Simon Willison’s Weblog

Subscribe
Atom feed for jeremiah-grossman

3 items tagged “jeremiah-grossman”

2008

When visiting any Web page, the site owner is easily able to ascertain what websites you've visited (CSS color hacks) or places you're logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that's not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF).

Jeremiah Grossman

# 3rd November 2008, 12:43 pm / jeremiah-grossman, security, xss, csrf

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole.

# 15th May 2008, 8:06 am / jeremiah-grossman, flash, javascript, security, csrf, xss, crossdomainxml

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable.

# 12th April 2008, 10:52 am / jeremiah-grossman, csrf, rsa, rsa2008, security