Third Twist [Malware, plugins, sandboxes]

Twist #3 — Same Origin Policy restricts the DOM access and JavaScript behavior of content loaded from multiple origins. Malware only cares about plugin and browser versions. The web relies on browsers’ ability to aggregate resources from multiple origins. This lets us enjoy everything from improved performance by offloading static resources to Content Delivery Networks, staying up […]

Twist Two [SQL Injection]

Twist #2 — The time saved by not using parameterized queries to build SQL statements should be used to read about using parameterized queries. Nothing much to add here that I haven’t already exhausted. Instead, revisit some web hacking history with one of the first SQL injection attacks from 1999, created by Rain Forest Puppy. The following […]

Twist the First [Design vs. Implementation]

In which the exposition of Twelve Web (In)Security Truths (TWIST) begins. Twist #1 — Software execution is less secure than software design, but running code has more users. A site you send people to visit is infinitely more usable than the one you describe to people. (Value differs from usability. Before social media flamed out […]

The Twelve Web Security Truths

My current writing project has taken time away from adding new content lately. Here’s a brief interlude of The Twelve Web Security Truths I’ve been toying with as a side project. They are modeled on The Twelve Networking Truths from RFC 1925. Software execution is less secure than software design, but executing code attracts actual […]