comments (not for humans)
As shown in several articles and mailinglists lately, input validation is also required when developing flash files. However a lot of sites already have a lot of existing flash files, to which they may or may not have the source code available, possibly because it was created by a 3rd party. However there is still hope.
[...]
Recently there has been a lot of fuzz about security problems in flash files. At the recent Blackhat DC 2010 Mike Bailey also discussed this very topic. These problems are not new, but have somehow avoided getting much focus earlier. Input validation and output escaping in flash seem to be ignored.
[...]
If you are in an agile team (Scrum or Kanban) and the team is distributed, it might be hard to find a good solution for the agile board. The solution might be an electronic version. Why not build your own?
[...]
In my previous posts JSONp - What's the risk? and Web2.0 - Who do you trust? I talked about the potential security problems that can occur when adding script tags and/or using jsonp. In this post I will show a couple of demos.
[...]
When it was first introduced, Mozilla Content Security Policy (CSP) seemed at bit interesting when developing new applications, but I couldn't really see any benifit for already existing apps, as they would have they would have to rewrite a lot of the code. However after many of the newer additions, I think this can help severely reduce the effect of many attacks.
[...]
I just read about CSSHttpRequest (or AJACSS as it's also know) - a new way to do cross domain request like JSONp, but without using dynamic javascript tags.
[...]
Using JSONp imposes some risk on your system, whether you are a providing data or using data published as JSONp.
[...]
What happens if you submit the same parameter twice in an HTTP request? This is what Luca Carettoni and Stefano Dipaola asked themselves. And the answer they found, which was presented at OWASP AppSecEU09, was both scary and interesting.
[...]
Last week I attended and spoke at the OWASP AppSec09 conference in Krakow. It was a four day conference with two days of training and two days of presentations.
[...]
"That does not mean, however, that blocking < and > when ouputting user data in javascript isn't necessary", David said.
[...]