Posts tagged: Web Application... » Computer Security

Happy 10th birthday Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers: Unauthorized Site Scripting Unofficial Site Scripting URL Parameter Script Insertion Cross Site Scripting Synthesized

Current Thoughts on DNS Rebinding

RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding. As you may recall, an attacker can't abuse your Foo.com cookies in a rebinding attack, though they can walk your browser around Foo.com content and control the session.
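The point above (cookies are scoped by host name, so the attacker's rebound origin reaches Foo.com's server without the victim's cookie, yet can read the responses and pick the session itself) is easier to see in a small model. The following is an added example, not code from the original post or from RSnake's or Kaminsky's work: a toy resolver that swaps attacker.example from the attacker's address to Foo.com's after the first lookup, a toy browser that keys cookies and same-origin readability by host name, and a toy Foo.com server. All host names, IP addresses and session values are constructed; `serverChecksHost` models the usual mitigation of rejecting requests whose Host header is not the server's own name.

```javascript
// Added example: a model of DNS rebinding and session fixation. Nothing here
// talks to a network; hosts, addresses and session ids are constructed.
const FOO_IP = "203.0.113.10";              // constructed: Foo.com's server
const ATTACKER_IP = "198.51.100.5";         // constructed: attacker's server
const VICTIM_SESSION = "victim-session-42"; // constructed: cookie the victim already holds

// Resolver whose answer for attacker.example flips to Foo.com's address after
// the first lookup (a short-TTL record swapped out: the "rebinding").
function makeRebindingResolver() {
  let lookups = 0;
  return function resolve(host) {
    if (host === "foo.com") return FOO_IP;
    if (host === "attacker.example") return lookups++ === 0 ? ATTACKER_IP : FOO_IP;
    throw new Error("unknown host " + host);
  };
}

// Foo.com's server: serves the account page for whatever session it is handed,
// via cookie or (session fixation) via a URL parameter. With checkHost set it
// refuses requests whose Host header is not its own name.
function fooServer(req, checkHost) {
  if (checkHost && req.headers.host !== "foo.com") {
    return { status: 421, body: "misdirected request" };
  }
  const session = req.cookies.session || req.query.sid;
  return { status: 200, body: session ? "account page for session " + session : "login page" };
}

// Browser model: the cookie jar is keyed by host name, a page's script may read
// a response only when the request host equals the page's origin, and the TCP
// connection goes to whatever address the resolver returns right now.
function makeBrowser(resolve, serverChecksHost) {
  const jar = { "foo.com": { session: VICTIM_SESSION } }; // victim is logged in to Foo.com
  return {
    fetchFromPage(pageOrigin, host, path, query) {
      const ip = resolve(host);
      const req = { headers: { host }, path, cookies: jar[host] || {}, query: query || {} };
      const resp = ip === FOO_IP ? fooServer(req, serverChecksHost)
                                 : { status: 200, body: "attacker page" };
      return {
        ip,
        cookiesSent: Object.keys(req.cookies),
        readable: pageOrigin === host,
        status: resp.status,
        body: resp.body,
      };
    },
  };
}

// The attack sequence as seen from the attacker's page at attacker.example.
function runRebinding(serverChecksHost) {
  const browser = makeBrowser(makeRebindingResolver(), serverChecksHost);
  const attacker = "attacker.example";
  return {
    // 1. victim loads the attacker's page; name resolves to the attacker's box
    landing: browser.fetchFromPage(attacker, attacker, "/", {}),
    // 2. the record has been swapped: same name, now Foo.com's address.
    //    No Foo.com cookie is sent (jar is keyed by name), but the response is
    //    readable because the request host matches the page origin.
    rebound: browser.fetchFromPage(attacker, attacker, "/account", {}),
    // 3. the attacker supplies a session id of its own choosing and reads the
    //    resulting page: the session is under the attacker's control.
    fixated: browser.fetchFromPage(attacker, attacker, "/account", { sid: "attacker-session" }),
    // 4. for contrast: a request to foo.com by name carries the victim's cookie
    //    but is cross-origin, so the attacker's script cannot read it.
    direct: browser.fetchFromPage(attacker, "foo.com", "/account", {}),
  };
}
```

With `serverChecksHost` true, steps 2 and 3 come back as 421 because the Host header says attacker.example, while the genuine foo.com request still succeeds; that is the check a Foo.com operator would want in front of anything reachable by IP alone.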

Thoughts on Legacy Character Sets

One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character sets. If you've followed Chris Weber, Scott Stender, or Yosuke Hasegawa's work, you know that even Unicode is... interesting. But at least in the Unicode

New webappsec tools

Chris Weber's Watcher: http://www.lookout.net/2009/03/20/watcher-security-tool-a-free-web-app-security-testing-and-compliance-auditing-tool/ Watcher plugs into the Fiddler HTTP proxy and monitors for all sorts of web app vulns, from the common to the obscure.

XSS Filter Improvements in IE8 RC1

I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter feature in IE8 RC1.

Video Roundup (Martin Johns and more!)

Recently I got Martin Johns connected with Helen Wang's group in Microsoft Research. Check out Martin's excellent talk @MSR, Secure Code Generation for Web Applications. Here are a few other gems I discovered on content.digitalwell.washington.edu: Techniques

ABE

Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary boundaries between web applications shines a different light on some old problems in web application security. Enforcing greater formalization and limiting the

XSSDS

Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent paper on a new Cross-site Scripting detection system called XSSDS. Stay tuned to noxss.org for a new browser extension based on this technology. The XSSDS

IE8 Beta 2

If you haven't already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to thank everyone who helped make the IE8 XSS Filter a reality. This project wouldn't have been possible without your hard work, support, leadership, guidance,

IE 8 XSS Filter Architecture / Implementation revealed + some other news

I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation over on the SWI Blog. It would be great to get some feedback and answer any questions you may have -- just drop me a mail using the Email link to the left.

IE8 XSS Filter design philosophy in-depth

It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to deliver! In this blog post I'll try to shed some light on our design philosophy. To understand how we have arrived at our current filtering approach, it is

IE8 goes on the offensive against XSS!

IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in the coming weeks for more details on how the filter works, its history, its limitations, and some lessons learned during the development process.

XSS-Focused Attack Surface Reduction

All web browsers expose what have been referred to as XSS "attack vectors" – various techniques that XSS attacks can leverage to achieve script execution. The best and most well regarded list of these behaviors is RSnake's XSS Cheat Sheet. The existence

MashupOS

The standard IFRAME-based isolation technique for web apps is starting to show its age. We need something better! Microsoft Research has posted a new paper scheduled to appear at SOSP '07: Protection and Communication Abstractions for Web Browsers in

Pinning / Rebinding / Quick-Swap DNS Links

A group at Stanford has been researching these issues and recently published Protecting Browsers from DNS Rebinding Attacks. Also, Dan Kaminsky has published his slides from Black Hat 2007, Black Ops 2007: Design Reviewing The Web.