March 8, 2010 - 21:15 CET A lot of flash and flex applications use an XML-file for configuration. The XML-file sets up which texts and images to show. However if we don't pay attention, this flash application can be abused for phishing or spam, because the attacker can specify which file to use in the flash - a client-side RFI (Remote File Inclusion). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid.
[...]

March 1, 2010 - 19:37 CET To allow a Silverlight application to fetch data across domains, Silverlight employs a security policy in called clientaccesspolicy.xml. The policy allows a server admin to specify whether or not a Silverlight application running on a given domain is allowed to connect to the server to read data on behalf of the user. Unfortunately some people specify an unrestricted clientaccesspolicy.xml, which allows any server to make requests on behalf of the user, and thus allows a malicious Silverlight application to steal user data or perform actions on behalf of the user.
[...]

February 21, 2010 - 21:36 CET Most web browsers implement the Same Origin Policy which limits how javascript etc. can interact across domains. Without this policy an attacker could setup a site, and if tricked into visiting it, the attacker could read data from all your logged in sessions (gmail, banking etc.) and perform actions against those sites on your behalf. This policy was seen as a bit to restrictive for flash/flex/silverlight which may need to read data from other domains. Adobe introduced the cross domain policy to address this concern. Unfortunately a lot of sites are not paying attention to what this policy really means.
[...]

February 8, 2010 - 13:05 CET As shown in several articles and mailinglists lately, input validation is also required when developing flash files. However a lot of sites already have a lot of existing flash files, to which they may or may not have the source code available, possibly because it was created by a 3rd party. However there is still hope.
[...]

February 8, 2010 - 12:23 CET Recently there has been a lot of fuzz about security problems in flash files. At the recent Blackhat DC 2010 Mike Bailey also discussed this very topic. These problems are not new, but have somehow avoided getting much focus earlier. Input validation and output escaping in flash seem to be ignored.
[...]

November 30, 2009 - 20:57 CET If you are in an agile team (Scrum or Kanban) and the team is distributed, it might be hard to find a good solution for the agile board. The solution might be an electronic version. Why not build your own?
[...]

November 29, 2009 - 17:31 CET In my previous posts JSONp - What's the risk? and Web2.0 - Who do you trust? I talked about the potential security problems that can occur when adding script tags and/or using jsonp. In this post I will show a couple of demos.
[...]

November 19, 2009 - 18:53 CET When it was first introduced, Mozilla Content Security Policy (CSP) seemed at bit interesting when developing new applications, but I couldn't really see any benifit for already existing apps, as they would have they would have to rewrite a lot of the code. However after many of the newer additions, I think this can help severely reduce the effect of many attacks.
[...]

October 5, 2009 - 17:36 CEST I just read about CSSHttpRequest (or AJACSS as it's also know) - a new way to do cross domain request like JSONp, but without using dynamic javascript tags.
[...]

October 5, 2009 - 17:36 CEST Using JSONp imposes some risk on your system, whether you are a providing data or using data published as JSONp.
[...]