Wednesday, September 22nd, 2010

Evercookie – using a lot of solutions to force a persistent cookie

Category: Security

Samy has put together an impressive solution to store persistent cookies on users’ computers even when they have cookies disabled. The Evercookie script reaches deep into the toolbox to fish out some very interesting and devious tricks for local storage: Standard HTTP Cookies; Local Shared Objects (Flash Cookies); Storing cookies in RGB values of auto-generated, Read the rest…

Posted by Chris Heilmann at 2:59 pm


Monday, May 24th, 2010

Busting framebusters – clickjacking is still a big issue

Category: JavaScript, Security

If you followed the security world a bit in the last year (or fell for the “don’t click this button” Twitter worm) you will have noticed that clickjacking still is a big problem. Clickjacking basically means that you embed a third party web site into yours inside an iframe and give this frame an opacity Read the rest…

Posted by Chris Heilmann at 5:38 am


Thursday, April 1st, 2010

Stop sniffing my breadcrumbs!

Category: CSS, JavaScript, Mozilla, Security

Chris Blizzard has done a nice roundup of David Baron’s post, the bug and the post on the security blog which discusses the :visited issue. We have seen :visited sniffing for good as well as ill (Aza wrote about using it to detect what networks you are on which can help you put up the Read the rest…

Posted by Dion Almaer at 12:01 am


Friday, November 20th, 2009

Full Frontal ’09: Chris Heilmann on Javascript Security

Category: JavaScript, Security

It’s another JavaScript conference! Full Frontal has kicked off in Brighton this morning (fullfrontal09 on twitter). First up is Ajaxian and Yahoo Chris Heilmann on JavaScript security. The main theme is let’s use JavaScript sensibly and don’t just blame the language when other things are creating the risks too. Chris walks us through the history Read the rest…

Posted by Michael Mahemoff at 6:00 am

Wednesday, November 11th, 2009

BrowserScope checks your security too

Category: Security

FAIL toStaticHTML API. That is what I got when I pointed a Chrome dev channel build at the new security tests on BrowserScope. Collin Jackson and Adam Barth have written up the test suites. Steve is excited to see this: The new security tests in Browserscope were developed by Adam Barth from UC Berkeley, and Read the rest…

Posted by Dion Almaer at 4:55 am


Thursday, October 29th, 2009

YUI 2.8.0 now Caja compliant

Category: Library, Security

Caja is one of the most promising attempts to deliver secure web applications not prone to the attacks that normal JavaScript solutions sadly enough allow for. Let’s face it – the concept of global variables and the lack of sandboxed environments in addition to the fun that is browser security holes makes the web as Read the rest…

Posted by Chris Heilmann at 11:48 am


Wednesday, October 21st, 2009

Implied globals in browsers

Category: IE, JavaScript, Security

Stoyan Stefanov has done some testing on so-called implied globals in browsers. One of the interesting finds was that the meta description is accessible in JavaScript using object property notation on IE and other browsers. HTML: <meta name="description" content="test me" /> JavaScript: alert(description.content); // Read the rest…

Posted by Chris Heilmann at 10:35 am


Friday, May 29th, 2009

Taking apart crazy JavaScript code; Interview question fodder

Category: Security

Scott Schiller looks like he had some fun taking apart Analyzing Javascript Malware: Obfuscated Evil where he takes a peek into a gnarly JavaScript piece of malware that was just seen in the wild on Facebook: Since Javascript must be downloaded to run on the client, its source is easily accessible. The code can be Read the rest…

Posted by Dion Almaer at 6:04 am

Monday, May 4th, 2009

Extension wars – NoScript vs. AdBlockPlus

Category: JavaScript, Security

One of the dirtiest secrets of the Internet is that it runs on ads for monetization. All of us who surf the web and use systems had lots and lots of free lunches because of advertisements being shown on web sites. The only difference to TV is that they are less obtrusive and you can Read the rest…

Posted by Chris Heilmann at 11:04 am


Friday, March 27th, 2009

XSS Rays: Scan pages for XSS holes

Category: Security

Gareth Heyes has released XSS Rays, an open source library for detecting XSS holes via a bookmarklet: The code works by creating connections to the target links/paths using iframes, each iframe is assigned a name which is the url to return to on successful execution (the originating url). This allows cross domain links to be Read the rest…

Posted by Dion Almaer at 4:33 am

Thursday, March 26th, 2009

Amazon Wish Lists Are Dreadfully Insecure

Category: Security

Kent Brewster couldn’t hold back anymore and posted on a vulnerability on the Amazon Wish List system that means that anyone can play with your wish lists. You can imagine people “having fun” and adding a huge number of porn elements to your setup. Kent tells us: Old friends may remember the How to Tell Read the rest…

Posted by Dion Almaer at 2:44 am


Wednesday, March 25th, 2009

Fuzzy CSS Grammar

Category: CSS, Security

Jesse Ruderman, security extraordinaire, has created many fuzzers in his time including a JavaScript one, and this time he has created a CSS grammar fuzzer: I wrote a CSS grammar fuzzer to test Gecko’s CSS parser. This fuzzer’s tricks: Declarative context-free grammar. This makes it easy to add new CSS features to the fuzzer, or Read the rest…

Posted by Dion Almaer at 6:39 am

Thursday, February 12th, 2009

If a button says don’t click, don’t – Twitter being flooded by clickjacking spam.

Category: Security

Twitter is currently running hot with tweets that announce that you shouldn’t click followed by a tinyurl. The page behind the tinyurl has a button that tells people not to click it – which of course they do. When they click the button they send the tweet telling other gullible people not to click the Read the rest…

Posted by Chris Heilmann at 1:41 pm


Thursday, January 29th, 2009

Twitter’s protected updates privacy problem

Category: Security

This morning I had a fun email (in 60 pixel letters) concerning TweetEffect – a Twitter analysis tool I’ve written (details on my blog). In essence I was being accused of making protected updates of the Twitter user available to the world. I tried it out and couldn’t reach their updates. I then started wondering Read the rest…

Posted by Chris Heilmann at 2:13 pm


Saturday, January 24th, 2009

Captcha cracking in JavaScript with Canvas and neural nets

Category: Canvas, Security

Everybody’s favourite glass shield to protect web apps are CAPTCHAs. These are the distorted characters displayed on a page that a user has to enter before gaining access or sending off a form. They annoy normal users, are largely inaccessible to blind users or dyslexic people and are not as safe as we think they Read the rest…

Posted by Chris Heilmann at 5:42 am


Thursday, January 15th, 2009

Seeding the clipboard in Flash10 with Zero Clipboard

Category: Flash, Library, Security

Following the bombshell of Adobe announcing that Flash 10 will not support unsolicited clipboard access from Flash and JavaScript as malicious flash ads flooded clipboards a lot of developers were wondering how to make the “copy to clipboard” still work without having to do it in Flash itself. An interesting and also slightly creepy approach Read the rest…

Posted by Chris Heilmann at 9:21 pm
