Search / 51 posts tagged cross-site
Prominent Web sites have serious coding flaw
http://newsclick.biz/node/128368
Two Princeton University academics have found a type of coding flaw on several prominent Web sites that could jeopardize personal data and in one alarming case, drain a bank account. The type of flaw, called cross-site request forgery (CSRF), allows an attacker to perform actions on a Web site on
XSF & XSS: Double your pleasure, double your fun
http://holisticinfosec.blogspot.com/2008/09/xsf-xss-double-your-pleasure-doub…
If you've read this blog, or those of my peers, you're likely quite familiar with cross-site scripting, and the problems associated with open redirect vulnerabilities. A vulnerability you may be less familiar with is cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
Top Five Web Application Vulnerabilities 9/2/08 - 9/14/08
http://www.communities.hp.com/securitysoftware/blogs/top5/archive/2008/09/…
1) Joomla! Multiple Remote Vulnerabilities and Weaknesses: Joomla! is susceptible to multiple remote vulnerabilities which are exploitable via a browser. Remote attackers can leverage these issues to conduct phishing attacks, redirect victims to attacker-controlled sites, and send unsolicited spam.
HttpOnly cookies in Python & Pylons
http://glyphobet.net/blog/blurb/285
Thanks to Jeff Atwood for posting about the benefits of the HttpOnly flag on cookies. Support for HttpOnly cookies has now been added to Python 2.6's Cookie module, and Paste's WSGIResponse. Pylons applications can now use the HttpOnly flag to protect cookies, significantly raising the bar against XSS attacks on users of those applications.
Devollo.com: Data Filtering Using PHP's Filter Functions - Part ...
http://computer-internet.marc8.com/devollo-com-data-filtering-using-phps-filter…
On Devollo.com the first part of a series looking at something every PHP developer (or any other for that matter) should include in their application - data filtering.
CSRF Vulnerability in Twitter Allows Forced Following
http://www.darknet.org.uk/2008/09/csrf-vulnerability-in-twitter-allows-forced…
I did mention this earlier in the week when I was talking about Twitter being used as a malware distribution platform, there also seems to be an auto follow vulnerability that spammers would love. Do you remember Myspace and samy with 900,000 friends?
Ultimate Attack Vectors - Web Browsers
http://preachsecurity.blogspot.com/2008/09/ultimate-attack-vectors-web-browse…
Talking about web application security lately is making me nuts. It's been about what, 12 years since we security folks started preaching about "firewalls", right? That took at least 5 years before anyone started taking firewalls with any serious thought - and now it's just a matter of need when building a network.
[2/5] Sun Java System Portal Server Cross-Site Scripting Vulnera...
http://motd.ambians.com/news/2-5-sun-java-system-portal-server-cross-site-scri…
Description: A vulnerability has been reported in Sun Java System Portal Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
How to Fix a SQL Injection Attack
http://www.simonwhatley.co.uk/how-to-fix-a-sql-injection-attack
In my previous post, What is a SQL Injection Attack, I gave a brief overview of SQL injection and Cross-Site Scripting (XSS), primarily with regard to websites. In the example given, we saw that an attack could take the form of a 'hacked' URL which contained either a literal SQL statement, or a hexadecimal string that could be interpreted by an insecure SQL database server.
What is a SQL Injection Attack
http://www.simonwhatley.co.uk/what-is-a-sql-injection-attack
Over the past few weeks, subversive elements in the international arena have decided that attacking websites is a fun thing to do! The online world has become the new battle ground between nations vying to de-stabilise rivals.