October 10, 2008

Yesterday, on an invitation from our Information Security Office (ISO), I had the pleasure of giving a talk about injection flaws, Cross Site Scripting (XSS) and Cross Site Request Forgeries (CSRF). The talk had a surprisingly large turnout and crowd participation was good. Anyway, I took my old talk on CSRF and expanded it to include a very simple PHP script (roughly 60 lines of code) that had 2 SQL injection flaws, 2 XSS flaws and a CSRF flaw to boot. I demo'd the flaws (sample input included) and I provided another script that shows some of the fixes you can make to secure it. I've made the slides you see below along with my sample code and the MySQL database available in this ZIP file. For anybody with a working PHP/MySQL setup it would take seconds to stand up, and you have something you can play with to see how you can take my simple hacks and turn them into something more serious. Please add a comment below if you find any problems or have any questions.
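To give a concrete picture of the three bug classes the demo script covers, here is an added example (not the script from the ZIP) of a tiny PHP/MySQL comment handler in a flawed form and a fixed form. It assumes a PDO connection to a hypothetical `comments(author, body)` table and a form that carries a hidden `csrf` field; the table name, credentials and function names are illustrative.

```php
<?php
// Added example: one guestbook handler, written vulnerable and then hardened.
// Assumes a MySQL table `comments(author, body)` and a hidden form field `csrf`.
declare(strict_types=1);
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=demo', 'demo', 'demo', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// --- Vulnerable version (the pattern the talk demonstrates; do not deploy) ---
function postCommentVulnerable(PDO $pdo, array $post): string {
    // SQL injection: user input is concatenated straight into the query text.
    $pdo->exec("INSERT INTO comments (author, body) VALUES ('{$post['author']}', '{$post['body']}')");
    // XSS: stored input is echoed back into the page without encoding.
    $html = '';
    foreach ($pdo->query('SELECT author, body FROM comments') as $row) {
        $html .= "<p><b>{$row['author']}</b>: {$row['body']}</p>";
    }
    // CSRF: nothing ties this state change to a form the user actually submitted.
    return $html;
}

// --- Hardened version ---
function csrfToken(): string {
    // Emit this in the form as: <input type="hidden" name="csrf" value="<?= csrfToken() ?>">
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function postCommentHardened(PDO $pdo, array $post): string {
    // CSRF: require a per-session token that a cross-site page cannot read or guess.
    if (!isset($post['csrf']) || !hash_equals(csrfToken(), (string) $post['csrf'])) {
        http_response_code(403);
        return 'Invalid CSRF token';
    }
    // SQL injection: a prepared statement keeps the data out of the SQL grammar.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->execute([$post['author'], $post['body']]);
    // XSS: HTML-encode on output so stored input renders as text, not markup.
    $html = '';
    foreach ($pdo->query('SELECT author, body FROM comments') as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') { echo postCommentHardened($pdo, $_POST); }
```

The same three inputs that break the first function (a quote in `author`, a `<script>` tag in `body`, a POST from another origin) are turned into plain data or rejected by the second.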



Web Security Overview and Demo
