Security
Wednesday, January 7th, 2009
Category: Examples, Security
Earlier this week I blogged about a proof of concept that you can detect if a user is logged in to twitter and display their data with a few lines of JavaScript. This could be used to show for example “tweet this” buttons in a blog application. The trick is easy: use the user_timeline to Read the rest…
Wednesday, December 31st, 2008
Category: Security
The paper on MD5 considered harmful today delivered at the 25th Annual Chaos Communication Congress in Berlin has got people scared again. The team showed an MD5 collision which is well explained by Simon Willison (he is so good at getting to the meat, a tough skill indeed): Use an MD5 collision to create two Read the rest…
Tuesday, December 30th, 2008
Category: Security
Jeremiah Grossman, our number one Web security chap, has some interesting words as we jump into 2009: It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe, IC3). This is in addition to Read the rest…
Monday, November 3rd, 2008
Category: Security
Jeremiah Grossman, our go-to guy for Web security issues, recently wrote an interesting piece about how security gets bolted on, and slowly subsumed into the platform: Whether improving ease-of-use, adding new developer APIs, or enhancing security – Web browser features are driven by market share. That’s all there is to it. Product managers perform Read the rest…
Thursday, October 23rd, 2008
Category: Security
The Microsoft Live Labs team has announced a new project: Web Sandbox. The team is led by Scott Isaacs, someone to whom we owe thanks, since he played a large part in the birth of DHTML (and thus, Ajax). The sandbox takes HTML, CSS, and JavaScript, and puts it in an isolated box. The goal Read the rest…
Tuesday, September 30th, 2008
Category: Security
Bill Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites: We found four major vulnerabilities on four different sites. These vulnerabilities include what we believe is the first CSRF vulnerability that allows the transfer of funds from a financial institution. We contacted all the sites involved and Read the rest…
Saturday, September 27th, 2008
Category: Accessibility, Adobe, Flash, Security
Right now you can use Flash to work around a lot of JavaScript limitations, and many products use an invisible Flash movie to, for example, batch upload files (Flickr, WordPress), play movies in a screenreader-accessible manner (with DHTML controls outside the main movie – Yahoo Video, for example) or automatically add content to the Read the rest…
Thursday, September 25th, 2008
Category: HTML, Security
HTML Whitelist is the latest in the “cool little Python Web service thrown up on App Engine” by my good colleague DeWitt Clinton. It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version. For example: HTML // original Read the rest…
Tuesday, September 16th, 2008
Category: Security
Simon Willison is talking about Ajax vulnerabilities at @media Ajax. The main thing to worry about is users injecting JavaScript – cross-site scripting (XSS). Other vulnerabilities people used to talk about – trusting user input and checking for SQL injection attacks – are boring/easy. If I have an XSS hole, I can steal your users’ Read the rest…
Thursday, September 4th, 2008
Category: Security
Eric Lawrence posted on IE 8 security issues in the beta 2 release, which include: Restricting document.domain In Internet Explorer 7, the following set of calls would succeed: javascript // initial document.domain is app1.example.com document.domain = "app1.example.com"; // 1. Domain property set to default value document.domain Read the rest…
Wednesday, September 3rd, 2008
Category: Security
Wes Biggs has posted on Xsstc, his cross-site scripting solution that uses CSS to hide the data: It turns out CSS leaks data in a very subtle way. Properties set by an external stylesheet (that is, one that is loaded using a LINK REL=”STYLESHEET” tag) are used to style the elements of the host page, Read the rest…
Wednesday, July 9th, 2008
Category: Library, Security
Passpack notified me about their new library to support Host-Proof Hosting (HPH) development (touched on earlier). The library allows anyone to set up HPH on their own infrastructure. It’s mostly a browser-side library powered by jQuery, focused on transferring encrypted data, and there’s also some sample server-side PHP code. I think the most important part Read the rest…
Friday, July 4th, 2008
Category: Security
What if you could encode a Jar file as an image and trick the browser to run it? This is what Ben Lorica reported from a black hat briefing webinar: During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of hackers announced the creation of a hybrid file Read the rest…
Thursday, July 3rd, 2008
Category: IE, Security
The IE8 team has created a blitz on its blog with a slew of posts on security. There is a ton of great stuff here, and it is well worth going into detail on each post: IE8 and Trustworthy Browsing At first they set the scene: This blog post frames our approach in IE8 for delivering Read the rest…
Category: Security
Michal Zalewski, of Google, has released ratproxy, a tool to test your Web application against attacks such as XSS and XSRF: Ratproxy is a semi-automated, largely passive web application security audit tool. It is meant to complement active crawlers and manual proxies more commonly used for this task, and is optimized specifically for an accurate Read the rest…
Friday, June 27th, 2008
Category: Security, XmlHttpRequest
There is a thread going on secure cross domain requests. Microsoft came out with a paper saying that the W3C standard isn’t secure, and pushing the Microsoft XDR spec: A few proposals and implementations exist like XDomainRequest in IE8, JSONRequest and the W3C’s Web Applications Working Group’s Cross Site XMLHttpRequest (CS-XHR) draft specification, which combines Read the rest…