March 22, 2010 - 13:59 CET
In an IdP/SP (Identity Provider/Service Provider) Single Sign-On scenario, you might also want to have Single Sign-Out, meaning you can log out of all SPs with a single click.
[...]
February 8, 2010 - 13:05 CET
As shown in several articles and mailing lists lately, input validation is also required when developing Flash files. However, a lot of sites already have many existing Flash files for which they may or may not have the source code, possibly because they were created by a third party. There is still hope, though.
[...]
February 8, 2010 - 12:23 CET
Recently there has been a lot of fuss about security problems in Flash files. At the recent Blackhat DC 2010, Mike Bailey also discussed this very topic. These problems are not new, but have somehow avoided getting much focus earlier. Input validation and output escaping in Flash seem to be ignored.
[...]
November 29, 2009 - 17:31 CET
In my previous posts JSONp - What's the risk? and Web2.0 - Who do you trust? I talked about the potential security problems that can occur when adding script tags and/or using JSONP. In this post I will show a couple of demos.
[...]
November 19, 2009 - 18:53 CET
When it was first introduced, Mozilla Content Security Policy (CSP) seemed a bit interesting when developing new applications, but I couldn't really see any benefit for already existing apps, as they would have to rewrite a lot of the code. However, after many of the newer additions, I think this can help severely reduce the effect of many attacks.
[...]
October 5, 2009 - 17:36 CEST
I just read about CSSHttpRequest (or AJACSS as it's also known) - a new way to do cross-domain requests like JSONP, but without using dynamic JavaScript tags.
[...]
October 5, 2009 - 17:36 CEST
Using JSONP imposes some risk on your system, whether you are providing data or consuming data published as JSONP.
[...]
June 15, 2009 - 22:31 CEST
What happens if you submit the same parameter twice in an HTTP request? This is what Luca Carettoni and Stefano Di Paola asked themselves. And the answer they found, which was presented at OWASP AppSecEU09, was both scary and interesting.
[...]
May 19, 2009 - 22:47 CEST
Last week I attended and spoke at the OWASP AppSec09 conference in Krakow. It was a four day conference with two days of training and two days of presentations.
[...]
April 22, 2009 - 17:28 CEST
"That does not mean, however, that blocking < and > when outputting user data in JavaScript isn't necessary", David said.
[...]