Happy 10th birthday Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:
Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting
The next day there was consensus: Cross Site Scripting. In retrospect, I think this was a good choice given the…

Current Thoughts on DNS Rebinding

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding.  As you may recall, an attacker can’t abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session.  The gist of what these guys are talking about is how the attacker can…

Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets.  If you’ve followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is…  interesting.  But at least in the Unicode world there are standards and evolving best practices dictating how…

Good Bug

Credit goes to Alex “Kuza55” Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag heuristic.  The original heuristic failed to properly sanitize OBJECT tags with the DATA attribute set.  Alex found that it is possible to use the DATA attribute to instantiate the PDF handler, then reference content to be loaded using a PARAM element. …
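The shape of the weakness is worth seeing in code: a heuristic that judges an OBJECT by what its DATA attribute points at can be satisfied by a harmless-looking DATA value while the real reference rides in a PARAM child. The scanner below is an added illustration written for this page; it is not the XSS Filter's own heuristic and not Alex's proof of concept. The site host, the sample markup and the `name="src"` parameter are constructed placeholders (the post names no particular parameter), and the hypothetical `check_params` switch contrasts a DATA-only check with one that also inspects PARAM values.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample markup for this example; not taken from the post.
# The <param name="src"> name is a placeholder, the post names none.
SITE_HOST = "www.example.com"  # assumed origin the filter is protecting
BYPASS_SAMPLE = (
    '<object data="/docs/form.pdf">'  # same-site DATA, looks harmless
    '<param name="src" value="http://attacker.example/payload" />'
    '</object>'
)
DIRECT_SAMPLE = '<object data="http://attacker.example/x.pdf"></object>'
BENIGN_SAMPLE = '<p>hi</p><param name="x" value="http://attacker.example/">'

SCRIPT_SCHEMES = ("javascript", "vbscript", "data")


def is_untrusted_reference(value, site_host=SITE_HOST):
    """True if the value would load off-site content or run script.

    Caveat: this runs on the decoded attribute value only; a real filter
    must canonicalize charset and escaping tricks before this check."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() in SCRIPT_SCHEMES:
        return True
    return bool(parts.netloc) and parts.netloc.lower() != site_host


class ObjectScanner(HTMLParser):
    """Collects untrusted references carried by <object> elements.

    check_params=False models a heuristic that inspects only the DATA
    attribute; check_params=True also inspects <param value="..."> children
    nested inside the object, which is where the bypass above places
    the content to be loaded."""

    def __init__(self, check_params):
        super().__init__()
        self.check_params = check_params
        self.object_depth = 0  # >0 while inside an <object>
        self.findings = []     # (location, value) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "object":
            self.object_depth += 1
            data = attrs.get("data") or ""
            if is_untrusted_reference(data):
                self.findings.append(("object.data", data))
        elif tag == "param" and self.object_depth and self.check_params:
            value = attrs.get("value") or ""
            if is_untrusted_reference(value):
                self.findings.append(("param.value", value))

    def handle_startendtag(self, tag, attrs):
        # <param ... /> is commonly written self-closing.
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag == "object" and self.object_depth:
            self.object_depth -= 1


def object_references(markup, check_params=True):
    """Return the untrusted references an <object> in markup would load."""
    scanner = ObjectScanner(check_params)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, sample in (("bypass", BYPASS_SAMPLE),
                         ("direct", DIRECT_SAMPLE),
                         ("benign", BENIGN_SAMPLE)):
        print(name,
              "data-only:", object_references(sample, check_params=False),
              "with params:", object_references(sample))
```

Run as a script, the DATA-only pass reports nothing for the bypass sample while the PARAM-aware pass flags the off-site value; a PARAM outside any OBJECT is ignored in both modes, so the stricter check does not simply flag every PARAM on the page.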


The MSHTML (Trident) Host Security FAQ

I’ve posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it out over at the SRD blog!
The MSHTML Host Security FAQ: Part I of II
The MSHTML Host Security FAQ: Part II of II

New webappsec tools

Chris Weber’s Watcher: http://www.lookout.net/2009/03/20/watcher-security-tool-a-free-web-app-security-testing-and-compliance-auditing-tool/
Watcher plugs into the Fiddler HTTP proxy and passively monitors traffic for all sorts of web app vulns, from the common to the obscure.
Gareth Heyes’ XSS Rays: http://www.thespanner.co.uk/2009/03/25/xss-rays/
XSS Rays runs in the browser as a bookmarklet and scans the current page for XSS on demand.


IE8 is here!

http://www.microsoft.com/ie What are you waiting for?  Go get it!


XSS Filter Improvements in IE8 RC1

I’ve just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.


Video Roundup (Martin Johns and more!)

Recently I got Martin Johns connected with Helen Wang’s group in Microsoft Research. Check out Martin’s excellent talk @MSR, Secure Code Generation for Web Applications. Here are a few other gems I discovered on content.digitalwell.washington.edu:
Techniques and Tools for Engineering Secure Web Applications, Gary Wassermann, 3/13/2008
Improving Software Security with Precise Static and Runtime Analysis, Benjamin Livshits, 6/26/2006…