EHS Blog
HTML Purifier
at 2007-08-12 15:10:18

I've been focusing on work and neglecting my blog lately, but I want to take a moment to highlight HTML Purifier, a tool developed by Edward Yang. Edward contacted me a few days ago to let me know that he has just released version 2.0, and because this post is tardy, version 2.0.1 is already available.

What is HTML Purifier? In Edward's own words:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.




Planet Web Security
at 2007-08-12 15:10:18

If you want to keep up with the latest in web application security, you might want to add Planet Web Security to your reading list. In his announcement, Christian Matthies offers this brief description:

I am pleased to announce the launch of Planet Web Security, founded with the intention to bring together similarly themed news and rants related to web security and to display them in one place.

It's still in its infancy, so I'm sure it will only get better as more relevant blogs are added. Comparing it to my own planet (not specific to web application security), I can already identify a few blogs that should probably be added:

  • Andrew van der Stock

iPhone Security Concern
at 2007-08-12 15:10:18

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recomme



CSRF Redirector
at 2007-08-12 15:10:18

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.

For example, the following IFrame exploits the Amazon vulnerability:

<iframe src="http://



Lessons from the LAMP generation - tilllate.com
at 2007-08-12 15:10:17

Last night we were treated to Silvan and Stefan's whirlwind history of tilllate.com, delivered to a packed webtuesday - thanks to search.ch for hosting, and apologies to those that got stuck out in the corridor - a search for bigger meeting spaces is in progress.

The talk (described here) translates loosely to "tilllate.com: From 0.1 to 30 Servers":

With 100 million pageviews and 1 million visitors a month, tilllate.com is one of the biggest web platforms in Switzerland. The site currently comprises 60'000 lines of code and 430 database tables, served by a cluster of over 30 servers. Software and infrastructure is the responsibilit



 
