[ciapug] September 4th Meeting Recap

Chris Hettinger cjh at raccoon.com
Wed Sep 5 11:25:01 CDT 2007


Morning,

I want to thank everyone who was able to attend last night.
Thanks again to Tony Clifton and Captain Jack Communication for hosting
us and giving a quality demonstration of XSS vulnerabilities. I believe
everyone commented that they learned something new from it.

--------------------------------------------
Recap
--------------------------------------------

Tony Clifton demonstrated Cross-Site Scripting (XSS) attacks:
Tony set up a test server but hobbled its configuration to illustrate 
some common mistakes. He then demonstrated the effects of XSS attacks and 
how some simple configuration changes and coding practices could have 
prevented the attacks' success.

- Tested two sites maintained by CIAPUG members
- Identified the potential causes in configuration and code
   * Improper PHP configuration settings
   * Self-sabotage; creating global-variable workarounds even if 
register_globals is OFF

- Outlined the steps toward prevention
   * Proper PHP configuration
     - register_globals = OFF
     - allow_url_include = OFF
   * Proactive firewall configuration; avoid unnecessary holes
   * Proper input validation
   * Keeping open-source software up-to-date and patched
   * Do NOT create register_globals workarounds in your code for 
simplicity's sake; e.g. $include_dir = $_REQUEST['include_dir'];
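As an added illustration (my own code, not from Tony's demo or from Captain Jack Communication), here is the "self-sabotage" pattern from the recap side by side with a hardened version. It assumes a hypothetical includes/ directory holding home.php and contact.php, and the php.ini settings listed above are shown as comments because neither directive can be changed from script code.

```php
<?php
// php.ini settings from the recap (cannot be set at runtime via ini_set):
//   register_globals  = Off
//   allow_url_include = Off
// Assumed layout: <this script's dir>/includes/home.php and contact.php

// --- The pattern the recap warns against --------------------------------
// Hand-rolling register_globals: whatever the request sends now decides
// which file is included. With allow_url_include = On that can even be a
// remote URL; with it Off, it is still any readable local path.
function vulnerableInclude(): void
{
    $include_dir = $_REQUEST['include_dir'];     // request-controlled
    include $include_dir . '/header.php';
}

// --- Hardened version ---------------------------------------------------
// 1. Never build a path from the request; map a short key to a fixed
//    allow-list of files under a directory this script controls.
// 2. Validate the key strictly before using it at all.
// 3. Escape anything reflected back to the browser (the XSS half).
const PAGE_MAP = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function safeInclude(array $request): string
{
    $page = $request['page'] ?? 'home';

    // Strict input validation: lowercase letters only, bounded length,
    // and the key must exist in the allow-list.
    if (!preg_match('/^[a-z]{1,20}$/', $page) || !isset(PAGE_MAP[$page])) {
        http_response_code(404);
        return 'Unknown page';
    }

    // realpath() plus a prefix check catches symlink or traversal surprises
    // even though the allow-list already constrains the file name.
    $base = realpath(__DIR__ . '/includes');
    $file = $base === false ? false : realpath($base . '/' . PAGE_MAP[$page]);
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return 'Unknown page';
    }

    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Output encoding for user-supplied text that is echoed back, e.g. a search
// term. This is the coding practice that stops the reflected XSS shown
// at the meeting: the browser sees text, not markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo safeInclude($_GET);
echo '<p>You searched for: ' . e($_GET['q'] ?? '') . '</p>';
```

The allow-list is the important part: validation on its own would still let a well-formed but unexpected name reach include, and the realpath prefix check is a second line of defence should the includes directory ever contain a symlink.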


Additional topics discussed
- Object Relational Mapping tools; Propel and ADODB Active Record
- Web Application Frameworks; selected for next topic
- Expanding the scope of the group to include topics relevant to web
application development; JavaScript, Python, CSS, XML


--------------------------------------------
Next Meeting
--------------------------------------------
Monday October 1st @ 7 PM
Captain Jack Communication
1555 SE Delaware Avenue, Suite G, Ankeny
http://tinyurl.com/24q8gm

Topic: Web Application Frameworks

Beginning in October, meetings will be scheduled for the first Monday of 
each month. Revisions to this schedule will be announced on the mailing 
list in the event of a conflict.
