Alert
07-05-2008 19:17
Microsoft Fixes Feature.

I read that in the latest MSIE7 patch round, they fixed the UXSS image issue[1] I talked about in early 2007. The attack was pretty easy to perform. Here is how it works, in case you didn't know about it.
First, you create an image. If you have Photoshop, which is the quickest way, you can set a watermark inside the image as metadata. Inside the copyright field you can enter whatever you like. HTML, Javascripts, Iframes that fetch Trojans. To Firefox and Opera users, the image will
>>
Full text: 0x000000
07-03-2008 12:03
NoScript’s Anti-XSS Filters Partially Ported to IE8

I’m happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not to notice the resemblances of “XSS Filter” with NoScript’s Anti-XSS Protection, the most striking being their non-blocking approach: loading the target page in a “neutralized” form and emitting a warning as an info-bar, which doesn’t require interaction and therefore doesn’t necess >>
Full text: Feed!
07-04-2008 8:55
IE8 XSS Filter design philosophy in-depth

It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to deliver!
In this blog post I’ll try to shed some light on our design philosophy.
To understand how we have arrived at our current filtering approach, it is useful to look back to the XSS Filter’s very beginnings. Version 1.0 of the XSS Filter prototype, originally released within Microsoft back in 2002, provided users with the following (ugly!) prompt:
Clearly this
>>
Full text: Microsoft
07-07-2008 5:04
Opera Arioso!

So, my dear Firefox and Explorer fanboys :) I have something special today for Opera users only. I'm pretty excited by Opera's Userscripts that allow you to write Javascript files that are far richer than Greasemonkey Userscripts - which is also supported by Opera - I've written a security plugin for Opera last night, that attempts to mitigate various Javascript attack vectors. But, one problem for writing a security plugin is that we usually need to process a script before it gets ren
>>
Full text: 0x000000