The document discusses common web security threats like cross-site scripting (XSS) and cross-site request forgery (CSRF). It notes that over half of identity theft cases are internal and that the web remains vulnerable. The document recommends ways to prevent XSS like sanitizing user input and using nonces to prevent CSRF. Additional resources are provided for further information on XSS and CSRF.

1. PREVENTING XSS & CSRF
Dave Ross • Suburban Chicago PHP & Web Development Meetup

2. 2½ years ago
http://www.slideshare.net/csixty4/intro-to-php-security

3. REALITY CHECK

4. “More than half of identity theft
cases are inside jobs”
Judith Collins, Associate Criminal Justice Professor @ Michigan State University
“who recently completed a study of 1,037 such cases”

5. THE WEB IS STILL
A NASTY PLACE

6. BROWSER SECURITY IS
BETTER

7. PHP IS BETTER

8. REGISTER_GLOBALS IS
DEPRECATED IN 5.3.0

9. THREATS:

10. XSS - CROSS SITE SCRIPTING

11. NON-PERSISTENT XSS

12. PARAMETERS ECHOED
BACK TO THE USER

13. <IMG SRC=”HTTP://SEARCH.AMAZON.COM?S=
<SCRIPT>ALERT(‘TEST’);</SCRIPT>” />

14. PERSISTENT XSS

15. INJECT <IFRAME> &
<SCRIPT> INTO CONTENT

16. BLOG COMMENTS,
FORUM POSTS

17. STRIP OUT TAGS

18. I RECOMMEND REMOVING
TAGS ON DISPLAY, NOT SAVE

19. CSRF - CROSS-SITE REQUEST
FORGERY

20. <IMG SRC=”HTTP://TWITTER.COM/POST?TEXT=I’M A BIG FAT DORK” />

21. USE A NONCE.

22. HTTP://HA.CKERS.ORG/XSS.HTML

23. HTTP://WWW.CGISECURITY.COM/CSRF-FAQ.HTML