The brand new Rails 3.0 escapes data used in views by default. This is great news, because it hopefully means applications will be protected from XSS out of the box, as long as you stick to the built-in helpers (UrlHelper etc.).
March 8, 2010 - 21:15 CET
A lot of Flash and Flex applications use an XML file for configuration. The XML file sets up which texts and images to show. However, if we don't pay attention, such a Flash application can be abused for phishing or spam, because the attacker can specify which configuration file the Flash loads - a client-side RFI (Remote File Inclusion). Luckily this is not as dangerous as server-side RFI, but it's still something you want to avoid. [...]
February 8, 2010 - 13:05 CET
As shown in several articles and mailing lists lately, input validation is also required when developing Flash files. However, a lot of sites already have many existing Flash files for which they may or may not have the source code available, possibly because they were created by a 3rd party. There is still hope, though. [...]
February 8, 2010 - 12:23 CET
Recently there has been a lot of fuss about security problems in Flash files. At the recent Blackhat DC 2010, Mike Bailey also discussed this very topic. These problems are not new, but have somehow avoided getting much attention earlier. Input validation and output escaping in Flash seem to be ignored. [...]
November 29, 2009 - 17:31 CET
In my previous posts JSONp - What's the risk? and Web2.0 - Who do you trust? I talked about the potential security problems that can occur when adding script tags and/or using JSONp. In this post I will show a couple of demos. [...]
November 19, 2009 - 18:53 CET
When it was first introduced, Mozilla Content Security Policy (CSP) seemed a bit interesting when developing new applications, but I couldn't really see any benefit for already existing apps, as they would have to rewrite a lot of the code. However, after many of the newer additions, I think it can help severely reduce the effect of many attacks. [...]
October 5, 2009 - 17:36 CEST
I just read about CSSHttpRequest (or AJACSS as it's also known) - a new way to do cross-domain requests like JSONp, but without using dynamic JavaScript tags. [...]
April 22, 2009 - 17:28 CEST
"That does not mean, however, that blocking < and > when outputting user data in JavaScript isn't necessary", David said. [...]