Simon Willison’s Weblog

Items tagged quora, security

Filters: quora × security ×


Is there anyway to game unique link verifications?  Like when you get sent a link of the form https:/........com/UID=TYYN04001 How would one change the digits to reproduce another working link?

Not if they’ve been implemented correctly.

[... 42 words]

How could GitHub improve the password security of its users?

By doing exactly what they’re doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.

[... 80 words]

What steps can I take to protect my data in case my laptop gets stolen?

Set up full drive encryption—that way if someone steals your laptop they won’t be able to access your data without a password.

[... 95 words]

What Javascript tools are there for cleansing input?

Don’t cleanse. Escape instead.

[... 18 words]

I would like to setup a web-server which will be used solely by myself. What would be the safest way to do so in terms of confidentiality of the contents?

I haven’t configured them myself, but it might be worth looking in to client SSL certificates for this. That way your server won’t communicate with any browser that hasn’t installed a certificate which you generate. I believe the BBC used to use this for a lot of their important servers which they wanted to be accessible only by their own developers from across the internet (I don’t know if they still do).

[... 108 words]

What are the best practices to avoid XSS and SQL Injections attacks (platform agnostic)?

Input validation is, in my opinion, a red herring. Sure—if you ask the user for an integer or date you should make sure they entered one before attempting to save it anywhere or use it for processing, but injection attacks often involve text fields (e.g. names, or comments posted on Quora) and validating those on input is a recipe for banning “Tim O’Reilly” from ever creating a proper profile on your site!

[... 316 words]

Why would someone browse the web with JavaScript disabled?

Security conscious users (who understand the implications of XSS and CSRF attacks) sometimes disable JavaScript completely, or use a tool like the NoScript extension to disable it for all sites and only re-enable it on a small whitelist of sites that they trust.

[... 67 words]

What are the JSON security concerns in web development?

Be very careful when implementing JSON-P for authenticated actions—evil third party sites could assemble URLs to your user’s private data and steal it. This attack has worked against Gmail in the past.

[... 203 words]

Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?

It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.

[... 105 words]

Why do some websites implement their logout link as a form post via JavaScript versus a plain old GET request?

Probably because if you implement logout as a GET action, I can force you to log out of a site by tricking you in to visiting a page with an <img src="http://yoursite.com/logout/" width="1" height="1"> element on it.

[... 64 words]

Why are XSS attacks spreading like fire these days?

XSS attacks are common and easy, and crop up all the time. What’s new is that the number of people who are aware of the potential for XSS worms has increased hugely, so when an XSS does crop up in something popular there’s a much higher chance of someone turning it in to a worm (as happened with Twitter the other day).

[... 96 words]

In what circumstances should one use “magic quotes” in PHP?

Absolutely never. Magic quotes was a badly designed feature, and PHP has been trying to escape its legacy for years. If you are constructing SQL strings using string concatenation you’re asking for trouble—use prepared statements or a library that interpolates and correctly escapes variables for you.

[... 65 words]

Why do some people disable JavaScript in their browser?

For security reasons.

[... 159 words]