Thursday, January 10th, 2008

XSS: Flash and Rails

Category: Flash, Ruby, Security

A couple of good articles on XSS and security came out at the same time. One talks about XSS in Flash, and the other about Rails. XSS Vulnerabilities in Common Shockwave Flash Files: Rich Cannings has written an article explaining the issue of XSS with regard to Flash: Critical vulnerabilities exist in a large number of widely Read the rest…

Posted by Dion Almaer at 12:14 pm

Wednesday, December 5th, 2007

Cross Site Scripting Joy: XSS in detail

Category: Comet, Security

In Cross Site Scripting Joy, Andrew Betts has taken the time to go into real detail on XSS and the fun and frolics that we have with the Same Origin Policy and beyond: So the battle over XSS as a security problem has moved on from the same origin policy, but same origin remains a Read the rest…

Posted by Dion Almaer at 6:45 am

Monday, December 3rd, 2007

Filtering JavaScript From HTML Content with AntiSammy

Category: Java, Security

Jason Harwig has posted about AntiSamy, the Java 1.5 compatible library that sanitizes away:

    AntiSamy sanitizer = new AntiSamy();
    CleanResults results = sanitizer.scan(request.getParameter("html"));
    String html = results.getCleanHTML();
    if (!results.getErrorMessages().isEmpty()) {
        log.warn("Input contains errors");
    }

I gave a JavaScript security talk last month, and one of the topics Read the rest…

Posted by Dion Almaer at 5:11 am

Wednesday, November 28th, 2007

CrossFrame: a Safe Communication Mechanism Across Documents and Across Domains

Category: JavaScript, Security, Yahoo!

Julien Lecomte has written about CrossSafe, a “safe communication mechanism across documents and across domains”. We already have some solutions such as the URL fragment identifier or the Flash LocalConnection object, so why did Julien see the need for this? CrossFrame is a variant of the URL fragment identifier mechanism. In the original technique, the Read the rest…

Posted by Dion Almaer at 12:45 am

Wednesday, November 21st, 2007

Cross Domain XHR W3C proposal

Category: Security, XmlHttpRequest

The W3C has a new proposal titled Enabling Read Access for Web Resources which defines access control primitives to be used for cross domain XHR. You can set control via an HTTP header:

    Access-Control: allow <*> exclude <*>

or an XML processing instruction: Read the rest…

Posted by Dion Almaer at 6:56 am

Monday, November 12th, 2007

Capability JavaScript: JavaScript isn’t Caja

Category: JavaScript, Security

We talked about the new Google Caja project which tries to make JavaScript safer by processing it and putting it in namespace sandboxes. Now, Ben Laurie of Google comes out and talks about it. There is a spec: Using Caja, web apps can safely allow scripts in third party content. The computer industry has only Read the rest…

Posted by Dion Almaer at 8:09 am

Tuesday, October 30th, 2007

Joe Walker on Web Application Security

Category: Security

Joe Walker gave a standout talk on Web Application Security at The Ajax Experience. I love to watch people leaving this talk as they are usually gasping as they realise that we are not secure :) Joe has posted the slides from his talk, and has provided some great resources:

Posted by Dion Almaer at 7:38 am

Friday, October 26th, 2007

Honeypot Captcha

Category: Security

Phil Haack has a new take on using a Honeypot technique for CAPTCHA. The most similar technique to this one is what WP-HashCash does, using JavaScript to fill out a form before it gets submitted, and assuming that evil bots don’t grok JavaScript. Unfortunately, I have found in the past that some bots seem to Read the rest…

Posted by Dion Almaer at 7:52 am

Friday, October 12th, 2007

Making JavaScript Safe with Google Caja

Category: Google, Security

Douglas Crockford continues to bang the drum for securing JavaScript in his latest post: It is possible to make secure programming languages. Most language designers do not consider that possibility. JavaScript’s biggest weakness is that it is not secure. That puts JavaScript in very good company, but it puts web developers in an untenable position Read the rest…

Posted by Dion Almaer at 10:58 am

Monday, October 8th, 2007

Automated security scanners choke on Ajax

Category: Ajax, Security

It looks like some of the most expensive security scanners can’t handle Ajax code. Information Week reviewed and tested 5 pricey application scanners, including software from IBM & HP, and all, sans IBM’s scanner, failed to pinpoint vulnerabilities with Ajax code: With the exception of IBM’s Watchfire AppScan, automated Web application scanners are simply not Read the rest…

Posted by Rey Bango at 8:30 am

Thursday, September 13th, 2007

Premature Ajax-ulations: Ajax Security… It’s Still The Web

Category: Security

Bryan Sullivan and Billy Hoffman gave a talk entitled Premature Ajax-ulations that came out of their work looking at Ajax applications, and seeing if they are secure. They came to the common conclusion that Ajax is not inherently insecure, but ignoring security makes it so: “The extra attack surface from Ajax is not from anything Read the rest…

Posted by Dion Almaer at 4:03 am

Monday, September 10th, 2007

CrossSafe: Secure Cross Domain JSON

Category: Security

Kris Zyp has just released a beta version of CrossSafe, a tool that provides secure cross domain JSON requests and partially implements the JSONRequest specification (the get and cancel methods). You can also see a demonstration where you can pull information from Yahoo’s web services, Brad Neuberg’s transclusion web service, and a JSON object database Read the rest…

Posted by Dion Almaer at 10:00 am

Tuesday, August 7th, 2007

Fixing browser security: SameRefererOnly, and DNS Pinning

Category: Security

Joe Walker has spoken about adding SameRefererOnly to the cookie spec. I think we could adapt an idea like HttpOnly to tackle CSRF – I’d like to see a “SameRefererOnly” marker for cookies. SameRefererOnly is an indication that a cookie should only be sent to a Site when the referring domain is the same as Read the rest…

Posted by Dion Almaer at 12:26 pm

Cross domain JavaScript via DNS

Category: JavaScript, Security

Alex Pooley has written up his thoughts on cross domain JavaScript via DNS. Alex builds on the document.domain fun: The Problem. From a naive perspective, it is not possible for a web page from domain D to access a URL from another domain E due to security considerations. Several workarounds have been developed, namely the Read the rest…

Posted by Dion Almaer at 9:29 am

Friday, July 20th, 2007

CSRF Redirector

Category: Security, Utility

Joe Walker will probably be happy to see this, and will be able to test DWR with it. Chris Shiflett has created a simple CSRF Redirector inspired by the XSS POST Forwarder: It’s a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as Read the rest…

Posted by Dion Almaer at 5:46 am

Friday, June 1st, 2007

Spyjax: Using a:visited to test your history

Category: JavaScript, Security

Spyjax can scare you, or excite you depending on what you want to do. By using a simple JavaScript check on the CSS style on URLs, a script can work out if you have been there:

    function hasLinkBeenVisited(url) {
        var link = document.createElement('a');
        link.href = Read the rest…

Posted by Dion Almaer at 1:27 am