Entries tagged security
I released Datasette 0.29 last weekend, the first version of Datasette to be built on top of ASGI (discussed previously in Porting Datasette to ASGI, and Turtles all the way down).[... 1612 words]
Is there any way to game unique link verifications? Like when you get sent a link of the form https:/........com/UID=TYYN04001, how would one change the digits to reproduce another working link?
Not if they’ve been implemented correctly.[... 42 words]
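As an added illustration of what "implemented correctly" means (example code written for this page, not part of the original answer): a weak scheme whose IDs share the prefix-plus-counter shape of the link in the question, next to a scheme built on random tokens stored as hashes. The class names, the "TYYN" prefix and the attacker's neighbour search are all constructed here.

```python
# Added example: guessable sequential verification links versus random tokens.
# The "TYYN" prefix mirrors the ID format in the question; everything else is
# constructed for this illustration.
import hashlib
import secrets


class SequentialLinks:
    """Weak: prefix plus counter, so one valid link reveals its neighbours."""

    def __init__(self, prefix="TYYN"):
        self.prefix = prefix
        self.counter = 4000
        self.pending = set()

    def issue(self):
        self.counter += 1
        uid = f"{self.prefix}{self.counter:05d}"
        self.pending.add(uid)
        return uid

    def redeem(self, uid):
        if uid in self.pending:
            self.pending.remove(uid)
            return True
        return False


class RandomLinks:
    """Correct: 256-bit CSPRNG tokens, stored only as hashes, redeemable once."""

    def __init__(self):
        self.pending = {}  # sha256(token) -> account name

    def issue(self, account):
        token = secrets.token_urlsafe(32)  # 32 random bytes, 43 URL-safe chars
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = account
        return token

    def redeem(self, token):
        # The token is hashed before lookup, so any timing leak in the lookup
        # reveals information about the digest only, which is useless without
        # a preimage. pop() makes the link single-use.
        digest = hashlib.sha256(token.encode()).hexdigest()
        return self.pending.pop(digest, None)


def guess_neighbours(seen_uid, weak, span=50):
    """Attacker who legitimately received one link tries nearby counter values."""
    prefix, number = seen_uid[:4], int(seen_uid[4:])
    hits = []
    for n in range(number - span, number + span + 1):
        candidate = f"{prefix}{n:05d}"
        if candidate != seen_uid and weak.redeem(candidate):
            hits.append(candidate)
    return hits


def demo():
    weak = SequentialLinks()
    links = [weak.issue() for _ in range(5)]        # five users get links
    stolen = guess_neighbours(links[0], weak)       # attacker owns only the first

    strong = RandomLinks()
    mine = strong.issue("attacker")
    victim = strong.issue("victim")
    # Random tokens share no structure, so "nearby" guesses mean nothing, and
    # the attacker's own token works exactly once.
    return {
        "weak_hits": stolen,
        "strong_first": strong.redeem(mine),
        "strong_again": strong.redeem(mine),
        "strong_victim_still_pending": strong.redeem(victim) == "victim",
        "token_len": len(mine),
    }
```

Running `demo()` shows the sequential scheme giving up every other outstanding link within a small range of the attacker's own, while the random scheme yields nothing to enumerate.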
By doing exactly what they’re doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.[... 80 words]
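The two controls named above, applied to a login handler, as an added example (code written for this page, not the original answer's). The sliding-window limiter, the handful of denylisted passwords and the sample account are all constructed here; a real deployment would load a proper common-password list and key the limiter on more than a bare IP.

```python
# Added example: rate limiting plus a weak-password denylist on a login endpoint.
# The denylist, the limiter and the sample credentials are constructed here.
import time
from collections import defaultdict, deque

# Stand-in for a real list such as the published "top 10,000 passwords" sets.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}


def is_weak_password(pw, min_length=8):
    """Reject anything short or present in the denylist (case-insensitive)."""
    return len(pw) < min_length or pw.lower() in COMMON_PASSWORDS


class SlidingWindowLimiter:
    """At most `limit` attempts per `window` seconds for each key."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)  # key -> timestamps of recent attempts

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, key):
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginService:
    def __init__(self, users, limiter):
        self.users = users        # username -> password (plaintext only for the demo)
        self.limiter = limiter

    def login(self, username, password, ip):
        # Limit per target account and per source address, and do it before
        # checking the password so a throttled client learns nothing about
        # whether the username exists.
        if not (self.limiter.allow(f"user:{username}")
                and self.limiter.allow(f"ip:{ip}")):
            return "rate_limited"
        if self.users.get(username) == password:
            return "ok"
        return "bad_credentials"


def dictionary_attack(service, username, wordlist, ip="203.0.113.5"):
    """Outcome of each guess in order; the limiter should cut the run short."""
    return [service.login(username, guess, ip) for guess in wordlist]
```

With a limit of five attempts per minute, a dictionary run that reaches the correct password on its sixth guess is refused before the password is ever compared.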
Set up full drive encryption—that way if someone steals your laptop they won’t be able to access your data without a password.[... 95 words]
Don’t cleanse. Escape instead.[... 18 words]
I would like to set up a web server which will be used solely by myself. What would be the safest way to do so in terms of confidentiality of the contents?
I haven’t configured them myself, but it might be worth looking into client SSL certificates for this. That way your server won’t communicate with any browser that hasn’t installed a certificate which you generate. I believe the BBC used to use this for a lot of their important servers which they wanted to be accessible only by their own developers from across the internet (I don’t know if they still do).[... 108 words]
Input validation is, in my opinion, a red herring. Sure—if you ask the user for an integer or date you should make sure they entered one before attempting to save it anywhere or use it for processing, but injection attacks often involve text fields (e.g. names, or comments posted on Quora) and validating those on input is a recipe for banning “Tim O’Reilly” from ever creating a proper profile on your site![... 316 words]
Be very careful when implementing JSON-P for authenticated actions—evil third party sites could assemble URLs to your user’s private data and steal it. This attack has worked against Gmail in the past.[... 203 words]
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross-domain XHR were allowed, the evil site could suck that secret document off your intranet without you realising.[... 105 words]
Probably because if you implement logout as a GET action, I can force you to log out of a site by tricking you into visiting a page with an <img src="http://yoursite.com/logout/" width="1" height="1"> element on it.[... 64 words]
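The JSON-P warning and the logout-via-GET entry above describe two cross-site attacks that work the same way: the browser attaches the victim's cookies to any request a third-party page provokes. This added example (written for this page, not the original posts' code) simulates a small site in Python so both can be run side by side, first with the vulnerable handlers and then with hardened ones. The `Request` shape, the endpoint paths, the session store and the "evil.example.com" attacker page are all constructed here; the `)]}'` prefix on the plain-JSON response is the convention Google adopted for its own JSON endpoints.

```python
# Added example: JSON-P leak of private data and logout-on-GET, each beside its
# hardened form. All names, paths and session data are constructed here.
import hmac
import json
import re
from dataclasses import dataclass, field

SESSIONS = {}


def reset_sessions():
    SESSIONS.clear()
    SESSIONS["s3cr3t-cookie"] = {"user": "alice", "contacts": ["bob@example.com"]}


reset_sessions()


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)  # sent by the browser on any request to the site
    form: dict = field(default_factory=dict)


def session_for(req):
    return SESSIONS.get(req.cookies.get("sid"))


def csrf_token(sid):
    # Per-session token; the attacker's page cannot read it (Same Origin Policy).
    return hmac.new(b"server-secret", sid.encode(), "sha256").hexdigest()


def vulnerable(req):
    """JSON-P of private data, and logout on GET: both forgeable from another origin."""
    session = session_for(req)
    if req.path == "/contacts.js" and session:
        return f"{req.query.get('callback', 'callback')}({json.dumps(session['contacts'])})"
    if req.path == "/logout" and session:
        SESSIONS.pop(req.cookies["sid"])
        return "logged out"
    return "denied"


def hardened(req):
    """Private data only as plain JSON (no callback); state change only via POST + token."""
    session = session_for(req)
    if req.path == "/contacts.json" and session:
        # A <script src> can fetch this but cannot read it, and the prefix
        # makes it a JavaScript syntax error if it is ever executed.
        return ")]}'\n" + json.dumps(session["contacts"])
    if req.path == "/logout" and session and req.method == "POST":
        expected = csrf_token(req.cookies["sid"])
        if hmac.compare_digest(req.form.get("csrf", ""), expected):
            SESSIONS.pop(req.cookies["sid"])
            return "logged out"
    return "denied"


def run_attacker_page(handler, jsonp_path):
    """What evil.example.com can do: <script src=...> and <img src=...> pointing at the site."""
    reset_sessions()
    cookies = {"sid": "s3cr3t-cookie"}  # victim is logged in; browser adds the cookie
    script = handler(Request("GET", jsonp_path, {"callback": "steal"}, cookies))
    m = re.fullmatch(r"steal\((.*)\)", script, re.S)
    stolen = json.loads(m.group(1)) if m else None   # attacker's steal() gets the data
    img = handler(Request("GET", "/logout", {}, cookies))  # <img src="/logout">
    return {"stolen": stolen, "logout": img, "still_logged_in": "s3cr3t-cookie" in SESSIONS}
```

Against `vulnerable`, the attacker page receives the contact list and logs the victim out; against `hardened`, the script include yields nothing it can read and the image request is refused, while a real logout form carrying the session's token still works.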
XSS attacks are common and easy, and crop up all the time. What’s new is that the number of people who are aware of the potential for XSS worms has increased hugely, so when an XSS does crop up in something popular there’s a much higher chance of someone turning it into a worm (as happened with Twitter the other day).[... 96 words]
Absolutely never. Magic quotes was a badly designed feature, and PHP has been trying to escape its legacy for years. If you are constructing SQL strings using string concatenation you’re asking for trouble—use prepared statements or a library that interpolates and correctly escapes variables for you.[... 65 words]
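The three answers above ("Don’t cleanse. Escape instead.", the "Tim O’Reilly" input-validation point, and the warning against building SQL by string concatenation) are all one argument, so here is one added example that takes the same two submitted names through each approach (code written for this page, not from the original answers). It uses the `sqlite3` and `html` modules from the Python standard library; the table, the `cleanse` filter and the sample names are constructed here.

```python
# Added example: "cleansing" on input versus prepared statements plus output
# escaping. Table, filter and sample names are constructed for this example.
import html
import re
import sqlite3

NAMES = ["Tim O'Reilly", "<script>alert(document.cookie)</script>"]


def cleanse(value):
    """The approach to avoid: strip 'dangerous' characters on input. It mangles
    legitimate data and still has to guess every context the value will reach."""
    return re.sub(r"[<>'\"]", "", value)


def insert_concatenated(conn, name):
    """Vulnerable: the apostrophe in O'Reilly ends the literal, so a legitimate
    name breaks the statement and a crafted one can rewrite it."""
    conn.execute(f"INSERT INTO profiles (name) VALUES ('{name}')")


def find_concatenated(conn, name):
    """Vulnerable lookup: a value like `' OR '1'='1` returns every row."""
    return [r[0] for r in conn.execute(f"SELECT name FROM profiles WHERE name = '{name}'")]


def insert_prepared(conn, name):
    """Correct: the value travels separately from the SQL and is stored intact."""
    conn.execute("INSERT INTO profiles (name) VALUES (?)", (name,))


def find_prepared(conn, name):
    return [r[0] for r in conn.execute("SELECT name FROM profiles WHERE name = ?", (name,))]


def render_profile(name):
    """Escape for the HTML context at output time; stored data stays untouched."""
    return f"<h1>{html.escape(name)}</h1>"


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (name TEXT)")
    results = {"cleansed": [cleanse(n) for n in NAMES], "concat_error": None}
    try:
        insert_concatenated(conn, NAMES[0])   # O'Reilly alone breaks the query
    except sqlite3.Error as exc:
        results["concat_error"] = str(exc)
    for n in NAMES:
        insert_prepared(conn, n)
    results["stored"] = [r[0] for r in conn.execute("SELECT name FROM profiles ORDER BY rowid")]
    results["rendered"] = [render_profile(n) for n in results["stored"]]
    results["injected_lookup"] = find_concatenated(conn, "' OR '1'='1")
    results["prepared_lookup"] = find_prepared(conn, "' OR '1'='1")
    return results
```

`cleanse` turns the publisher into "Tim OReilly" and still leaves the script text behind; concatenation cannot even store the real name; the prepared statement stores both strings exactly, and `html.escape` makes the second one harmless only at the point where it is rendered into HTML.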
For security reasons.[... 159 words]
I’ve decided to step up my involvement in Django development in the run-up to Django 1.2, so I’m currently going through several years worth of accumulated pony requests figuring out which ones are worth advocating for. I’m also ensuring I have the code to back them up—my innocent AutoEscaping proposal a few years ago resulted in an enormous amount of work by Malcolm and I don’t think he’d appreciate a repeat performance.[... 1674 words]
Ryan Janssen: Why an OAuth iframe is a Great Idea.[... 570 words]
On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.[... 910 words]
TechCrunch report that Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign. "Whatever happened to the Open in OpenID?", asks TechCrunch’s Jason Kincaid.[... 451 words]
User account breaches are inevitable. We should take that into account when designing our applications.[... 545 words]
On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites.
Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.[... 531 words]
Google have an open URL redirector, so you can craft a link that uses that:[... 35 words]
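An open redirector is what lets a phishing link of the kind discussed in the two entries above carry a trusted hostname. As an added example (written for this page, not part of the original post), here is the check a site can apply to its own "next" or "redirect" parameter so it does not become one. The function name and the `example.com` allow-list are constructed; the tricky inputs in the usage below are the ones browsers resolve differently from naive string checks.

```python
# Added example: validating a redirect target so it stays on the site.
# Function name and allowed hosts are constructed for this example.
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_hosts=("example.com",), require_https=True):
    """True only for an absolute path on this site, or an absolute http(s) URL on an allowed host."""
    target = target.strip()
    if not target:
        return False
    # Browsers treat backslashes as slashes and strip these control characters,
    # so the URL they follow can differ from the one urlsplit sees; refuse them.
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if not parts.scheme and not parts.netloc:
        # Relative URL. "//host" and "///host" are scheme-relative, not paths.
        return target.startswith("/") and not target.startswith("//")
    # "http:/evil" has a scheme but no authority; browsers still resolve it to
    # http://evil/ when the base scheme differs, so require an explicit host.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if require_https and parts.scheme != "https":
        return False
    # .hostname drops userinfo and port, so "https://example.com@evil.example/"
    # is judged by "evil.example".
    return parts.hostname in allowed_hosts
```

Relative targets without a leading slash are rejected as well; they resolve on-site, but accepting only absolute paths keeps the rule simple to audit.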
eval() there’s probably something wrong with your design.
I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.[... 311 words]
If you have any version of Greasemonkey installed prior to 0.3.5, which was released a few hours ago, or if you are running any of the 0.4 alphas, you need to go and upgrade right now. All versions of Greasemonkey aside from 0.3.5 contain a nasty security hole, which could enable malicious web sites to read any file from your hard drive without you knowing.[... 809 words]
My final year project is due in two weeks, and I’m going to be running on silent for most of them. I have, however, upgraded to Tiger and playing with Spotlight has given me plenty to think about.[... 414 words]
Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.[... 262 words]
Anyone who makes heavy use of the internet has run into the password problem: dozens of user accounts on sites with varying degrees of trustability, leading to an unmanageable proliferation of username and password combinations. The temptation is to use the same combination on multiple sites, but doing so opens you up to the horrifying prospect of a security flaw in one site compromising all of your other accounts.[... 366 words]
There’s a nasty OS X vulnerability under discussion at the moment which lets a web page execute code on your machine by taking advantage of a flaw in the “help:” protocol. There’s a non-malicious demonstration of the exploit on this page, and Jay Allen is hosting a discussion on the exploit and ways to avoid it.[... 253 words]