Web Application Security
A few people asked for the slides and links from the security talk at The Ajax Experience last week:
General Links:
- OWASP: Open Web App Security Project
- Security Resources from the OpenAjax Alliance Wiki
- Mozilla on Same-Origin Policy
XSS:
- Introductions from: Wikipedia and Apache
- Cheat Sheet: Long list of XSS vectors from RSnake
- Explanation of DOM Based XSS
- Explanation of Samy is my Hero worm
- Fairly old FAQ at CGI Security
- List of XSS holes in popular web applications
CSRF:
- Introduction from: Wikipedia and here
- Article by Chris Shiflett and CSRF Redirector test tool
- CSRF FAQ at CGI Security
- Array constructor overriding and setter overriding
- A solution: SameRefererOnly
- Protecting a JSON or JavaScript Service
Blogs:
Re: Web Application Security
Thank you, Joe, for your presentation. I am glad I didn't open up my website to HTML comments before understanding the security risks. I now know to whitelist instead of blacklist user input, thank you!
I also exposed the company I work for to DWR and at first pass they seem very intrigued. I am hoping it opens up the corporate door to Ajax.
