XSS protection: check! No SQL injection: check! Proper use of HTTPS: check! Clickjacking defences: uh, click what now?! This is one of those risks which doesn’t tend to get a lot of coverage but it can be a malicious little bugger when exploited by an attacker. Originally described by Jeremiah Grossman [http://jeremiahgrossman.blogspot.com.au/2008/10/clickjacking-web-pages-can-see-and-hear.html] of WhiteHat Security fame back in 2008, a clickjacking attack relies on creating a veneer of...

A couple of days ago I wrote about Why I am the world’s greatest lover (and other worthless security claims) [https://www.troyhunt.com/2013/05/why-i-am-worlds-greatest-lover-and.html] and it  really seemed to resonate with people. In short, whacking a seal on your website that talks about security awesomeness in no way causes security awesomeness. Andy Gambles gets that and shared this tweet with me: [https://twitter.com/andygambles/status/332065425485611008] So let’s check out exactly what’s...

I’ve been considering purchasing one of these t-shirts: This shirt would announce to everyone who crosses my path that I am, in fact, the world’s greatest lover. They would know this because I have a t-shirt that tells them so and it would give them enormous confidence in my sexual prowess. If ever I was challenged on the claim, I could quite rightly say that nobody has ever demonstrated that this is not the case and there are no proven incidents that disprove it. Sound ridiculous? Of cou...

I’m pushing the “Publish” button on this just before I go on stage at Web Directions Code [http://code13melb.webdirections.org/] because all things going well, what I’m going to talk about in this post will form part of my demo about securing web services. I’m making some (admittedly very simple) code available and providing some resources that will hopefully help everything I talk about with regards to unprotected wireless traffic make sense. I’d like to begin by introducing you to Pineapple...

I’ve been a little bit busy the last few months and here’s why – my first Pluralsight course, the OWASP Top 10 Web Application Security Risks for ASP.NET [http://www.pluralsight.com/training/Courses/TableOfContents/owasp-top10-aspdotnet-application-security-risks] . Actually, if I’m honest, it’s been a lot longer than that in the making as my writing about the OWASP Top 10 goes all the way back to right on three years ago now. It begin with the blog series [https://www.troyhunt.com/2010/05/owasp...

Just over a year ago to the day, my wife and I walked into the Apple store in Sydney’s CBD and bought her a shiny new MacBook Air. Macs weren’t familiar territory for us so we happily accepted the offer for a staff member to walk us through some of the nuts and bolts of OSX. That was a handy little starter and we left the store none the wiser that the machine now had a serious security risk that wouldn’t become apparent for another year. A couple of weeks ago I wrote about my new favourite devi...

You know how security people get all uppity about SSL this and SSL that? Stuff like posting creds over HTTPS isn’t enough, you have to load login forms over HTTPS as well and then you can’t send auth cookies over HTTP because they’ll get sniffed and sessions hijacked and so on and so forth. This is all pretty much security people rhetoric designed to instil fear but without a whole lot of practical basis, right? That’s an easy assumption to make because it’s hard to observe the risk of insuffic...

HTTPS or SSL or TLS or whatever you want to call it can be a confusing beast. Some say it’s just about protecting your password and banking info whilst the packets are flying around the web but I’ve long said that SSL is not about encryption [https://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html]. As an indication of how tricky the whole situation is, OWASP talks about insufficient transport layer security [https://www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html...

Despite the anniversary continually falling on that most foolish of days, it appears I have indeed been renewed and will now go into my third year of MVP’dom. For those of you not familiar with the process, every year as an MVP’s renewal date approaches, the powers that be at Microsoft look at what you’ve done and work out if you’ve aligned closely enough with the MVP ethos [http://mvp.microsoft.com/en-us/becoming-an-mvp.aspx] to deserve a renewal. As part of the process, MVPs keep track of t...

Since a very young age, many of us have been taught that C is for cookie [http://www.youtube.com/watch?v=Ye8mB6VsUHw] and that apparently, “That’s good enough for me”. Except it’s not – the hidden depths of the cookie were never really explored so is it any wonder that after being ingrained with such a trivial view of cookies from such a young age that so many of us are handling them in an insecure fashion? You see, there’s far more to cookies than meets the eye and I want to delve into a coupl...