Friday, April 06, 2007

Reflection on Chris Shiflett

This week on Reflection we have Chris Shiflett, one of the very few people who have been blogging on webappsec for a long time, and I am sure his blog is among the top 10 most visited blogs on web application security. His knowledge of web application security is tremendous, and his blog is a goldmine for people who want to learn and understand the various types of web application vulnerabilities and their solutions. He has spoken at numerous conferences, published several articles and even written a few books.

Chris shares with us how he got started in the web application security field and how he got involved with the PHP Security Consortium. In his own words:

“I've been an avid web enthusiast since the early 90s, although the first couple of years were mostly spent exploring the technologies involved, particularly HTTP. Web application security is a natural extension of my ongoing desire to apply creativity to a solid fundamental understanding of technology. I started programming on a Commodore 64 in the early 80s, but it wasn't until the early 90s that I focused my attention on web technologies.

The PHP Security Consortium is a group of people whose focus is educating the PHP community about web application security. It began with a simple post on my blog in 2004 requesting assistance with some research I was conducting at the time. (I was researching worms that combine XSS and CSRF, an idea later brought to life by the Myspace worm.) To date, members of the PHP Security Consortium have written books and articles, spoken at industry-leading PHP and open source conferences, and collaborated on projects like the PHP Security Guide and PHPSecInfo. Very little of our work promotes the group itself, because our focus is helping people.

I'm an avid soccer fan. Living in New York provides me with the chance to play with skilled players from all over the world, so I spend almost every weekend in the park. My wife runs marathons and occasionally convinces me to run with her, but I prefer soccer. :-)”

Based in Brooklyn, NY, USA, Chris is only 30 years old (I cannot believe so many leading people in the webappsec field are below 30, which is a very promising sign for the industry). Below are his contributions to the webappsec community.

Books:-
Essential PHP Security (O'Reilly, 2005)

HTTP Developer's Handbook (Sams, 2003)

Contributions to other books

Programming PHP (O'Reilly 2006)

PHP Cookbook (O'Reilly 2006)

PHP in Action (Manning, 2007)

Articles (WebAppSec only):-

Note: This is a subset of his articles, those that are at least tangentially related to web application security.

The articles without a link were published in PHP Architect magazine and are available only by subscription. The date is given with each article (in case you want to look up that particular issue of the magazine). You can also find this information on his blog.

Security Corner: Security Testing - 19 Dec 2006

Security Corner: Cross-Domain Ajax - 16 Oct 2006

Security Corner: Understanding Superglobals - 25 Jul 2006

Security Corner: Character Encoding - 28 Feb 2006

Security Corner: Email Injection - 25 Jan 2006

Security Corner: Context - 22 Dec 2005

Security Corner: Cross-Site Scripting - 21 Nov 2005

Security Corner: HTTP Response Splitting - 25 Oct 2005

Security Corner: Code Audits - 21 Sep 2005

Security Corner: Theory - 18 Jul 2005

Security Corner: Persistent Logins - 25 May 2005

Security Corner: BBCode - 19 Apr 2005

Security Corner: Magic Quotes - 21 Mar 2005

Security Corner: PHP Security Consortium - 15 Feb 2005

Guru Speak: Storing Sessions in a Database

Security Corner: Cross-Site Request Forgeries

Security Corner: Ideology

Guru Speak: How to Avoid "Page Has Expired" Warnings

Security Corner: File Uploads

Security Corner: Secure Design

Security Corner: Session Hijacking

Security Corner: Form Spoofing

Security Corner: Input Filtering

Security Corner: SQL Injection

Security Corner: Shared Hosting

Security Corner: Session Fixation

The Truth about Sessions

Foiling Cross-Site Attacks

Passport Hacking Revisited

Passport Hacking

Lectures / Talks:-

References to almost all of the talks listed below can be found on Chris's blog. I tried to get the links, but every time I got sidetracked by something on his blog and eventually ran out of time. For the links, please check back again later, or you can search on this blog (

PHP Under Attack - OSCON (10 Jul 2003)

PHP Attacks and Defense – ApacheCon (19 Nov 2003)

PHP Security - OSCON (26 Jul 2004)

Foiling Cross-Site Attacks - OSCON (29 Jul 2004)

Securing PHP Sessions - OSCON (30 Jul 2004)

PHP Session Security - phpworks (23 Sep 2004)

Testing PHP with Perl - New York PHP (26 Oct 2004)

PHP Security - ApacheCon (14 Nov 2004)

Testing PHP with Perl - ApacheCon (16 Nov 2004)

PHP Security - PHP Quebec (30 Mar 2005)

PHP Security Briefing - PHP Quebec (01 Apr 2005)

PHP Security Briefing - NOAA SecCon (04 May 2005)

PHP Security by Example - phptropics (13 May 2005)

PHP Security Audit HOWTO - PHP West (11 Jun 2005)

PHP Security - ApacheCon Europe (19 Jul 2005)

PHP Security Briefing - ApacheCon Europe (21 Jul 2005)

Testing PHP with Perl - ApacheCon Europe (22 Jul 2005)

PHP Security - OSCON (01 Aug 2005)

PHP Security Briefing - OSCON (03 Aug 2005)

PHP by Example - phpworks (14 Sep 2005)

PHP Security by Example - phpworks (15 Sep 2005)

PHP Security Audit HOWTO - New York PHP (27 Sep 2005)

PHP Security Audit HOWTO - Boston PHP (06 Oct 2005)

PHP Security - ZendCon (18 Oct 2005)

PHP Security Audit HOWTO - ZendCon (21 Oct 2005)

Power PHP Testing - ApacheCon (11 Dec 2005)

Agile PHP Testing - PHP Quebec (31 Mar 2006)

What's New in PHP 5 - LinuxWorld (25 Apr 2006)

PHP Security - LinuxWorld (25 Apr 2006)

PHP Security - phptek (27 Apr 2006)

Zend Framework - Boston PHP (04 May 2006)

Essential PHP Security - ApacheCon Europe (27 Jun 2006)

The Truth about XSS - ApacheCon Europe (28 Jun 2006)

Agile PHP Testing - ApacheCon Europe (29 Jun 2006)

Power PHP Testing - OSCON (24 Jul 2006)

Essential PHP Security - OSCON (25 Jul 2006)

The Truth about XSS - OSCON (26 Jul 2006)

PHP Security Testing - OSCON (27 Jul 2006)

The Truth about XSS - phpworks (13 Sep 2006)

Agile PHP Testing - phpworks (13 Sep 2006)

PHP Security Audit HOWTO - EuroOSCON (21 Sep 2006)

PHP Security Testing - DC PHP Con (19 Oct 2006)

The Truth about XSS - DC PHP Con (19 Oct 2006)

Essential PHP Security - ZendCon (30 Oct 2006)

Security 2.0 - Web Builder 2.0 (05 Dec 2006)

The Truth about Sessions - PHP Quebec (15 Mar 2007)

Affiliations:-
PHP Security Consortium (Founder)

Open Web Application Security Project

Web Application Security Consortium

Companies worked for:-

USPS, eDonkey, Brain Bulb, OmniTI

Company working for:-

OmniTI (Principal)

Links:-

Personal -

Work -

OmniTI

PHP Security Consortium

Essential PHP Security

Education:-

BS in Computer Science

If you haven't been to his blog yet, then I would strongly recommend visiting it soon, as you will find a plethora of information on webappsec there. Every webappsec enthusiast should have it on their watchlist.

Last Week - Jeff Williams
Next Week - Ory Segal
