Wednesday, January 7th, 2009

Detecting twitter users with JavaScript – handy or evil?

Category: Examples, Security

Earlier this week I blogged about a proof of concept showing that you can detect whether a user is logged in to Twitter and display their data with a few lines of JavaScript. This could be used, for example, to show “tweet this” buttons in a blog application. The trick is easy: use the user_timeline to …

Posted by Chris Heilmann at 5:06 am


Wednesday, December 31st, 2008

MD5 hash collision gets people worried about PKI

Category: Security

The paper “MD5 considered harmful today”, delivered at the 25th Annual Chaos Communication Congress in Berlin, has got people scared again. The team showed an MD5 collision, which is well explained by Simon Willison (he is so good at getting to the meat, a tough skill indeed): Use an MD5 collision to create two …

Posted by Dion Almaer at 12:03 am


Tuesday, December 30th, 2008

Web Security: Number one attack vector?

Category: Security

Jeremiah Grossman, our number one Web security chap, has some interesting words as we jump into 2009: It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe, IC3). This is in addition to …

Posted by Dion Almaer at 5:18 am


Monday, November 3rd, 2008

Browser Web Security; Bolt on and then subsume

Category: Security

Jeremiah Grossman, our go-to guy for Web security issues, recently wrote an interesting piece about how security gets bolted on and then slowly subsumed into the platform: Whether improving ease-of-use, adding new developer APIs, or enhancing security – Web browser features are driven by market share. That’s all there is to it. Product managers perform …

Posted by Dion Almaer at 5:24 am

Thursday, October 23rd, 2008

Microsoft Live Labs Web Sandbox

Category: Security

The Microsoft Live Labs team has announced a new project: Web Sandbox. The team is led by Scott Isaacs, someone to whom we owe thanks, since he played a large part in the birth of DHTML (and thus Ajax). The sandbox takes HTML, CSS, and JavaScript and puts it in an isolated box. The goal …

Posted by Dion Almaer at 10:00 am


Tuesday, September 30th, 2008

Report and Case Study on CSRF

Category: Security

Bill Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites: We found four major vulnerabilities on four different sites. These vulnerabilities include what we believe is the first CSRF vulnerability that allows the transfer of funds from a financial institution. We contacted all the sites involved and …

Posted by Dion Almaer at 7:41 am

Saturday, September 27th, 2008

Flash 10 and the bad news for JavaScript interaction

Category: Accessibility, Adobe, Flash, Security

Right now you can use Flash to work around a lot of JavaScript limitations, and many products use an invisible Flash movie to, for example, batch-upload files (Flickr, WordPress), play movies in a screenreader-accessible manner (with DHTML controls outside the main movie – Yahoo Video, for example), or automatically add content to the …

Posted by Chris Heilmann at 4:11 pm


Thursday, September 25th, 2008

HTML Whitelist: Sanitize your markup

Category: HTML, Security

HTML Whitelist is the latest in the “cool little Python Web service thrown up on App Engine” series by my good colleague DeWitt Clinton. It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version. For example: // original …

Posted by Dion Almaer at 2:54 am


Tuesday, September 16th, 2008

Simon Willison, @Media Ajax

Category: Security

Simon Willison is talking about Ajax vulnerabilities at @media Ajax. The main thing to worry about is users injecting JavaScript – cross-site scripting (XSS). Other vulnerabilities people used to talk about – trusting user input and checking for SQL injection attacks – are boring/easy. If I have an XSS hole, I can steal your users’ …

Posted by Michael Mahemoff at 9:40 am


Thursday, September 4th, 2008

IE 8 Security and nosniff

Category: Security

Eric Lawrence posted on IE 8 security issues in the beta 2 release, which include: Restricting document.domain. In Internet Explorer 7, the following set of calls would succeed: `// initial document.domain is` … `document.domain = ""; // 1. Domain property set to default value` … `document.domain` …

Posted by Dion Almaer at 7:43 am

Wednesday, September 3rd, 2008

Xsstc: Cross-site scripting through CSS data

Category: Security

Wes Biggs has posted on Xsstc, his cross-site scripting technique that uses CSS to carry the data: It turns out CSS leaks data in a very subtle way. Properties set by an external stylesheet (that is, one that is loaded using a LINK REL=”STYLESHEET” tag) are used to style the elements of the host page, …

Posted by Dion Almaer at 5:37 am


Wednesday, July 9th, 2008

Passpack releases Host-Proof Hosting Library

Category: Library, Security

Passpack notified me about their new library to support Host-Proof Hosting (HPH) development (touched on earlier). The library allows anyone to set up HPH on their own infrastructure. It’s mostly a browser-side library powered by jQuery, focused on transferring encrypted data, and there’s also some sample server-side PHP code. I think the most important part …

Posted by Michael Mahemoff at 1:45 pm

Friday, July 4th, 2008

Evil GIFs: Hiding Java in your image

Category: Security

What if you could encode a Jar file as an image and trick the browser into running it? This is what Ben Lorica reported from a Black Hat Briefings webinar: During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of hackers announced the creation of a hybrid file …

Posted by Dion Almaer at 12:47 am


Thursday, July 3rd, 2008

IE8 showing how serious it is about security

Category: IE, Security

The IE8 team has created a blitz on its blog with a slew of posts on security. There is a ton of great stuff here, and it is well worth going into detail on each post: IE8 and Trustworthy Browsing. First they set the scene: This blog post frames our approach in IE8 for delivering …

Posted by Dion Almaer at 10:58 am


ratproxy: Rat out those security issues in your Web app

Category: Security

Michal Zalewski, of Google, has released ratproxy, a tool to test your Web application against attacks such as XSS and XSRF: Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate …

Posted by Dion Almaer at 10:49 am

Friday, June 27th, 2008

The fight for cross domain XMLHttpRequest

Category: Security, XmlHttpRequest

There is a thread going on about secure cross-domain requests. Microsoft came out with a paper saying that the W3C standard isn’t secure, and pushing the Microsoft XDR spec: A few proposals and implementations exist, like XDomainRequest in IE8, JSONRequest, and the W3C Web Applications Working Group’s Cross Site XMLHttpRequest (CS-XHR) draft specification, which combines …

Posted by Dion Almaer at 9:24 am
