Channel: Security – CodeUtopia
Browsing all 12 articles

Preventing cross-site scripting attacks

Originally posted in my old blog at My Opera. Cross-site scripting attacks, also known as XSS attacks, are a type of vulnerability found in some web sites. For example, if your blog comment box allows...

Sandboxing Rhino in Java

I’ve been working on a Java app which needed Rhino for scripting. The app would need to run untrusted JavaScript code from 3rd parties, so I had to find a way to block access to all Java methods,...

How to get free publicity by screwing up your friendly URL algorithm

Today I’ll share a fun story with you. Would you like to get free publicity? Go ahead and make a poor friendly URL implementation, like the Finnish Broadcasting Corporation, or YLE – the national...

Did you think your site validated input properly? Think again!

You’ve written a PHP based web app, and you’ve made sure it doesn’t cause errors if the user submits unexpected values via any URLs or forms. But there’s something you quite likely forgot to test: What...

Password policies generally suck

The other day I was talking with someone about passwords. They had a policy that you are not allowed to use your old passwords again, and that got me thinking: Is this actually improving or reducing...

Library author: Don’t provide an exploitable interface

SQL injection is a pretty big deal. Its cousin shell injection is also a common issue, demonstrated quite well by a recent post to the PHP reddit. Although some suspect it was a troll, I heard echoes...
