I’ve just pushed the latest update of the most recent book in the Securing PHP ebook series – The Usual Suspects – and included an entire chapter covering cross-site scripting:
Next we come to something that’s probably a bit more widely known but often misunderstood, especially when it comes to the power that it offers to the attacker. Part of the confusion comes from the name of the attack. When you think about the attack method an XSS vulnerabilities allows, the only thing “cross site” about it is that it can possibly come in as a link from another site. Other than that, a cross-site scripting vulnerability can be more closely associated with injection. In fact, the main reason a site might have a cross-site scripting issue is because of improper output escaping.
This new chapter has loads of information about the different types of XSS issues, the different contexts it can happen in and plenty of code and configuration examples of how to prevent them. If you haven’t picked up a copy of it yet, there’s no time like the present!
Don’t forget about the first book in the Securing PHP series too! Core Concepts is a great introduction to security terminology, methods and principles that can help you lay a good foundation for more secure applications.
I’m happy to announce that the next book in the popular “Securing PHP” ebook series has been released – “Securing PHP: The Usual Suspects”!
You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn’t you do everything you can to keep that trust?
Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you’re a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn’t provide the useful, concrete examples you need to be a more effective and secure developer. I’ll provide this foundation on topics like:
- Cross-site scripting, what it is and how to prevent it
- Poor authentication and authorization practices
- Preventing several types of injection
- Auditing potentially vulnerable components
- Protecting your users’ sensitive data
This book will help you sleep better at night knowing you’ve put in the time and work to protect your applications and the users that trust it.
You can grab a copy of it over on LeanPub right now for just $19.99 USD. The book is on an incremental rollout schedule, so right now just the first two chapters are included. The first covers various injection types (including SQL injection, one of the most widespread) and how to prevent them in your applications. The second chapter covers some of the common problems around authentication and authorization.
I’m happy to announce that my latest labor of (PHP) love has officially been released – the Securing PHP: Core Concepts ebook is now available over on LeanPub. It’s been a project I’ve been tossing around for a while now and, with encouragement from the stories of others, finally made it a priority.
I’m really happy with how the book turned out – here’s a summary of the book in case you hadn’t see it yet:
Security is a big topic. I mean *really* big. If you break it down into little chunks, there’s lots of important bits to pay attention to but it all really starts with the application. Without good secure coding practices, your application could be doomed from the start. We as PHP developers have had trouble in the past integrating these practices into our day to day development. This book walks you through some of the most common terms and practices, giving you a better picture of the whole of application security.
I’ve just put it on sale this morning and it’s already getting a great reception. You can find out more about the book and pick up a copy on the Securing PHP: Core Concepts ebook page on LeanPub.
Thanks and happy reading!