REST and XSRF, Part One

Hi everyone. In case you missed my talk at Black Hat, “REST for the Wicked”, I wanted to give you the Cliffs Notes version here. This will be a two-part post; the first will deal with attack techniques and the second will describe appropriate design and implementation mitigations for the attacks. The SOAP vs….


Show some respect to XSS

has just posted an article of mine on the dangers of XSS. (Although they still have my old bio from when I worked at HP, I’ll have to get that changed!)


SQL injection in classic ASP

In light of the recent wake of SQL injection attacks on ASP sites, I’d like to highlight some relevant resources for learning about and responding to the threat. Bala Neerumalla has written a detailed document for preventing SQL injection in ASP (that is, classic ASP, not ASP.NET). The Security Vulnerability Research & Defense blog has posted an analysis of the attack,…


Cross-domain XHR will destroy the internet

Ok, maybe “destroy the internet” is a little harsh. But let’s take a look at the impact that implementation of the current W3C working draft for cross-domain access would have on browser security. Some people might argue that there’s no more risk from cross-domain XHR than there is from cross-domain Flash or Silverlight, but…


BlueHat shows some love to web app security

If you haven’t heard yet, BlueHat v7 is dedicating the entire block of morning sessions to web app security issues. I’ll be there, talking about my first 30 days as the new web app sec guy on the SDL team. Hope to see you there!