One of the more interesting aspects of so called 'Rich Internet Applications' involves User Interface Markup Languages such as XUL (By Mozilla, been around awhile) and XAML/XBAP (.NET 3.0 the new kid on the block). Essentially these languages allow you to 'paint' buttons, menu bars, grids, forms, messageboxes, and other GUI components...
Wikipedia's founder has announced a search engine allowing users to control the search results in a way similar to how digg works. I dabble in Search Engine Optimization (SEO) and I expect a huge shift if the other major search engines such as google and yahoo adopt similar models. Typically people will...
We've been stating for years 'developers need to learn to code securely' sure this is great, however is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching however rather than simply focusing on those paying attention we should start babysitting the remaining majority. So how do you watch...
"Perhaps PHP should stand for Pretty Hard to Protect: A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based Web applications." ... "The concerns come as attackers and security researchers have increasingly focused on...
I assisted Jeremiah Grossman and Rsnake in compiling a list of application security issues in the year 2006 that can be found on Jeremiah's blog. That is all.
Ok I know I'm a little early but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them, however read them over and give them some thought. Rich Internet Applications (RIA) .net 3.0 WPF and Adobe Flex The next big...
Apparently Stefan Esser (a key player in PHP's Security Response Team) has called it quits. Steffen is known for finding various vulnerabilities in PHP and working with the PHP Security team to identify and prevent issues in PHP itself. From his blog (Mirroring since his site appears to be getting slammed hard):...
"The recent wave of Web worms on MySpace and other social networking sites represent a new generation of more sophisticated worms -- ones that employ the pervasive cross-site scripting (XSS) flaws found on many Websites. Early worms were more for wreaking havoc and proof-of-concept purposes (think Code Red and Melissa), but the...
The Web Application Security Consortium is proud to present 'MX Injection: Capturing and Exploiting Hidden Mail Servers' written by Vicente Aguilera Diaz of Internet Security Auditors. In this article Vicente discusses how an attacker can inject additional commands into an online web mail application communicating with an IMAP/SMTP server. Article Link: http://www.webappsec.org/projects/articles/121106.shtml
"But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users...
"A while ago on the Spywareguide Blog, I covered a technique being used in Peer to Peer land involving URLs being embedded in Quicktime movies, which would then pop open a website. This has now been taken to the next level, with an intensive and seemingly never ending Phish attack, the sole...
" The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced Web application developers and security experts have...
