Current Thoughts on DNS Rebinding

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding.  As you may recall, an attacker can’t abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session.  The gist of what these guys are talking about is how the attacker can…


Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets.  If you’ve followed Chris Weber, Scott Stender, or Yosuke Hasegawa’s work, you know that even Unicode is…  interesting.  But at least in the Unicode world there are standards and evolving best practices dictating how…
