Archive for the ‘CGI Security’ Category
Posted in CGI Security on December 15th, 2008 by CGI
“Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors. The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/ • prevents creating set-cookie/2 headers via setRequestHeader() in a case insensitive way. (but XHR is…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
From tssci: “This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple advantages, like having network access to the service,…
Tags: News
Posted in CGI Security on December 15th, 2008 by CGI
There is a write-up at Coding Insecurity on filtering non-ASCII characters to prevent XSS attacks. “I have been working on a medium-sized development project lately and came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than (<) or greater-than (>) symbols. Instead…
Tags: News
Posted in CGI Security on December 12th, 2008 by CGI
“Google this week admitted that its staff will pick and choose what appears in its search results. It’s a historic statement – and nobody has yet grasped its significance. Not so very long ago, Google disclaimed responsibility for its search results by explaining that these were chosen by a computer algorithm….
Tags: News
Posted in CGI Security on December 12th, 2008 by CGI
Jeremiah has published an entry on budgeting for web application security in your company. “‘Budgeting’ is a word I’ve been hearing a lot of questions about recently, which is another data point demonstrating that Web application security and software security are increasingly becoming a top of mind issue. The challenge that many…
Tags: News
Posted in CGI Security on December 11th, 2008 by CGI
Rafel Ivgi has published an extensive list of IE8 XSS filter evasions. “Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft’s famous browser includes new security improvements such as a Cross Site Scripting (XSS) filter. This version also includes a new object that…
Tags: News
Posted in CGI Security on December 11th, 2008 by CGI
Michal Zalewski from Google has published an extremely in-depth guide describing the various behavioral differences between the major browsers. “I am happy to announce the availability of our “Browser Security Handbook” – a comprehensive, 60-page document meant to provide web application developers and information security researchers with a one-stop…
Tags: News
Posted in CGI Security on December 9th, 2008 by CGI
“Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked “critical,” in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in…
Tags: News
Posted in CGI Security on December 8th, 2008 by CGI
F-Secure has posted the following blog entry at SecurityFocus: “There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on the Apple website. In the article, Apple advised users to install anti-virus software to make sure…
Tags: News
Posted in CGI Security on December 8th, 2008 by CGI
“The Carnegie-Mellon University team behind the reCAPTCHA service is continuing to expand its effort to mix basic security and useful work. CAPTCHAs are the distorted text that helps various online services ensure that the entity opening an account is a human, not a bot bent on using the service to dish…
Tags: News