Simon Willison’s Weblog

Items tagged xss, security

Filters: xss × security ×


Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet. # 10th January 2008, 6:46 pm

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP). # 6th January 2008, 9:35 am

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes. # 1st December 2007, 8:34 pm

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default. # 14th November 2007, 5:05 pm

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar. # 25th October 2007, 7:56 am

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON. # 9th October 2007, 12:23 pm

Designing for a security breach

User account breaches are inevitable. We should take that in to account when designing our applications.

[... 545 words]

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature. # 29th May 2007, 10:07 pm

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank. # 29th May 2007, 10:03 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. # 15th April 2007, 8:28 pm

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. # 12th March 2007, 12:34 am

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway. # 6th March 2007, 8:06 am

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. # 4th March 2007, 9:24 pm

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!) # 17th January 2007, 9:09 am

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services. # 14th January 2007, 1:36 pm

The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline. # 11th January 2007, 4:23 pm

If you are subject to an XSS, the same domain policy already ensures that you’re f’d. An XSS attack is the “root” or “ring 0” attack of the web.

Alex Russell # 8th January 2007, 10:48 pm

Why is XSS so common? Because dev tools don’t escape things by default. # 2nd August 2006, 8:57 pm

Don’t serve JSON as text/html. Another sneaky XSS trick. # 5th July 2006, 11:46 pm

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property. # 22nd January 2006, 9:37 pm

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month. # 21st January 2006, 8:47 pm

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS. # 24th December 2005, 5:21 pm

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

[... 262 words]

Security and coding style

A couple of good web development security resources:

[... 127 words]