August 31, 2010 - 22:26 CEST

The brand new Rails 3.0 by default escapes data used in views. This is great news, because it hopefully means the applications will be protected from XSS by default, as long as you stick to the built-in helpers (UrlHelper etc.).

[...]

July 6, 2010 - 19:45 CEST My previous post explained how NOSQL-injection can occur when using NOSQL-databases. I showed an example using MongoDB. In this post I'll show you how to protect your application.
[...]

June 27, 2010 - 22:00 CEST As described by Wikipedia, NOSQL is a movement promoting a loosely defined class of non-relational data stores that break with a long history of relational databases. These types of databases are quickly gaining popularity in the Web2.0 world, including sites like Facebook and Digg.
[...]

May 18, 2010 - 22:30 CEST Just thought I'd do a small blogpost about some of the security podcasts I'm currently subscribing to.

[...]

April 5, 2010 - 12:02 CEST Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by malicious RIAs - or MalaRIAs - to perform actions on behalf of the user. For this PoC (proof of concept) I setup a malicious RIA to act as a proxy by comibining it with a server side application. This would allow the attacker to use the combined solution as a proxy and surf web sites with unrestricted cross domain policies through the victim's browser.
[...]

March 22, 2010 - 13:59 CET

In an IdP/SP (Identity Provider/Service Provider) Single Sign-On scenario, you might also want to have Single Sign-Out, meaning you can log out of all SPs with a single click.

[...]

March 8, 2010 - 21:15 CET A lot of flash and flex applications use an XML-file for configuration. The XML-file sets up which texts and images to show. However if we don't pay attention, this flash application can be abused for phishing or spam, because the attacker can specify which file to use in the flash - a client-side RFI (Remote File Inclusion). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid.
[...]

March 1, 2010 - 19:37 CET To allow a Silverlight application to fetch data across domains, Silverlight employs a security policy in called clientaccesspolicy.xml. The policy allows a server admin to specify whether or not a Silverlight application running on a given domain is allowed to connect to the server to read data on behalf of the user. Unfortunately some people specify an unrestricted clientaccesspolicy.xml, which allows any server to make requests on behalf of the user, and thus allows a malicious Silverlight application to steal user data or perform actions on behalf of the user.
[...]

February 21, 2010 - 21:36 CET Most web browsers implement the Same Origin Policy which limits how javascript etc. can interact across domains. Without this policy an attacker could setup a site, and if tricked into visiting it, the attacker could read data from all your logged in sessions (gmail, banking etc.) and perform actions against those sites on your behalf. This policy was seen as a bit to restrictive for flash/flex/silverlight which may need to read data from other domains. Adobe introduced the cross domain policy to address this concern. Unfortunately a lot of sites are not paying attention to what this policy really means.
[...]

February 8, 2010 - 13:05 CET As shown in several articles and mailinglists lately, input validation is also required when developing flash files. However a lot of sites already have a lot of existing flash files, to which they may or may not have the source code available, possibly because it was created by a 3rd party. However there is still hope.
[...]