Insecure Web

Facebook Phishing site: fbstarter.com

Mauvis Ledford — Thu, 30 Apr 2009 16:49:30 +0000

I got a Facebook mail from a friend today titled “Look at this!” with a link to fbstarter.com. The site itself, looks just like FaceBook (even the code view and CSS – screenshot here) – but the site itself didn’t seem to offer much except for a login. I put in dummy information and was redirected [...]

XSS exploits in 8 of AOL’s properties including Engadget, TUAW, and Social Thing enabled sites

Mauvis Ledford — Thu, 30 Apr 2009 15:00:55 +0000

Update 05-27-2009: A web developer at AOL is investigating these issues and in the meantime this post has been temporary disabled. It’ll return for educational purposes when the issues are resolved.

Protected: XSS exploits in 8 of AOL’s properties including Engadget, TUAW, and Social Thing enabled sites

Mauvis Ledford — Thu, 30 Apr 2009 15:00:28 +0000

There is no excerpt because this is a protected post.

Secure yourself from the recent PDF exploits by disabling JavaScript

Bryan Migliorisi — Sat, 21 Feb 2009 03:35:59 +0000

A recent PDF exploit has been running wild across the internet for the past few days. Not unlike many other Adobe Acrobat exploits, this one relies on the fact that Acrobat and Acrobat Reader ship with JavaScript enabled by default. Shame on you, Adobe. What is interesting about this exploit is that you do not even [...]

Newish web-based PDF attack in the wild (with real exploit code)

Mauvis Ledford — Fri, 20 Feb 2009 05:39:04 +0000

At work, a client recently contacted us about some random ads that were popping up on their site - interestingly enough through Adobe Acrobat. While I’m on a mac and didn’t experience the popups firsthand, I did pinpoint the problem to come from a hidden iframe located on the page (The client is a news [...]

Password Policies

Bryan Migliorisi — Wed, 04 Feb 2009 20:46:32 +0000

Poor, or non existent, password policies are leaving too many people open to attack. In fact, there are many companies and websites who continue to require weak and insecure passwords. Yes, they require them. I know that my bank does this. So does American Express and ING Direct. Try to enter a password with special characters. [...]

Secure your Ajax requests: part 2

Mauvis Ledford — Fri, 19 Dec 2008 17:55:49 +0000

In the previous post, Bryan showed you how to prevent a JSON payload to be rendered across domains by simply adding a string of text at the beginning of the payload that either 1) invalidates it (script tags are only allowed to pull in valid JavaScript before they do anything) or 2) creates an infinite [...]

Secure your Ajax requests with jQuery

Bryan Migliorisi — Fri, 21 Nov 2008 20:18:00 +0000

Ajax requests suffer from the same Cross Site Request Forgery attack vectors as normal pages. Many developers assume that a given ajax request will only take place on their site, and therefor skip out on the security. Not true. Google found out the hard way when security researcher Jeremiah Grossman uncovered a flaw in [...]

HTTP Methods: GET vs POST

Bryan Migliorisi — Fri, 21 Nov 2008 17:54:01 +0000

HyperText Transfer Protocol, or HTTP, is the protocol of the web. It is what transports data from client to server and back. The HTTP specification defines several HTTP methods for transferring different types of data. Most of the methods defined are used for proxys and specialty applications. HTTP GET and POST [...]

An Introduction to Web Application Security

Bryan Migliorisi — Sun, 09 Nov 2008 00:51:13 +0000

When writing a web application, many times developers will focus more on features and usability than anything else Security is often an afterthought. Usually, security is only a concern once a vulnerability has been not only discovered, but exploited. As developers, designers and software architects, we must ensure that the security of [...]