About

Avatar of Björn Schotte
  • SQL injections for dummies – and how to fix them (Update)

    Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about „SQL injections“, a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like. Everybody should know that you shouldn’t pass variables from outside…

  • Detect and fix security vulnerabilities on server side within seconds.

    (See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla ) This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server. We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function…

  • The proxy mode of Chorizo – and a sneak peek at Morcilla, Chorizo’s little sister.

    Web applications nowadays use AJAX features to provide a very comfortable interface to their users. XmlHttpRequest is the technique that is used to pull data from the server in the background. Have you ever asked yourself how to track down security issues in your XmlHttpRequests without losing too much time? Well, Chorizo gives you the…

  • To be one step ahead with AppArmor in your web server’s environment

    Our first experiences with Novell’s AppArmor. Imagine you plan to offer an application service hosted on a common LINUX box. That is not very difficult at all: you choose your favourite distribution, install and configure some servers (e.g. web and database servers) and finally add your web-based application…

  • Stacking up the free accounts: recursive scans

    Chorizo’s standard account already includes recursive scans starting from the current URL. This means that Chorizo! is able to follow URLs from forms etc. automatically, up to a recursion depth that you can set. From now on, the free accounts also benefit from this feature, which makes it very handy to scan sites more deeply.…

  • Improving Usability on „My Chorizo“ page: the host signature file

    In the spirit of Web2.0 applications, we constantly improve Chorizo! and silently update the application with the newest features. In order to scan a host, you have to prove that you are the owner of the host by uploading a unique signature file to your host’s document root. Some of our users had trouble uploading…

  • 3,500 users in 2 days. Awaiting the birth of the bloody alien sausage.

    Geez! What a week. Right after the announcements on several news tickers and websites (on heise Security in German and heise Security in English, an extensive German review at dynamic-webpages.de and one in French at nexen.net) on Monday, more than 3,500 users (and counting) registered at our small security sausage tool and created hundreds of thousands of security scans…

  • Commoditizing PHP security

    We think it’s time to commoditize PHP web application security. You may have heard of Chorizo!. We’re proud to announce that from now on it’s possible to register for a free account on chorizo-scanner.com. With this free account, it’s possible to use the Chorizo! application service as a proxy and scan 1 host. All scan…

  • Web2.0 (In)Security

    At the webmontag.de gathering in Munich, Johann gave a session on „Web2.0 (In)Security“. With the emergence of more and more Web2.0 applications, security is a must for every developer. Johann explained, for example, why XSS hurts more in Web2.0 than in Web1.0. You can download the slides here (note: in German). Web2.0 also seems to…