I only watched the first part and the protection part as they seemed more interesting to me. Now, a few words from me:

You said that CAPTCHAs can prevent CSRFs. That is true. You said that a bot can circumvent a CAPTCHA protection. That is true, but does not really belong to the world of CSRFs. Moreover, your CSRF token generation is a bit... ineffectual:

md5(uniqid(rand(),true))
It will do fine for preventing CSRFs, but it does not make complete sense. There is really very little point in using uniqid() in that situation, and it makes even less sense to use rand() over mt_rand().

Then you are passing $_SESSION['token'] directly into a form field without ever filtering the data.

Also, I do not think anyone is going to report to the FBI if someone has constructed a CSRF, but that was intended to be a joke, right? :)

In your session tokens vs database tokens, you said that in a session token system, an attacker needs only one token and can access the whole system. In reality, a session and a database are both just ways of storing data. There is no such difference in how they perform on an application level; it is entirely up to the application to handle the storage in a proper way. Later, you say that an attacker can only access the form the token was assigned to (higher security!). I would recommend replacing the word "security" with "protection". At the end of the CSRF protection video, you said to prevent XSS vulnerabilities. Of course, that is important, but does it really need to be in a CSRF protection video? XSS holes are not used to get CSRF tokens. Also, at the very end of this video you said an attacker could access the database to read the token, but does he really need CSRF then? I understand your thinking, but security is not that simple, unfortunately. See, a database access is a database access. Your sentence kind of says "hey, a database access always makes your CSRF protection futile". That, however, is not necessarily true.

By the way, I would recommend that you tell your clients (that is, the web browsers) to use a certain encoding, because my browser couldn't display your last name's ö.

In spite of a few flaws, the videos were good. I bet some people will love them.
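
The three technical points raised above (a token built from md5(uniqid(rand(),true)), $_SESSION['token'] echoed into a form field without escaping, and the difference between a token valid for the whole session and one bound to a single form) are easier to see side by side in code. The following is an added example, not code from the videos or from either poster. It assumes PHP 7.0 or later for random_bytes() and hash_equals(), neither of which existed when this thread was written, and it uses a plain array as a stand-in for $_SESSION so it runs from the command line; the function names are the example's own.

```php
<?php
// Added example (not from the videos or the thread): CSRF tokens the way the
// critique above points toward. Assumes PHP >= 7.0 for random_bytes() and
// hash_equals(). $session below is a constructed stand-in for $_SESSION.

declare(strict_types=1);

// Draw the token straight from the OS CSPRNG. uniqid(), rand() and md5() add
// nothing: the only property a CSRF token needs is that it is unguessable.
function csrf_generate_token(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy, hex-encoded
}

// "Session token" in the sense used in the videos: one token that stays valid
// for the whole session and is reused by every form.
function csrf_session_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = csrf_generate_token();
    }
    return $session['csrf_token'];
}

// Per-form token: stored under the form's name and consumed on first use, so a
// token obtained from one form cannot be replayed against another.
function csrf_form_token(array &$session, string $form): string
{
    $token = csrf_generate_token();
    $session['csrf_forms'][$form] = $token;
    return $token;
}

// Constant-time comparison. A plain == would leak timing and is also subject
// to PHP's loose comparison rules (e.g. "0e123" == "0e456" is true).
function csrf_validate_session_token(array $session, ?string $submitted): bool
{
    if (!is_string($submitted) || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

function csrf_validate_form_token(array &$session, string $form, ?string $submitted): bool
{
    $expected = $session['csrf_forms'][$form] ?? null;
    if (!is_string($submitted) || $expected === null) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    unset($session['csrf_forms'][$form]); // single use, whether or not it matched
    return $ok;
}

// Output encoding: nothing goes into HTML unescaped, not even session data we
// generated ourselves. The habit is what prevents the mistake elsewhere.
function csrf_hidden_field(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// --- Demonstration with a constructed in-memory session -------------------
$session = [];

// Rendering a form: mint a per-form token and emit the escaped hidden field.
$tok = csrf_form_token($session, 'change_email');
echo csrf_hidden_field($tok), "\n";

// Handling the POST (simulated): the request that echoes the token back.
$fakePost = ['csrf_token' => $tok];
var_dump(csrf_validate_form_token($session, 'change_email', $fakePost['csrf_token'] ?? null));

// A second submission of the same token: it was consumed above.
var_dump(csrf_validate_form_token($session, 'change_email', $tok));

// A forged cross-site request: the attacker's page cannot read the victim's
// token, so the request arrives without one.
var_dump(csrf_validate_session_token($session, null));

// The whole-session variant, for comparison: the same value on every call.
var_dump(csrf_session_token($session) === csrf_session_token($session));
```

Run it with `php csrf_example.php`. The per-form path is the "attacker can only reach the form the token was assigned to" case from the videos; the session-wide path is simpler and is what most frameworks ship by default, and both are sound as long as the token is unguessable, compared in constant time, and never echoed unescaped.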

Re: Check this out - Free PHP Security Videos

Posted: Sat Mar 14, 2009 2:02 pm
by Arne1983
kaisellgren wrote:That is true, but does not really belong to the world of CSRFs.
The point of that section was to talk about some common misconceptions. I do sometimes hear that people think CAPTCHAs protect against CSRF, which is why I included that. I also recommended against using them.
kaisellgren wrote:It will do fine for preventing CSRFs
I actually copied this approach from someone, I think it was Chris Shifflet or so, and preventing CSRF is really all I cared about at that time.
kaisellgren wrote:Then you are passing $_SESSION['token'] directly into a form field without ever filtering the data.
That is indeed a mistake which I will correct. Thank you for pointing that out.
kaisellgren wrote:Also, I do not think anyone is going to report to the FBI if someone has constructed a CSRF, but that was intended to be a joke, right? :)
I didn't want to put a smilie after it just to leave people guessing whether or not I'm serious. ;)
kaisellgren wrote:In reality, a session and a database are both just ways of storing data. There is no such difference as how they perform on an application level, it is entirely up to the application to handle the storage in a proper way.
Actually, I have defined how I use both terms before I talked about that slide. I defined a session token as a token that is valid throughout the session. But I can see where you are coming from.
kaisellgren wrote:Of course, that is important, but does it really need to be in a CSRF protection video? XSS holes are not used to get CSRF tokens.
You could get someone to visit a form on a page that has an XSS vulnerability and insert a piece of JavaScript code on that page. This would help the attacker get the token and in turn use CSRF.
kaisellgren wrote:Also, at the very end of this video you said an attacker could access the database to read the token, but does he really need CSRF then? I understand your thinking, but security is not that simple, unfortunately. See, a database access is a database access. Your sentence kind of says "hey, a database access always makes your CSRF protection futile". That, however, is not necessarily true.
That section was more "tongue in cheek" than anything. I was referring to a case where someone gains full access to the database and in so doing gets the tokens. I was trying to spice things up a bit and get people to laugh, but I guess I went a bit overboard with it in this case.

Re: Check this out - Free PHP Security Videos

Posted: Sat Mar 14, 2009 2:21 pm
by kaisellgren
Arne1983 wrote:The point of that section was to talk about some common misconceptions.
I think you should make a different topic "common misconceptions" rather than putting some random thoughts on the CSRF topic ;). However, CSRF related common misconceptions are fine.
Arne1983 wrote:Actually, I have defined how I use both terms before I talked about that slide.
I see, I did not listen to/read everything.
Arne1983 wrote:You could get someone to visit a form on a page that has a XSS vulnerability and insert a piece of JavaScript code on that page. This would help the attacker get the token and in turn use CSRF.
Okay, that is a possibility, but you have a lot worse things to consider than CSRF tokens being lost. XSS can give an attacker complete control over the website.
Arne1983 wrote:I was trying to spice things up a bit and get people to laugh, but I guess I went a bit overboard with it in this case.
Security + laughing... that formula is impossible :)

Re: Check this out - Free PHP Security Videos

Posted: Fri May 29, 2009 10:51 am
by Arne1983
I'm excited to say that part 2 of my video series is available at http://www.aachen-method.com. I'm covering Cross-Site Scripting (XSS) and how you can protect your website against it. Over the past couple of weeks I was super busy with my other projects so I couldn't focus on this course, but that's all behind me now and I can work more on this. :)

Being able to secure your code against CSRF and XSS attacks is a critical skill in being able to charge higher rates as a freelancer, so don't skip these videos.

I also recorded a new introductory video for you where I talk about how people (read: employers) can't help the perception that expensive equals best. This is supposed to serve as a sneak peek of part 3 of my video series and it's a somewhat simplified version of the reality. I'm not suggesting that you should just start charging $500/hour like a lawyer and half a dozen hot chicks will immediately surround you because they will think you are the s***.

I'm also giving a 100% honest explanation on why I'm giving away all this content. Hint: It's not what you think. Definitely watch this video first. (Did this evil ploy ... errr ... informative paragraph work in getting you to watch my video? I should become a writer for 24, I'd make a killing with my suspenseful writing!)

Make sure you sign up for my newsletter so I can notify you right away when I release more killer videos. I promise I won't give your address to anyone and I will never spam you. You can remove your address from the list at any time simply by clicking on the unsubscribe link that is included in every e-mail.

P.S.: Yeah, I'm working on this on a Friday afternoon when I'm supposed to be either working or "outside". I have no life.

P.P.S.: Here's the link again: http://www.aachen-method.com