Michal Špaček
My trainings
And this is what they say about them: Originally, I've arranged Michal's training primarily for my colleagues because "of course I already know these things"... Michal has changed my mind in the first hour of the first day and continued to do so for the whole two days. Thanks to this training I finally understood some of the attack/defense concepts in full depth, and especially in the right context. — Jan Pospíšil, Senior PHP developer, Czech Radio
Public trainings
Come to my public trainings, everybody's welcome:
Trainings in Prague (or remote) are held regularly in the middle of March, June, September, and December, in other cities irregularly.
In-house trainings
Any public training can also be turned into an in-house training. As an extra, I offer these in-house-only courses:
Looking for Introduction to PHP, Classes and objects in PHP? I've handed them over to Martin Hujer. I've discontinued Web application performance, Martin Michálek runs a similar training.
My articles
phpinfo() and how to stop it Stealing session ids from phpinfo() output has been a known technique for some time, and is used to bypass the HttpOnly attribute, which prohibits JavaScript from accessing a cookie marked as such (e.g. PHPSESSID). I just now thought of a solution that allows you to keep your phpinfo(): we'll simply censor the sensitive data, making phpinfo() lose some of its value to the attacker.
We call it pages, domains, servers, websites, internets and we hope the other party will understand. Maybe, maybe not, but that can always be cleared with the additional “wait, a server, don't you mean a website?” You can't just ask those questions when reading various specifications and technical documents, so they try to call things by their correct names and in a consistent manner. And they do it so well that terms like origin, site, same origin, same site, eTLD and public suffix are normally not even translated to other languages, because then nobody would understand it. And how does the attractiveness of subdomains relate to this?
The Chrome browser (and others like Edge) allows you to override both HTTP response headers and the response content. I've previously written about overriding the headers for testing purposes, let's see how you can override the body, or the content itself, as well. Starting with Chrome 117 (released in September 2023) it's also greatly simplified.
My talks
Favorites
- HTTP hlavičky, Subresource Integrity a spol. chrání vaše návštěvníky před bezpečnostními chybami
- XSS PHP CSP ETC OMG WTF BBQ, o Cross-Site Scriptingu a Content Security Policy
- Hlava není na hesla, použijte na ně raději password manager
- HTTPS, co, proč, jak, zač, nač, kdy, kde, s kým a proti komu
- Webová bezpečnost, popis několika základních útoků i méně známých triků
- Jak jsme zlepšili zabezpečení Slevomatu a jak byste měli udělat to samé
- Zahashovat heslo, uložit, …, profit!, o správném hashování hesel
Upcoming talks
…at your event or conference, let me know!
Talks
Zadní vrátka pro zvířátka Czech
October 12, 2024, LinuxDays 2024 (20 minutes)
Na velikosti eshopu nezáleží Czech
September 24, 2024, GoPay Webinář (20 minutes)
Moderní problémy vyžadují moderní řešení Czech
October 8, 2023, LinuxDays 2023 (50 minutes)
DOM XSS and Trusted Types
May 11, 2023, OWASP Czech Chapter Meeting (60 minutes)
Co zajímá Špačka na nových verzích PHP? Czech
October 6, 2022, 51. sraz přátel PHP v Praze v CareCloudu (15 minutes)
Me answering questions
CZ Podcast 319 - O bezpečnosti, nových vlastnostech prohlížečů i Shoptetu
May 6, 2024, CZ Podcast
Michal Špaček: Před připojováním na veřejné Wi-Fi sítě už nevaruju
September 5, 2022, Lupa.cz
O temné straně UX designu
March 1, 2022, BlueGhost Update
Bezpečnost na internetu
February 2, 2021, Jak na sítě
Grading How Companies (In)Securely Store Passwords
August 1, 2019, All Things Auth Podcast