My Security Planet » CGISecurity.com: Your Web Site and Application Security Resource » December 14, 2008

Feeds

13607 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

CGISecurity.com: Your Web Site and Application Security Resource

• 

  XMLHttpRequest will be more secure in the future

  Posted: December 14th, 2008, 10:42pm CST by Robert

  Tags:  Development   [edit]

  "Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors.The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/• prevents creating set-cookie/2 headers via setRequestHeader() in a case insensitive way. (but XHR is...
• 

  Writing a web services fuzzer in 5 minutes to SQL injection

  Posted: December 14th, 2008, 10:40pm CST by Robert

  Tags:  Security Tools   [edit]

  From tssci"This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn’t have much time to do the test, so I had a couple advantages, like having network access to the service,...
• 

  Executing scripts with non-english characters

  Posted: December 14th, 2008, 10:38pm CST by Robert

  Tags:  Defense   [edit]

  There is a write up at Coding Insecurity on filtering non ascii characters to prevent XSS attacks."I have been working on a medium-sized development project lately and, came across a peculiar phenomenon where I could execute scripts on a page without the use of less-than () symbols. Instead...