About

Avatar of Björn Schotte
  • Web2.0 Security: Why dangers lurk in Web2.0

    From the Symantec Internet Security Threat Report: 69% of all vulnerabilities occur in web applications. The Mitre Corporation CVE database confirms it: 21.5% of all vulnerabilities are XSS vulnerabilities. Johann-Peter Hartmann, CTO of Mayflower GmbH, showed at AJAX in Action in Frankfurt this week why Web2.0 and XSS in particular hurt so much: up to 100% of the usual MVC (Model,…

  • Understanding successful tracing of security vulnerabilities

    Web applications can easily become very complex. Several hundred thousand lines of code (not counting HTML templates!) is usual for larger corporate solutions. This also means that your PHP application follows standards like object-oriented programming, nested classes, etc. When it comes to detecting security vulnerabilities, a lot of tools are available.…

  • SQL injections for dummies – and how to fix them (Update)

    Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like. Everybody should know that you shouldn't pass variables from outside…

  • Detect and fix security vulnerabilities on server side within seconds.

    (See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla ) This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server. We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function…

  • The proxy mode of Chorizo – and a sneak peek at Morcilla, Chorizo's little sister.

    Web applications nowadays use AJAX features to provide a very comfortable interface to their users. XmlHttpRequest is the technique that is used to pull data from the server in the background. Have you ever asked yourself how to track down security issues in your XmlHttpRequests without losing too much time? Well, Chorizo gives you the…

  • To be one step ahead with AppArmor in your web server’s environment

    Our first experiences with Novell's AppArmor. Imagine you plan to offer an application service hosted on a common Linux box. That is not very difficult at all: you choose your favourite distribution, install and configure some servers (e.g. web and database servers) and finally add your web-based application…

  • Stacking up the free accounts: recursive scans

    Chorizo's standard account already includes recursive scans from the current URL. This means that Chorizo! is able to follow URLs from forms etc. automatically, up to a recursion depth that you can set. From now on, the free accounts also benefit from this feature, which makes it very handy to scan sites more deeply.…

  • Improving Usability on the "My Chorizo" page: the host signature file

    In the spirit of Web2.0 applications, we constantly improve Chorizo! and silently update the application with the newest features. In order to scan a host, you have to prove that you are the owner of the host by uploading a unique signature file to your host’s document root. Some of our users had trouble uploading…

  • 3,500 users in 2 days. Awaiting the birth of the bloody alien sausage.

    Geez! What a week. Right after the announcements on several news tickers and websites (on heise security German and heise Security English, an extensive German review at dynamic-webpages.de and one in French at nexen.net) on Monday, more than 3,500 users (and counting) registered at our small security sausage tool and created hundreds of thousands of security scans…