Giorgio Maone’s new ABE project looks pretty cool. Exposing the loose and often unnecessary boundaries between web applications shines a different light on some old problems in web application security.  Enforcing greater formalization and limiting the attack surface presented by these boundaries is a great thing. Yeah, yeah, I know, Giorgio doesn’t like us, etc…, whatever.  😉



Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS.  Stay tuned to noxss.org for a new browser extension based on this technology.  The XSSDS approach is similar in some ways to the IE8 XSS Filter approach, although it’s worth noting that until recently Martin’s team had…


IE8 Beta 2

If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality.  This project wouldn’t have been possible without your hard work, support, leadership, guidance, brainstorming, pentesting, coding, and testing. THANK YOU: Zhenya and…


IE 8 XSS Filter Architecture / Implementation revealed + some other news

I’ve just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation over on the SWI Blog.  It would be great to get some feedback and answer any questions you may have — just drop me a mail using the Email link to the left. In other news, Gareth Heyes has been spending some time testing the XSS Filter implementation.  Gareth has written…


IE8 XSS Filter design philosophy in-depth

It’s great to see some positive reaction to the potential of our XSS Filter.  Now we just need to deliver! In this blog post I’ll try to shed some light on our design philosophy. To understand how we have arrived at our current filtering approach, it is useful to look back to the XSS Filter’s…


IE8 goes on the offensive against XSS!

IE has announced the new XSS Filter feature which will debut in IE8 Beta 2!  Stay tuned to my blog in the coming weeks for more details on how the filter works, its history, its limitations, and some lessons learned during the development process.


Lead my team!

My team (SWI React) is hiring for a lead position.  Details: Job Title: Lead Software Development Engineer Job Category: Software Development Product: Trustworthy Computing Date Posted: 02/16/2008 Job Code: 223577 Location: WA – Redmond Travel Required:    Do you consider yourself a hacker? Is breaking code a passion? And more importantly, can you teach others how to leverage your thinking? Microsoft’s…


XSS-Focused Attack Surface Reduction

All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that XSS attacks can leverage to achieve script execution.  The best and most well regarded list of these behaviors is RSnake’s XSS Cheat Sheet. The existence of these attack vectors can at minimum present a challenge to filters and…


The Kill-Bit FAQ – Part 1 of 3 posted to SVRD blog

Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog.  There are three parts, the first of which is now live.  Parts two and three should be up by the end of the week.