Simon Willison’s Weblog

Subscribe
Atom feed for xss

59 items tagged “xss”

2008

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks the principle domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP inteference.

# 21st April 2008, 6:51 am / isp, subdomains, dns, security, earthlink, xss, wildcarddns

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types.

# 14th April 2008, 8:18 am / ie, internet-explorer, browsers, contenttypes, security, xss

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site.

# 20th January 2008, 9:49 am / perldotcom, oreilly, nat-torkington, javascript, security, domains, xss

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet.

# 10th January 2008, 6:46 pm / xss, safeerb, rails, ruby, security

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP).

# 6th January 2008, 9:35 am / flash, xss, security, shockwave

2007

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.

# 1st December 2007, 8:34 pm / rails, autoescaping, django, security, xss

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default.

# 14th November 2007, 5:05 pm / malcolmtredinnick, django, autoescaping, xss, security, python, templating

Site-specific browsers and GreaseKit. New site-specific browser tool which lets you include a bunch of Greasemonkey scripts. For me, the killer feature of site-specific browsers is still cookie isolation (to minimise the impact of XSS and CSRF holes) but none of the current batch of tools advertise this as a feature, and most seem to want to share the system-wide cookie jar.

# 25th October 2007, 7:56 am / greasekit, csrf, javascript, greasemonkey, cookies, safari, security, sitespecificbrowsers, webkit, xss, chris-messina

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON.

# 9th October 2007, 12:23 pm / rails, django, python, ruby, xss, security

Designing for a security breach

User account breaches are inevitable. We should take that in to account when designing our applications.

[... 545 words]

Top XSS exploits by PageRank. Yahoo!, MSN, Google, YouTube, MySpace, FaceBook all feature.

# 29th May 2007, 10:07 pm / yahoo, msn, google, youtube, facebook, xss, pagerank, security

XSSed. Cross-site scripting resource and vulnerabilities archive, including reported (unpatched) holes ordered by PageRank.

# 29th May 2007, 10:03 pm / xss, pagerank, security

Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more.

# 15th April 2007, 8:28 pm / xss, security, templating, daniel-martin

XSS. Sanitising HTML is an extremely hard problem. The sanitize helper that ships with Rails is completely broken; Jacques Distler provides a better alternative.

# 12th March 2007, 12:34 am / xss, security, rails, jacques-distler

Security; AJAX; JSON; Satisfaction. The JSON attack I linked to earlier only works against raw arrays, which technically aren’t valid JSON anyway.

# 6th March 2007, 8:06 am / json, security, xss

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server.

# 4th March 2007, 9:24 pm / php, phpinfo, xss, security

MySpace: Too Much of a Good Thing? CSS customization really was just the result of forgetting to strip HTML. They “eventually” decided to filter out JavaScript(!)

# 17th January 2007, 9:09 am / myspace, css, javascript, xss, security

Details of Google’s Latest Security Hole. For a brief while you could use Blogger Custom Domains to point a Google subdomain at your own content, letting you hijack Google cookies and steal accounts for any Google services.

# 14th January 2007, 1:36 pm / xss, domainsecurity, google, security

The Adobe PDF XSS Vulnerability. If you host a PDF file anywhere on your site, you’re vulnerable to an XSS attack due to a bug in Acrobat Reader versions below 8. The fix is to serve PDFs as application/octet-stream to avoid them being displayed inline.

# 11th January 2007, 4:23 pm / security, adobe, pdf, vulnerability, xss

If you are subject to an XSS, the same domain policy already ensures that you're f'd. An XSS attack is the "root" or "ring 0" attack of the web.

Alex Russell

# 8th January 2007, 10:48 pm / alex-russell, security, xss

2006

Why is XSS so common? Because dev tools don’t escape things by default.

# 2nd August 2006, 8:57 pm / xss, security

How the myspace SWF hack worked. If Flash is a vector for XSS, is this the end of Flash badges?

# 17th July 2006, 6:04 pm / xss, swf, flash, myspace

Don’t serve JSON as text/html. Another sneaky XSS trick.

# 5th July 2006, 11:46 pm / security, json, xss, http

Mozilla causing XSS in Livejournal. Their recent worm attack was caused by the -moz-binding CSS property.

# 22nd January 2006, 9:37 pm / mozilla, css, livejournal, security, xss

Xanga Hit By Script Worm (in December) (via) Description of an XSS worm that hit Xanga last month.

# 21st January 2006, 8:47 pm / xanga, worm, xss, security

2005

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.

# 24th December 2005, 5:21 pm / xss, security, google, chris-shiflett

2004

The Register hit by XSS

Here’s a nasty one: popular tech news site The Register was hit on Saturday by the Bofra exploit, a nasty worm which uses an iframe vulnerability in (you guessed it) Internet Explorer to install nasty things on the victim’s PC. Where it gets interesting is that the attack wasn’t against the Register themselves; it came through their third party ad serving company, Falk AG.

[... 262 words]

2002

Security and coding style

A couple of good web development security resources:

[... 127 words]