white-hat

Black hat knowledge for white hat programmers

There's always skepticism from non-programmers when honest developers learn the techniques of black hat hackers. Obviously though, we need to learn many of their tricks so we can keep our own security up to par. To what extent do you think an honest programmer needs to know the methods of malicious programmers? ...

How best to present a security vulnerability to a web development team in your own company?

Imagine the following scenario: You work at Big Co. and your coworkers down the hall are on the web development team for Big Co's public blog system, which a lot of Big Co employees and some public people use. The blog system allows any HTML and JavaScript, and you've been told that it was a choice (not by accident) but you aren't sure ...

How to demonstrate an exploit of extract($_POST)?

I am not a PHP developer but I'm assessing the security of a PHP5 application. The author relied on extract($_POST) and extract($_GET) in some places, outside of functions. My suggestion is to call extract($_POST, EXTR_PREFIX_ALL, 'form') and change the code accordingly, but his stance is that any variable is being redefined inside sub...
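The variable-overwrite the question is about can be demonstrated without a web server. The following is an added example, not code from the original question or from the application being assessed: it simulates a request by assigning `$_POST` directly (constructed data), shows a pre-set variable being clobbered by `extract($_POST)`, shows the `EXTR_PREFIX_ALL` form the questioner proposes, and includes a small helper for listing which request keys collide with variables already in scope. The function and variable names (`vulnerable`, `hardened`, `collisions`, `$is_admin`, `$user`) are illustrative assumptions.

```php
<?php
// Added example, not from the original question. Shows why extract($_POST)
// lets the client overwrite server-side variables, and what EXTR_PREFIX_ALL
// changes. The request below is constructed so the script runs from the CLI.

// Vulnerable pattern: extract() defaults to EXTR_OVERWRITE, so any key in
// the request replaces a variable of the same name that already exists in
// this scope. At file scope (as in the question) the same happens to every
// global, including configuration and database settings.
function vulnerable(array $post): string
{
    $is_admin = false;     // decided server-side, e.g. from the session
    $user     = 'guest';
    extract($post);        // assumed-illustrative: overwrites $is_admin, $user
    return $is_admin ? "$user: admin panel" : "$user: ordinary page";
}

// Hardened pattern from the question: every request key becomes
// $form_<key>, so request data can no longer collide with existing names.
// Code must then read the prefixed names explicitly and validate them.
function hardened(array $post): string
{
    $is_admin = false;
    $user     = 'guest';
    extract($post, EXTR_PREFIX_ALL, 'form');   // creates $form_user, $form_is_admin
    $user = isset($form_user) ? (string) $form_user : $user;
    // $form_is_admin is deliberately ignored: the client does not decide this.
    return $is_admin ? "$user: admin panel" : "$user: ordinary page";
}

// Assessment helper: which request keys would overwrite variables that are
// already defined in the calling scope? Pass get_defined_vars() from the
// location of the extract() call.
function collisions(array $post, array $scope): array
{
    return array_values(array_intersect(array_keys($post), array_keys($scope)));
}

// Constructed request: the form only has a "user" field, but the client
// appends an "is_admin" field the application never expected.
$_POST = ['user' => 'mallory', 'is_admin' => '1'];

echo vulnerable($_POST), "\n";
echo hardened($_POST), "\n";

// Show the collision check at file scope, where the question's extract()
// calls live. $db_host stands in for an existing global setting.
$db_host = 'db.internal';
$_POST['db_host'] = 'attacker.example';
echo 'request keys that would overwrite existing variables: ',
     implode(', ', collisions($_POST, get_defined_vars())), "\n";
```

Run it with `php example.php`: the first line reports an admin panel for `mallory`, the second an ordinary page, and the collision check names `db_host`. If the team prefers not to rename every variable, `EXTR_SKIP` (which refuses to overwrite existing names) is a weaker fallback, but it still creates an arbitrary set of new variables chosen by the client, so prefixing plus explicit reads of the few expected fields is the safer change.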