Search results

"tag:security"


Title and summary | Date/time

1. Cringely and bad password advice
Cringely may know enough about social security fraud that the DHS want his advice, but I'm not sure he's got good advice about password security. He starts well: Identity thieves... can start a sweepstakes website that requires only free registration to ...
20-Nov-2007 10:32:45

2. Web Application Security
A few people asked for slides and links from the security talk from The Ajax Experience last week: General Links: OWASP: Open Web App Security Project Security Resources from the OpenAjax Alliance Wiki Mozilla on ...
29-Oct-2007 11:00:51

3. Fixing browser security: SameRefererOnly
Web security is horribly broken, and a lot has been said about CSRF, XSS, DNS-Pinning, etc, but not enough about what we can do to fix the mess. I think we could adapt an idea like HttpOnly to tackle CSRF - I'd like to see a "SameRefererOnl...
07-Aug-2007 13:33:55

4. CSRF, Anti-DNS Pinning and NTLM
Mark Goodwin has written a neat discussion of the extra problems that CSRF causes when used alongside DNS pinning attacks and against intranets that use NTLM authentication (AKA Integrated Windows Auth). The short version is that you might be able to use ...
18-Apr-2007 10:22:26

5. New DWR Release - 2.0 RC4
I created this blog a few years ago specifically to announce releases of DWR, but I skip announcing new releases too often - I'm making amends: 2.0 RC4 RC4a (see below) is out of the oven. What's new? The biggy is Guice support. If it wasn't for the ...
11-Apr-2007 12:24:39

6. How to Protect a JSON or Javascript Service
There have been lots of explanations recently of the dangers of JSON or JavaScript remoting. This post is about what you can do to protect your scripts. The Problem: The issues have been explained before, so I'm going to assume some knowledge of the ...
04-Apr-2007 09:32:14

7. Good marks for security features in DWR
Fortify Software have been investigating security features in the most popular Ajax frameworks, and DWR v2 comes out very well indeed. From the paper: We analyzed 12 popular Ajax frameworks, ... We determined that among them only DWR 2.0 implements ...
02-Apr-2007 22:08:23

8. Operator overloading in Javascript 2 and a potential monster CSRF hole
I noticed that Javascript 2 might include operator overloading, including (at least) the ability to overload the and operators. Operator overloading is really useful if you want to write a Complex number class, and really annoying when someone else ...
22-Mar-2007 13:10:15

9. JSON is not as safe as people think it is, part 2
Yesterday, I blogged about how to steal data from JSON by overriding the Array constructor. Today, we break into Objects too. Mark Goodwin submitted a non-deprecated syntax that uses the __defineSetter__ feature, which was a good start (Aside: does ...
06-Mar-2007 23:33:50

10. JSON is not as safe as people think it is
I saw some discussion recently about using JSON for secured data, and I'm not sure that everyone understands the risks. I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. There are 2 problems. CSRF (Cross ...
05-Mar-2007 19:31:52

11. CSRF Pharming
In short: If you still have the default password on your router then go and change it now. Don't stop to read this post before you change it. This post describes an attack that combines CSRF with an older technique - Pharming (see particularly the ...
08-Feb-2007 09:14:56

12. CSRF Protection
It occurred to me that there is another way of providing protection against CSRF attacks, in addition to the ones already mentioned on Wikipedia. There are several ways to forge a request in a CSRF attack: iframe, script tag, image tag, scripted ...
07-Feb-2007 16:11:19

13. CSRF Attacks or How to avoid exposing your GMail contacts
GMail is having a hard time at the moment; the latest problem is a CSRF flaw that allows anyone to read your GMail contacts. CSRF is commonly mistaken for Cross-Site Scripting (XSS); the article linked to by Digg makes this mistake, but the 2 attacks are ...
01-Jan-2007 19:12:40

14. Airport Security: Explain This
So, I'm flying to the Ajax Experience, from the UK, via Frankfurt to Boston, and I'd like to avoid the delays and the lottery associated with hold luggage, so I'm trying to travel carry-on. I'm well aware that all liquids recently became potentially ...
25-Oct-2006 08:21:00

15. Cross-Domain Ajax. Security Implications in Depth
Some people think we should remove the "same-domain" restriction from Ajax calls, and Eric Pascarello and xml.com (amongst others) don't. I don't think we've got to the bottom of the debate yet. Eric has 2 points: "script kiddies", although he doesn't ...
23-Nov-2005 08:23:30

16. Writing malicious code in Java
The underhanded C contest is all about writing C code that looks innocent enough to get past a security review, but does something nasty on the side. It got me thinking about how to subvert things in Java. Somewhat predictably the C contest was dominated ...
28-Sep-2005 08:00:16

17. Security Warning: Watch out using CVS at JavaOne
Very nearly got bit by this one today. I wanted to show someone the DWR code at JavaOne, so I flipped up the lid on my laptop and was just about to double click on a Java class when it occurred to me that doing so would probably be telling someone my ...
28-Jun-2005 06:59:21

18. Obscure code hell and a security hole for a bus
It would be nice to be able to say "only joking" about this code; however, this code was live, on the internet. Spot the bus-sized security hole. The code sample is color coded because I needed to demonstrate to some non-techies what a mess things were, ...
16-Jun-2005 11:30:21