Simon Willison’s Weblog

How one site dealt with SQL injection attack (via) Horrifying story of developer incompetence from Autoweb: “The contractor had no idea how to find and fix the Web page vulnerability that allowed the SQL injection attack code to execute successfully.” 2nd May 2008, 9:01 pm

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised. 26th April 2008, 9:12 am

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference. 21st April 2008, 6:51 am

PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work. 19th April 2008, 10:45 am

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types. 14th April 2008, 8:18 am

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable. 12th April 2008, 10:52 am

Hash Collisions (The Poisoned Message Attack). Demonstrates the MD5 weakness by providing two deliberately engineered PostScript documents with the same MD5 hash but radically different rendered output. 4th April 2008, 7:24 pm

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site. 20th January 2008, 9:49 am

8 More Design Mistakes with Account Sign-in (via) Second of a two part series by Jared Spool. I agree with all of them with the possible exception of #15 which advocates providing a non-email password recovery solution. Security “questions” are usually dreadfully insecure, and introduce the need to lock users out of their accounts after just a few tries. 17th January 2008, 4:35 pm

openid.yahoo.com. Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing. 17th January 2008, 2:35 pm

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. 10th January 2008, 6:46 pm

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). 6th January 2008, 9:35 am

The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER[’HTTP_BASE_PATH’], which can be set with a Base-Path: HTTP header. 28th December 2007, 11:40 pm

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves. 26th December 2007, 12:16 pm

IPy. Handy Python module for manipulating IP addresses—use IP(ip_addr).iptype() == ’PUBLIC’ to check that an address isn’t in a private address range. 24th December 2007, 1:19 pm

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. 1st December 2007, 8:34 pm

Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other. 18th November 2007, 11:21 am

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. 14th November 2007, 5:05 pm

A Roundup Of Leopard Security Features (via) Thomas Ptacek’s overview of the new security features in Leopard. Guest Accounts are worthless from a security P.O.V., but I still plan to use one for our PowerBook that’s now just a media player. 31st October 2007, 5:30 pm

Django security fix released. Django’s internationalisation system has a denial of service hole in it; you’re vulnerable if you are using the i18n middleware. Fixes have been made available for trunk, 0.96, 0.95 and 0.91. 26th October 2007, 9:47 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. 25th October 2007, 7:56 am

MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. 18th October 2007, 9:10 pm

Gozi Trojan. The full security paper on the Gozi trojan: how it was discovered, how it was traced and details of the “customer interface for on-line purchases of stolen data” at the other end (which, incidentally, was ridden with security holes). 17th October 2007, 10:03 pm

Global Hackers Create a New Online Crime Economy (via) Fascinating, detailed look at the evolution of the hacker service economy. Of particular interest: a web application that sells access to hacked machines to identity thieves on a timeshare basis. 17th October 2007, 9:46 pm

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. 9th October 2007, 12:23 pm

The Storm Worm. Bruce Schneier describes the Storm Worm, a fantastically advanced piece of malware that’s been spreading for nearly a year and is proving almost impossible to combat. Its effects are virtually invisible but infected machines are added to a multi-million machine botnet apparently controlled by anonymous Russian hackers. 6th October 2007, 12:25 am

Rails 1.2.4: Maintenance release. “Session fixation attacks are mitigated by removing support for URL-based sessions”—I’ve always hated URL-based sessions; I’d be interested to hear if their removal from Rails causes legitimate problems for anyone. 5th October 2007, 11:42 pm

Amazon makes you lie to log off (via) Amazingly, the only way to sign out of Amazon these days is to use the “If you’re not XXX, click here” link—the traditional “sign out” link has quietly vanished. 2nd October 2007, 1:19 pm

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. 2nd October 2007, 1:14 am

WebRunner 0.7—New and Improved. A simple application for running a site-specific browser for a service (e.g. Twitter, Gmail etc). This is a great idea: it isolates your other browser windows from crashes and also isolates your cookies, helping guard against CSRF attacks. 27th September 2007, 1:55 pm

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge. 27th September 2007, 10:29 am

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw. 6th September 2007, 6:27 am

E-Voting Ballots Not Secret; Vendors Don’t See Problem. “You know things are bad when questions about a technical matter like security are answered by a public-relations firm.” 20th August 2007, 3:19 pm

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place. 17th August 2007, 5:37 pm

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics. 7th August 2007, 3:23 pm

DNS Pinning Explained. With diagrams. 7th August 2007, 11:01 am

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino. 2nd August 2007, 12:53 pm

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection. 2nd August 2007, 12:53 pm

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?” 2nd August 2007, 12:30 pm

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett. 18th July 2007, 7:45 am

Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted in to some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process. 7th July 2007, 10:43 pm

Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta. 14th June 2007, 9:56 am

Safari for Windows, 0day exploit in 2 hours (via) Once again, down to handling of alternative URL protocol schemes. 12th June 2007, 1:30 pm

Security Breach. A statement from Dreamhost. 8th June 2007, 8:16 am

Firefox promiscuous IFRAME access bug. Lets malicious sites “display disruptive or misleading contents in the context of an attacked site” and intercept keystrokes! The demo worked in Camino 1.5 as well. Avoid using Gecko-based browsers until this is patched? 6th June 2007, 10 am

Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one. 6th June 2007, 9:57 am

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched. 6th June 2007, 9:53 am

Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post. 5th June 2007, 9:16 pm

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature. 29th May 2007, 10:07 pm

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank. 29th May 2007, 10:03 pm

The Twitter API Respects Your Privacy. Not Twitter’s fault: The users who exposed their data through Twittervision had given that site their username and password; Twittervision was failing to hide protected updates. 24th May 2007, 11:37 pm

There’s a hole in your Twitter. If you’ve been using friends-only messages on Twitter they may currently be exposed via the API. 24th May 2007, 5:03 pm

Introducing http:BL (via) Project Honey Pot announce a new blacklist service for blocking comment spammers and e-mail spiders using information from their network of honey pots. 25th April 2007, 11:39 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. 15th April 2007, 8:28 pm

JSON and Browser Security. Douglas Crockford suggests using secret tokens to protect JSON content, and avoiding wrapper hacks to protect unauthorised JSON delivery as they may fall foul of undiscovered browser bugs in the future. 11th April 2007, 12:52 am

Fortify JavaScript Hijacking FUD. Bob Ippolito points out the flaws in the recent widely disseminated JavaScript Hijacking paper. While the paper does miss some important details, it’s good that more people are now aware of the security implications involved in serving JSON up wrapped in an array. 5th April 2007, 10:51 pm

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago! 16th March 2007, 10:16 am

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. 12th March 2007, 12:34 am

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway. 6th March 2007, 8:06 am

JSON is not as safe as people think it is. Joe Walker reminds us that even authenticated JSON served without a callback or variable assignment is vulnerable to CSRF in Firefox, thanks to that browser letting you redefine the Array constructor. 5th March 2007, 10:51 pm

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. 4th March 2007, 9:24 pm

WordPress 2.1.1 dangerous, Upgrade to 2.1.2. Helping to spread the word. You’re affected if you’ve downloaded WordPress 2.1.1 in the last three or four days. 3rd March 2007, 8:06 am

Safe JSON (via) Subtle but important point about JSON APIs: you shouldn’t use a callback or variable assignment for JSON incorporating private user data, especially if it’s at a predictable URL. 2nd March 2007, 1:11 pm

The Psychology of Security. I haven’t even started on this yet, but I bet it’s worth reading. 9th February 2007, 1:27 am

Microsoft confirms Vista Speech Recognition remote execution flaw. “I have verified that I can create a sound file that can wake Vista speech recognition, open Windows Explorer, delete the documents folder, and then empty the trash.” 1st February 2007, 5:19 pm

MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list list was archived there. 26th January 2007, 9:57 am

The NHL’s All-Star voting disaster. The NHL ran an online poll to decide which players are picked for their All-Star Game. The only authentication was a poorly implemented CAPTCHA. Unsurprisingly, it got gamed. 19th January 2007, 9:50 am

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) 17th January 2007, 9:09 am

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. 14th January 2007, 1:36 pm

The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. 11th January 2007, 4:23 pm

Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software. 11th January 2007, 2:55 pm

A Cost Analysis of Windows Vista Content Protection (via) Vista’s content protection is a nightmare for hardware manufacturers and consumers alike. It’s far worse than even BoingBoing readers would expect. 24th December 2006, 10:34 am

Never store passwords in a database! The reddit.com developers just learnt this the hard way. It might be time to change some of your passwords. 16th December 2006, 12:01 am

Real-World Passwords. Random passwords phished from MySpace are surprisingly decent. 14th December 2006, 2:14 pm

BT acquires Counterpane Internet Security (via) They just bought Bruce Schneier. 25th October 2006, 10:57 am

Better Metrics for Security—Understanding the Symantec Internet Security Threat Report. Mozilla defends against yet more spurious bug count reports. 27th September 2006, 9:54 am

Parsing XML can open network sockets (via) Yikes. Something to bare in mind. 18th August 2006, 2:27 pm

Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.” 17th August 2006, 2:19 pm

Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t! 10th August 2006, 4:26 pm

On the total nondisclosure of the 8/9/06 [Rails] security vulnerability. The best argument I’ve seen in favour of full disclosure. 10th August 2006, 2:53 pm

Rails 1.1.5: Mandatory security patch. Upgrade now, and spread the word. 9th August 2006, 8:55 pm

Why is XSS so common? Because dev tools don’t escape things by default. 2nd August 2006, 8:57 pm

Don’t serve JSON as text/html. Another sneaky XSS trick. 5th July 2006, 11:46 pm

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. 22nd January 2006, 9:37 pm

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month. 21st January 2006, 8:47 pm

DHS Funding Open Source Security. Paying for “source code analysis technology” coverage of Linux, Apache, PostgreSQL and more. 17th January 2006, 10:18 pm

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. 24th December 2005, 5:21 pm

Zero-Day Exploit Targets IE (via) Remote code execution. No patch yet; disable Active Scripting instead. 22nd November 2005, 6:24 am

Cross-site request forgery (CSRF). Somehow this vulnerability is news to me. 6th May 2005, 11:07 pm

Usable Security: Look Beyond the “Fundamental Conflict”. Security and usability are not conflicting goals. 18th March 2005, 2:27 am

Not linking is not security. Ridiculous: Harvard rejects applicants who “hacked” by guessing a URL. 8th March 2005, 8:47 pm

Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible. 19th February 2005, 3:12 pm

Schneier on Security: SHA-1 Broken. Whoa. 16th February 2005, 4:47 am

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. 15th February 2005, 7:04 pm

Secure wireless email on Mac OS X. Doug Bowman’s tutorial on SSH Tunnel Manager and wireless security. 8th February 2005, 11:20 am

User Education Is Not the Answer to Security Problems. Smart thinking on security from Jakob Nielsen. 1st November 2004, 1:22 pm

Net security threats growing fast. 30,000+ PCs a day are being compromised for botnets. 20th September 2004, 6:44 pm

OS X Security Update 2004-09-07 (via) Plenty of important fixes; a must-have. 8th September 2004, 3:45 pm

IE in Windows XP SP2. An overview of the new security changes. 10th August 2004, 7:39 pm

Race conditions in security UI. A vulnerability that is even more effective against advanced users (i.e. fast typists). 2nd July 2004, 4:14 pm

Bruce vs. Bruce (via) Schneier and Sterling discuss security and technology. 15th June 2004, 10:04 pm

Daring Fireball: Security Cannot Be Spun. Apple’s communication handling of the recent security problem was atrocious. 31st May 2004, 4 am

Background Images Security Flaw? Styling :visited links can reveal a user’s browser history. 24th May 2004, 8:24 pm

Mac OS X helpviewer security flaw fixed. Hit Software Update. Not sure if this fixes the telnet: variety though. 22nd May 2004, 5:08 am

Mac OS X URI Handler Arbitrary Code Execution (via) Very nasty: affects all web browsers, allows compromise by malicious web sites. 18th May 2004, 3:39 pm

Why Windows is a Security Nightmare. The pain of Windows Update over a 56K modem. 18th May 2004, 5:50 am

Bruce Schneier: We are all security customers. How can the US get the best return on investment for homeland security? 4th May 2004, 6:34 pm

M.I.T Card Information (via) Who’s bright idea was it to introduce a poorly secured swipe card system in a school full of hard-core techies? 25th April 2004, 8:58 pm

Will Trade Passwords For Chocolate (via) I’m not at all surprised. Most people see passwords as more of an annoyance than a security measure. 20th April 2004, 4:27 am

XP Service Pack 2 Review. Several welcome security improvements for those still suffering on Windows ;) 21st March 2004, 9:14 pm

Slouching toward Big Brother (via) Security is a trade-off 30th January 2004, 7:18 pm

Election boxes easy to mess with (via) More on Diebold’s ludicrous security 30th January 2004, 7:11 pm

non-consensual http user tracking using caches. Interesting security issue involving HTTP caching headers 20th January 2004, 10:37 pm

Blaster and the great blackout (via) Bruce Schneier writes for Salon.com 17th December 2003, 3:10 am

Microsoft Security FAQ (via) Point your less technical friends here 17th December 2003, 2:50 am

Debian’s Response. Praise for Debian’s handling of their recent security incident 9th December 2003, 3:16 am

Silly JavaScript Security. “Sorry, you do not have permission to press this key,” 5th December 2003, 10:42 pm