For nearly a decade, those of us in web security have been doing a disservice to ourselves and, more importantly, our customers. Like Pavlov, we've trained people to respond to certain stimuli. Rather than a bell, we've relied heavily on the alert() dialog box to prove our point--that cross-site...
Aspect Security has just released, through OWASP , a new tool called " Scrubbr ". Scrubbr is a Java program which connects to your database (MySQL 5+, MS SQL 2005+, and Oracle) directly and analyzes databases or specific tables looking for XSS strings. The strings are defined via an XML--it...
Our Ajax Security book from Addison Wesley has been published! By now I'm sure everyone is tried of me talking about the book and its merits, so let's see what some of experts in the web security space are saying about it: Andrew van der Stock The Executive Director of OWASP reviewed a draft...
Update: Hmmm. I think I'm looking at the wrong thing. This needs more testing/tracing to see exactly whats going on. Just a quick update from yesterday's post . It appears that Mozilla Rhino (a JavaScript interpreter written in Java) uses Java's String object to represent JavaScript strings...
While reading through an article about Firefox 3 on Security Focus today I snarfed my drink when I read the following passage: The group also rewrote the Password Manager in JavaScript from C++ to eliminate memory errors, Schroepfer said. Digging a little deeper I find an article talking about how OS...
Bryan and I got to see the cover of our book Ajax Security before it went to the printers today. It included what is known in the industry as a praise quote , where someone who is famous in a certain space reads the manuscript and provides a quote for the book. Byran and I received the following quote...
Its time again for AjaxWorld , the largest Ajax conference in the US. Bryan and I are thrilled. AjaxWorld offered us back -to- back sessions so we can do a 90+ minute workshop on how to break into Ajax applications. We will not only hit the major themes like increased attack surface, code transparency...
I’m really excited to be speaking at Shmoocon again and especially excited about my presentation this Saturday at 1pm. Javascript Malware for a Gray Goo Tomorrow focuses on the increased scope of damage caused by Cross-Site Scripting (XSS) vulnerabilities in the last year. The Web 2.0 revolution...