Search results

	Title and summary	Date/time
1	Fixing browser security: SameRefererOnly Web security is horribly broken, and lot has been said about CSRF, XSS, DNS-Pinning, etc, but not enough about what we can do to fix the mess. I think we could adapt an idea like HttpOnly to tackle CSRF - I'd like to see a "SameRefererOnl...	07-Aug-2007
2	CSRF, Anti-DNS Pinning and NTLM Mark Goodwin has written a neat discussion of the extra problems that CSRF causes when used alongside DNS pinning attacks and against intranets that use NTLM authentication (AKA Integrated Windows Auth) The short version is that you might be able to u...	18-Apr-2007
3	How to Protect a JSON or Javascript Service There have been lots of explanations recently of the dangers of JSON or JavaScript remoting. This post is about what you can do to protect your scripts. The Problem The issues have been explained before, so I'm going to assume some knowledge of the p...	04-Apr-2007
4	JSON is not as safe as people think it is I saw some discussion recently about using JSON for secured data, and I'm not sure that everyone understands the risks. I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. There are 2 problems. CSRF (Cr...	05-Mar-2007
5	CSRF Pharming In short: If you still have the default password on your router then go and change it now. Don't stop to read this post before you change it. This post describes an attack that combines CSRF with an older technique - Pharming (see particularly the sec...	08-Feb-2007
6	CSRF Protection It occurred to me that there is another way of providing protection against CSRF attacks, in addition to the ones already mentioned on Wikipedia. There are several ways to forge a request in a CSRF attack: iframe, script tag, image tag, scripted windo...	07-Feb-2007
7	CSRF Attacks or How to avoid exposing your GMail contacts GMail is having a hard time at the moment, the latest problem is a CSRF flaw that allows anyone to read your GMail contacts. CSRF is commonly mistaken for Cross-Site Scripting (XSS); the article linked to by Digg makes this mistake, but the 2 attacks ...	01-Jan-2007

Categories | Tags | Advanced Search

Tags

Recent Blog Entries

App Engine and Java
The world is now split into Python programmers, making funny 'Goo' noises over App Engine, and everyone else who are wondering when/if this will be available in their language or if they are going to have to change their spots. Of all the languages to...
Commercial Support for DWR
Short version: Commercial support and development assistance is now available for DWR. Long version: SitePen has been offering support packages for a while, but you've had to ask. But it's now an advertised service, if you want help with Dojo, DWR o...
IE8 Review
I've been playing with IE8 beta 1, and I've got some thoughts ... In terms of user visible HTML rendering features, I think IE 8 beta 1 is possibly the biggest release of IE in nearly 11 years since April 1997 when IE 4.0 alpha 1 was released. The his...
InfoQ Interview
InfoQ interviewed me, and asked: What are some of the major features planned for [DWR] version 3.0? When is 3.0 slated for release? Is it still sometime in June? What does the incremental release schedule look like before the final 3.0 release? What ...
DWR + Aptana Jaxer
I've been working with the guys from Aptana for the past week or so on adapting DWR to be a remoting layer for Jaxer. Jaxer is a way to run JavaScript on the server. But it's not just JavaScript as an alternative to Java/Ruby/PHP/etc. Jaxer is Mozil...
IWebMvc Preview
Jose Noheda has released a preview of a library that glues together DWR, Dojo, Spring and Hibernate/JPA. It's a 0.1 release and he's looking for feedback. Despite the name, it's not really another Web MVC framework, but more along the lines of AppFu...
2 Wrongs Making a Right: (false && false) = true
I just had one of those times when I thought I totally lost the ability to do simple logic. Take a look at this screenshot: I'll break it down: req.readyState = 4, and batch.async = false. Last time I checked 4 = 4. So blatantly (4 != 4) is false. ...
Microsoft Anti-Trust Retrospective
It was about 5 years between Netscape 4 and Mozilla 1.0. In that time, they lost about 80% market share. It was about 5 years between IE6 and IE7. In that time, they lost about 10% market share. Just in case there was any doubt about the argument tha...
The roller coaster of Open Source
Frank Zammetti, wrote this, and as I'd written bits of this, he asked me to write a forward, which goes something like this: The funny thing about getting heavily involved in an open source project is the roller coaster ride you embark on. There's t...

May 2008
Mon	Tue	Wed	Thu	Fri	Sat	Sun
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31
Apr \| Today \| Jun

Getahead - Joe Walker's Blog

"tag:csrf"