Channel: WhiteHat Security Blog » Cross Site Scripting

Escaping Escapes

Sometimes a server will escape special characters that are injected. For instance, injecting a " character and having it reflect as \":

Injection: xss"
Reflection: x="xss\"";y=42;

Fail. Sometimes,...
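The following is an added example, not code from the WhiteHat post. It models the reflection the teaser describes (x="<injected>";y=42;) with a server-side escaper that handles only the double quote, places it beside an escaper that emits a complete JavaScript string literal, and evaluates each reflected script with a canary function to observe whether injected code actually runs. The payloads, the canary name and the function names are constructed for this example; the backslash-supplying payload goes beyond the teaser's own xss" case and shows why quote-only escaping is not enough.

```javascript
// Added example (not from the original post): quote-only escaping versus a
// full JS string-literal encoding, checked by executing the reflected script.

// Naive escaper modelled on the teaser: " becomes \", the backslash itself is
// left untouched, so an attacker-supplied backslash can consume the added one.
function escapeQuoteOnly(input) {
  return input.replace(/"/g, '\\"');
}

// Full string-literal encoding: JSON.stringify escapes backslash, quote and
// control characters and supplies the surrounding quotes; "<" is additionally
// encoded so the value can never close an enclosing <script> tag either.
function toJsStringLiteral(input) {
  return JSON.stringify(input).replace(/</g, '\\u003c');
}

// The template from the teaser, with the naive escaper.
function reflectNaive(injection) {
  return 'x="' + escapeQuoteOnly(injection) + '";y=42;';
}

// The same template with a properly encoded literal (quotes come from the encoder).
function reflectSafe(injection) {
  return 'x=' + toJsStringLiteral(injection) + ';y=42;';
}

// Run a reflected script in a scratch function scope. Any statement the
// attacker smuggles in can call canary(); the result records whether it
// fired, what x ended up holding, and any syntax error the script produced.
function evaluateReflection(script) {
  let fired = false;
  const canary = () => { fired = true; };
  let value;
  let error = null;
  try {
    value = new Function('canary', 'var x, y;\n' + script + '\nreturn x;')(canary);
  } catch (e) {
    error = e.message;
  }
  return { value, fired, error };
}

// Constructed payloads. The first is the teaser's own case; the second brings
// its own backslash, so the naive escaper turns \" into \\" and the quote is
// live again, letting ;canary();// run as a statement.
const plainQuote = 'xss"';
const escapedQuote = '\\";canary();//';

function demo() {
  const rows = [];
  for (const payload of [plainQuote, escapedQuote, '</script>']) {
    const naive = evaluateReflection(reflectNaive(payload));
    const safe = evaluateReflection(reflectSafe(payload));
    rows.push({ payload, naiveFired: naive.fired, safeFired: safe.fired, safeValue: safe.value });
  }
  return rows;
}

for (const row of demo()) {
  console.log(JSON.stringify(row));
}
```

With the naive escaper the second payload reflects as x="\\";canary();//";y=42;, which the parser reads as a one-backslash string followed by a live call. With JSON.stringify the same payload reflects as x="\\\";canary();//";y=42;, and x simply holds the attacker's text.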

It’s a DOM Event

All user input must be properly escaped and encoded to prevent cross-site scripting. While the idea of sanitizing user input is nothing new to most developers, many of them encode special characters...

Content Security Policy

What is it and why should I care? Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that Web apps can use as an additional layer of protection against Cross-Site Scripting...

#HackerKast 8: Recap of JPMC Breach, Hacking Rewards Programs and TOR Version...

After making fun of RSnake being cold in Texas, we started off this week’s HackerKast, with some discussion about the recent JP Morgan breach. We received more details about the breach that affected...

#HackerKast 10: XSS Vulnerability in jQuery, Let’s Encrypt, and Google...

We kicked off this week’s episode chatting about a new XSS vulnerability that was uncovered in the very popular jQuery Validation Plugin. This plugin is used widely as a simple form validator and the...

Infancy of Code Vulnerabilities

I was reading something about modern browser behavior and it occurred to me that I hadn’t once looked at Matt’s Script Archive from the mid 1990s until now. I kind of like looking at old projects...

#HackerKast 13 Bonus Round: FlashFlood – JavaScript DoS

In this week’s HackerKast bonus footage, I wrote a little prototype demonstrator script that shows various concepts regarding JavaScript flooding. I’ve run into the problem before where people seem to...

#HackerKast 29 Bonus Round: Formaction Scriptless Attack

Today on HackerKast, Matt and I discussed something called a Formaction Scriptless Attack. Content Security Policy (CSP) has put a big theoretical dent in cross site scripting. I say theoretical...

Bayes’ Theorem and What We Do

Back in 2012, The Atlantic Monthly published a behind-the-scenes article about Google Maps. This is the passage that struck me: The best way to figure out if you can make a left turn at a particular...

Why is Passive Mixed Content so serious?

One of the most important tools in web security is Transport Layer Security (TLS). It not only protects sensitive information during transit, but also verifies that the content has not been modified....
