Simon Willison’s Weblog

DNS Pinning Explained. With diagrams. # 7th August 2007, 11:01 am

(somewhat) breaking the same-origin policy by undermining dns-pinning. This is the best technical explanation of the DNS rebinding attack I’ve seen. The linked demo worked for me in Safari but not in Camino. # 2nd August 2007, 12:53 pm

Your browser is a tcp/ip relay. Thoroughly nasty new(ish) attack that breaks the same-domain policy and allows intranet content to be stolen by a malicious site. Using virtual hosts (hence requiring the Host: header) is the best known protection. # 2nd August 2007, 12:53 pm

Side-Channel Attacks and Security Theatre. “In order to mount most of these attacks the attacker must be local [...] every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks?” # 2nd August 2007, 12:30 pm

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett. # 18th July 2007, 7:45 am

Anyone who recently downloaded GreaseMonkey scripts from userscripts.org should check their scripts. I haven’t confirmed this, but this Jyte claim suggests that userscripts.org was hacked and cookie stealing code inserted in to some of the scripts. UPDATE: Not hacked; just bad scripts submitted through the regular process. # 7th July 2007, 10:43 pm

Safari Beta 3.0.1 for Windows. A nice fast turnaround on fixes for security flaws in the beta. # 14th June 2007, 9:56 am

Safari for Windows, 0day exploit in 2 hours (via) Once again, down to handling of alternative URL protocol schemes. # 12th June 2007, 1:30 pm

Security Breach. A statement from Dreamhost. # 8th June 2007, 8:16 am

Firefox promiscuous IFRAME access bug. Lets malicious sites “display disruptive or misleading contents in the context of an attacked site” and intercept keystrokes! The demo worked in Camino 1.5 as well. Avoid using Gecko-based browsers until this is patched? # 6th June 2007, 10 am

Gaping holes exposed in fully-patched IE 7, Firefox (via) Michal Zalewski released a new Firefox 2.0 vulnerability in addition to the IE cookie stealing one. # 6th June 2007, 9:57 am

IE vulnerability allows cookie stealing. Full exploit against the same-domain cookie origin policy, so malicious sites can steal cookies from elsewhere. Avoid using IE until this is patched. # 6th June 2007, 9:53 am

Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post. # 5th June 2007, 9:16 pm

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature. # 29th May 2007, 10:07 pm

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank. # 29th May 2007, 10:03 pm

The Twitter API Respects Your Privacy. Not Twitter’s fault: The users who exposed their data through Twittervision had given that site their username and password; Twittervision was failing to hide protected updates. # 24th May 2007, 11:37 pm

There’s a hole in your Twitter. If you’ve been using friends-only messages on Twitter they may currently be exposed via the API. # 24th May 2007, 5:03 pm

Introducing http:BL (via) Project Honey Pot announce a new blacklist service for blocking comment spammers and e-mail spiders using information from their network of honey pots. # 25th April 2007, 11:39 pm

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more. # 15th April 2007, 8:28 pm

JSON and Browser Security. Douglas Crockford suggests using secret tokens to protect JSON content, and avoiding wrapper hacks to protect unauthorised JSON delivery as they may fall foul of undiscovered browser bugs in the future. # 11th April 2007, 12:52 am

Fortify JavaScript Hijacking FUD. Bob Ippolito points out the flaws in the recent widely disseminated JavaScript Hijacking paper. While the paper does miss some important details, it’s good that more people are now aware of the security implications involved in serving JSON up wrapped in an array. # 5th April 2007, 10:51 pm

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago! # 16th March 2007, 10:16 am

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative. # 12th March 2007, 12:34 am

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway. # 6th March 2007, 8:06 am

JSON is not as safe as people think it is. Joe Walker reminds us that even authenticated JSON served without a callback or variable assignment is vulnerable to CSRF in Firefox, thanks to that browser letting you redefine the Array constructor. # 5th March 2007, 10:51 pm

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. # 4th March 2007, 9:24 pm

WordPress 2.1.1 dangerous, Upgrade to 2.1.2. Helping to spread the word. You’re affected if you’ve downloaded WordPress 2.1.1 in the last three or four days. # 3rd March 2007, 8:06 am

Safe JSON (via) Subtle but important point about JSON APIs: you shouldn’t use a callback or variable assignment for JSON incorporating private user data, especially if it’s at a predictable URL. # 2nd March 2007, 1:11 pm