Simon Willison’s Weblog

Subscribe
Atom feed for chris-shiflett

6 items tagged “chris-shiflett”

2009

A rev=“canonical” HTTP Header. Chris Shiflett proposes optionally exposing rev=canonical information in an HTTP header, thus allowing sites to discover shorter URLs using just a HEAD request and removing the need to parse HTML. The pingback specification also uses this shortcut.

# 12th April 2009, 12:33 pm / pingback, chris-shiflett, head, http, headers, revcanonical

Twitter Don’t Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. Thiss will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit.

# 12th February 2009, 7:56 pm / framebusting, javascript, security, clickjacking, twitter, chris-shiflett

2008

End of Life for PHP 4. Apparently 8/8/8 marks the end of the line for PHP 4—no new releases, no support, not even security patches.

# 8th August 2008, 11:32 pm / php, chris-shiflett, php4

2007

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett.

# 18th July 2007, 7:45 am / chris-shiflett, csrf, security

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago!

# 16th March 2007, 10:16 am / csrf, security, chris-shiflett, amazon

2005

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.

# 24th December 2005, 5:21 pm / xss, security, google, chris-shiflett