blogmarks.net

a912rtag9

1 month ago

Rod Begbie : a912rtag9 - Since breaking the search box on groovymother a couple of weeks ago, I've spotted a lot of XSS attempts in my logs. The phrase "a912rtag9" in particular seems to appear a lot, and it looks like it's a bot spidering search boxes across the internet. Anyon

Tags : a912rtag9 security xss


Category:OWASP AntiSamy Project - OWASP

12 months ago

wearehugh : Category:OWASP AntiSamy Project - OWASP

Tags : javascript security xss


Filtering & Escaping Cheat Sheet - Pixelated Dreams

15 months ago

deusx : Filtering & Escaping Cheat Sheet - Pixelated Dreams - Nice cheat sheet, but looking at the semi-random names of all these functions it's no wonder that this stuff isn't just natural.

Tags : php security xss


Chris Shiflett: My Top Two PHP Security Practices

15 months ago

deusx : Chris Shiflett: My Top Two PHP Security Practices - "I have decided to promote my Top Two PHP Security Practices, expressed in four words: Filter input Escape output"

Tags : php security webdev xss


This Blog is Susceptible to Persistent Cross Site Scripting (XSS) - O'Reilly ONLamp Blog

15 months ago

wearehugh : This Blog is Susceptible to Persistent Cross Site Scripting (XSS) - O'Reilly ONLamp Blog

Tags : security web xss


PHP: Filter Functions - Manual

15 months ago

deusx : PHP: Filter Functions - Manual - "This extension serves to validate and filter data coming from some insecure source, such as user input."

Tags : php security xss


XSS: Wikipedia

17 months ago

nelson : XSS: Wikipedia - Remarkably good article

Tags : browser hacking html javascript security web xss


Ned Batchelder: Xss with utf-7

19 months ago

deusx : Ned Batchelder: Xss with utf-7 - "The resulting page doesn't have any explicit declaration of its character set, so depending on your browser settings, the browser may try to auto-detect the character set, and seeing the distinctive UTF-7 byte sequences, will choose UTF-7. In UTF-7,

Tags : ugh utf-7 webdev xss


Most HTML templating languages are written incorrectly

20 months ago

Simon Willison : Most HTML templating languages are written incorrectly - Most HTML templating languages are written incorrectly. “If you ever find yourself in the position of designing an html template language, please make the default behavior when including variables be to HTML-escape them.” I couldn’t agree more.

deusx : dtm: Most HTML templating languages are written incorrectly - "the problem with virtually every HTML templating language out there is that they make it easier for the person writing HTML templates to add an XSS hole than to avoid it."

Tags : html security templating webdev xss


robubu » Blog Archive » HttpOnly please

23 months ago

wearehugh : robubu » Blog Archive » HttpOnly please - "The firefox community has been debating exactly how to implement it since 2002." I'm shocked -- shocked!

Tags : firefox google security xss


ha.ckers.org web application security lab - Archive » Cross Site Scripting Vulnerability in Go...

29 months ago

wearehugh : ha.ckers.org web application security lab - Archive » Cross Site Scripting Vulnerability in Google

Paul Hammond : ha.ckers.org web application security lab - Archive » Cross Site Scripting Vulnerability in Google - Google cannot be trusted implicitly because of these types of holes, in the same way any major site cannot be trusted implicitly for the same reason

Tags : google security xss


Jibbering Musings » Don’t serve JSON as text/html

29 months ago

wearehugh : Jibbering Musings » Don’t serve JSON as text/html

Simon Willison : Don't serve JSON as text/html - Another sneaky XSS trick.

Paul Hammond : Jibbering Musings » Don’t serve JSON as text/html - a browser will render that as if it was an HTML page, even if it’s really just a javascript snippet

Tags : google security xss


A List Apart: Articles: Community Creators, Secure Your Code!

32 months ago

Paul Hammond : A List Apart: Articles: Community Creators, Secure Your Code! - Validating and sanitizing user input is no longer optional

wearehugh : A List Apart: Articles: Community Creators, Secure Your Code!

Tags : css ie injection javascript security xss


The Ethical Hacker Network - How To Break Web Software

32 months ago

kayodeok : The Ethical Hacker Network - How To Break Web Software - This chapter is excerpted from the book titled "How to Break Web Software: Functional and Security Testing of Web Applications and Web Services" by Mike Andrews, James A. Whittaker

Tags : books coding daily forensics hacking hacks howto security software utilities web webdesign webdev xss


Microsoft releases new tool to counteract cross-site scripting attacks: Anti-Cross Site Scripting...

33 months ago

kayodeok : Microsoft releases new tool to counteract cross-site scripting attacks: Anti-Cross Site Scripting Library V1.0 - The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to web-based applications against Cross-Site Scripting (XSS) attacks.

Tags : .net browsers daily download library microsoft scripting security via:danaepp web webdev windows xss


Cgisecurity.com: Cross Site Scripting questions and answers

36 months ago

kayodeok : Cgisecurity.com: Cross Site Scripting questions and answers - Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link fro

Tags : daily hackers hacking security web xss


Digg Vulnerable to XSS

36 months ago

kayodeok : Digg Vulnerable to XSS - While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding

Tags : daily digg search security vulnerabilities web xss


Repeat After Me: Lack of _Output Encoding_ Causes XSS Vulnerabilities

36 months ago

kayodeok : Repeat After Me: Lack of _Output Encoding_ Causes XSS Vulnerabilities - The correct approach to solving XSS problems is to ensure that every user supplied parameter is HTML Output Encoded (Example: < is replaced with

Tags : (x)html daily encoding security tips vulnerabilities web xss


No, ask what Bloglines can do to you

37 months ago

kayodeok : No, ask what Bloglines can do to you - The short version, since I do seem to go on: Bloglines doesn't properly remove JavaScript from on {event} attributes, only from elements, so any post you view is capable of stealing your login cookie, including your email address, and doing anyth

Milo Vermeulen : phil ringnalda on Bloglines cross-site-scripting security hole [via]

Paul Hammond : phil ringnalda » No, ask what Bloglines can do to you - any post you view is capable of stealing your login cookie, including your email address, and doing anything in the interface

deusx : phil ringnalda » No, ask what Bloglines can do to you - "If you are depending on the search feed providers to strip dangerous markup before it gets to you, you’re putting your faith in two wrong places."

Tags : aggregators bloglines bugs communication daily news rss security web webdev xss atom hackingfeeds syndication


XSS (Cross Site Scripting) Cheatsheet

43 months ago

kayodeok : XSS (Cross Site Scripting) Cheatsheet - This page is for people who already understand the basics of XSS but want a deep understanding of the nuances regarding filter evasion

joshua : XSS (Cross Site Scripting) Cheat sheet

Isofarro : XSS (Cross Site Scripting) Cheat Sheet - Comprehensive list of Cross site scripting attack vectors. Some interesting techniques.

Tags : cheat_sheets daily hacking hacks security via:phpdeveloper web webdev xss dev


Mozilla Firefox Two Vulnerabilities

43 months ago

kayodeok : Mozilla Firefox Two Vulnerabilities - Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system

Tags : browsers daily firefox poc secunia vulnerabilities web xss


What Phishers Know That You Don't

43 months ago

kayodeok : What Phishers Know That You Don't - A phishing primer. To read.

Tags : daily phishing security spoofing toread vulnerabilities web xss


Cross Site Scripting in Mozilla Firefox

45 months ago

kayodeok : Cross Site Scripting in Mozilla Firefox - Dragging an image into the address bar will cause Firefox to navigate to the image URL even if it is a JavaScript URL and the page to be navigated from is in a different domain than the page on which the image is shown. This may potentially allow attacker

Tags : browsers daily firefox javascript vulnerabilities web xss
