Bad Code Entitles Good Exploits

I have yet to create a full taxonomy of the mistakes developers make that lead to insecure code. As a brief note towards that effort, here’s an HTML injection (aka cross-site scripting) example that’s due to a series of tragic assumptions that conspire to not only leave the site vulnerable, but waste lines of code …

A Lesser XSS Attack Greater Than Your Regex Security

I know what you’re thinking. “Did my regex block six XSS attacks or five?” You’ve got to ask yourself one question: “Do I feel lucky?” Well, do ya, punk? Maybe you read a few HTML injection (cross-site scripting) tutorials and think a regex solves this problem. Maybe. Let’s revisit that thinking. We’ll need an attack …

Regex-based security filters sink without anchors

In June 2010 the Stanford Web Security Research Group released a study of clickjacking countermeasures employed across Alexa Top-500 web sites. It’s an excellent survey of different approaches taken by web developers to prevent their sites from being subsumed by an iframe tag. One interesting point emphasized in the paper is how easily regular expressions …