Insistently Marketing Persistent XSS

Want to make your site secure? Write secure code. Want to make it less secure? Add someone else’s code to it. Even better, do it in the “cloud.” The last few HTML injection articles here demonstrated the reflected variant of the attack. The exploit appears within the immediate response to the request that contains the […]

Implicit HTML, Explicit Injection

When designing security filters against HTML injection you need to outsmart the attacker, not the browser. HTML’s syntax is more forgiving of mis-nested tags, unterminated elements, and entity-encoding compared to formats like XML. This is a good thing, because it ensures a User-Agent renders a best-effort layout for a web page rather than bailing on […]

Know Your JavaScript (Injections)

HTML injection vulnerabilities make a great Voigt-Kampff test for proving you care about security. We need some kind of tool to deal with developers who take refuge in the excuse, “But it’s not exploitable.” Companies like MasterCard and VISA created the PCI standard to make sure web sites care about vulns like XSS. Parts of […]

A Lesser XSS Attack Greater Than Your Regex Security

I know what you’re thinking. “Did my regex block six XSS attacks or five?” You’ve got to ask yourself one question: “Do I feel lucky?” Well, do ya, punk? Maybe you read a few HTML injection (cross-site scripting) tutorials and think a regex solves this problem. Maybe. Let’s revisit that thinking. We’ll need an attack […]

HIQR for the SPQR

Friends, Romans, visitors, lend me your eyes. I’ve added an HTML injection quick reference (HIQR) to the site. It’s not in iambic pentameter, but there’s a certain rhythm to the placement of quotation marks, less-than signs, and alert() functions. For those unfamiliar with HTML injection (or cross-site scripting in the vulgate), it’s a vulnerability that […]

JavaScript Is Harmless

In the preface to my “Mitigating…” talk I offer this Orwellian summation of the state of JavaScript as it relates to browser security: War is peace. Freedom is slavery. Ignorance is strength. JavaScript is harmless. I then put forth arguments and examples for securing the client from JavaScript-related mishaps by adopting HTML5. The goal, to quote another […]

My Zombie Incursion into Amazon.com

This is how it began. Over two years ago I unwittingly planted the seeds of an undead horde into the pages of my book, Seven Deadliest Web Application Attacks. Only recently did I discover the rotted fruit of those seeds festering within the pages of Amazon. Visit the book’s Amazon page. Click on the “Look […]

Cross-Site Tracing (XST): The misunderstood vulnerability

In January 2003 Jeremiah Grossman divulged a method to bypass the HttpOnly cookie restriction. He named it Cross-Site Tracing (XST), unwittingly starting a trend to attach “cross-site” to as many web-related vulnerabilities as possible. Alas, the “XS” in XST evokes similarity to XSS (Cross-Site Scripting), which has the consequence of leading people to mistake XST […]

Primordial cross-site scripting (XSS) exploits

The Hacking Web Apps book covers HTML Injection and cross-site scripting (XSS) in Chapter 2. Within the restricted confines of the allotted page count, it describes one of the most pervasive attacks that plagues modern web applications. Yet XSS is old. Very, very old. Born in the age of acoustic modems barely a Planck Era after […]