This is a wonderful post from Matasano Security about the implications of Google Native Client. The post explains in detail the difference between Google Native Client (NaCl) and ActiveX.
Read it at Matasano Security.
May 26, 2009
May 21, 2009
Anatomy of a Cross-site Request Forgery Attack
So far, this is the best article articulating our well-beloved Cross-site Request Forgery (CSRF) attack.
A Cross-site request forgery attack, also known as CSRF or XSRF (pronounced sea-surf), is the less well known, but equally dangerous, cousin of the Cross Site Scripting (XSS) attack. With XSRF, the attacker makes use of the victim's browser to perform a transaction (GET or POST) on the attacker's behalf against a vulnerable site that the victim authenticated to earlier.
The article gives an example of how XSRF works with a POST request, and provides a few suggestions for mitigation:
- Validate the Referer header (not 100% recommended).
- Implement a "canary" in the form (typically a hidden input) that the attacker couldn't know or compute.
- Set ViewStateUserKey to make ViewState more tamper-resistant.
- Remember that "POST-only" isn't a protection against XSRF.
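The "canary" mitigation from the list above, as an added example (not code from the linked article): the server mints an unguessable per-session token, embeds it as a hidden input, and rejects any POST whose token is missing or does not match. The session store and form are constructed stand-ins for whatever the web framework provides.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store (hypothetical); a real app uses its framework's session.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Mint (or reuse) the per-session canary that the form carries as a hidden input."""
    session = SESSIONS.setdefault(session_id, {})
    if "csrf_token" not in session:
        # 256 bits from the OS CSPRNG: an attacker cannot know or compute it.
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(session_id):
    """Return the HTML form with the canary embedded as a hidden field."""
    token = issue_csrf_token(session_id)
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="amount"><input name="to"><button>Send</button></form>'
    )


def validate_post(session_id, form_fields):
    """Server-side check run before the transaction is executed.

    A cross-site form post still carries the victim's session cookie, but the
    attacker's page cannot read the victim's token, so the submitted value is
    absent or wrong and the request is refused. The comparison is constant-time
    so the token cannot be leaked byte by byte through timing.
    """
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    submitted = form_fields.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False
    return True
```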
May 6, 2009
May 5, 2009
BSOD Survival Guide
Tags: BSOD
Security Breach on Twitter
Twitter has now confirmed that there was unauthorised access to its administration interface. The French blog Korben has published screenshots which show details of the accounts belonging to Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.
See more detail at Twitter blog and here.