comments (not for humans)
My previous post explained how NOSQL-injection can occur when using NOSQL-databases. I showed an example using MongoDB. In this post I'll show you how to protect your application.

[...]
As described by Wikipedia, NOSQL is a movement promoting a loosely defined class of non-relational data stores that break with a long history of relational databases. These types of databases are quickly gaining popularity in the Web2.0 world, including sites like Facebook and Digg.

[...]
O3tker twittered about a framework Microsoft has created called Pex for automatically generating unit tests with high test coverage. There is a video of it here: http://channel9.msdn.com/posts/Peli/Getting-started-with-Pex-in-Visual-Studio-2008/.

[...]
Just thought I'd do a small blogpost about some of the security podcasts I'm currently subscribing to.


[...]
Unrestricted crossdomain.xml and clientaccesspolicy.xml files can be abused by malicious RIAs - or MalaRIAs - to perform actions on behalf of the user. For this PoC (proof of concept) I set up a malicious RIA to act as a proxy by combining it with a server-side application. This would allow the attacker to use the combined solution as a proxy and surf web sites with unrestricted cross-domain policies through the victim's browser.

[...]

In an IdP/SP (Identity Provider/Service Provider) Single Sign-On scenario, you might also want to have Single Sign-Out, meaning you can log out of all SPs with a single click.


[...]
Microsoft recently released the SDL for agile.

[...]
A lot of Flash and Flex applications use an XML file for configuration. The XML file sets up which texts and images to show. However, if we don't pay attention, such a Flash application can be abused for phishing or spam, because the attacker can specify which file the application loads - a client-side RFI (Remote File Inclusion). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid.
[...]
To allow a Silverlight application to fetch data across domains, Silverlight employs a security policy file called clientaccesspolicy.xml. The policy allows a server admin to specify whether or not a Silverlight application running on a given domain is allowed to connect to the server to read data on behalf of the user. Unfortunately some people specify an unrestricted clientaccesspolicy.xml, which allows any server to make requests on behalf of the user, and thus allows a malicious Silverlight application to steal user data or perform actions on behalf of the user.
[...]
Most web browsers implement the Same Origin Policy, which limits how JavaScript etc. can interact across domains. Without this policy an attacker could set up a site and, if you were tricked into visiting it, read data from all your logged-in sessions (Gmail, banking etc.) and perform actions against those sites on your behalf. This policy was seen as a bit too restrictive for Flash/Flex/Silverlight, which may need to read data from other domains. Adobe introduced the cross-domain policy to address this concern. Unfortunately a lot of sites are not paying attention to what this policy really means.
[...]