I would like to create a widget so that my visitors can display it on their blog/website.
I would like to use jQuery and JSONP to develop this widget.
I know how to avoid conflicts between jQuery and other libraries (like prototype).
But what will happen if jQuery is already installed on my visitors' websites and if their version is d...
Say we have a form where the user types in various info. We validate the info, and find that something is wrong. A field is missing, invalid email, et cetera.
When displaying the form to the user again I of course don't want him to have to type in everything again so I want to populate the input fields. Is it safe to do this without san...
I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan an application for weaknesses in my applications.
I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microso...
I've been assigned a project for a website where users will be allowed to upload videos (using a YouTube API) but more importantly (for me) they will also be allowed to submit video embed codes (from numerous video sites, YouTube, Vimeo, etc. etc.).
Having no experience with allowing users to embed video:
How can I best protect against...
I'm looking for a complete list of security guidelines for programming and deploying PHP web sites and applications on an Apache (Linux) server. Basically, a "security check list" to run through before finishing a project. I.e.,
Cross Site Scripting
Cross Site Request Forgery
Sanitize form data that goes into database
Disable register ...
I've often wondered -- why use a whitelist as opposed to a blacklist when sanitizing HTML input?
How many sneaky HTML tricks are there to open XSS vulnerabilities? Obviously script tags and frames are not allowed, and a whitelist would be used on the fields in HTML elements, but why disallow most of everything?
...
Hi everybody here,
I want to use mootools and SqueezBox class to handle a request to a RESTful service. I don't want to use any server-side script. I am using AJAX. I send a request to the following url using GET method.
http://www.idevcenter.com/api/v1/links/links-upcoming.json
but I receive a 404 error. Is it because cross-site scripti...
Hey folks
Maybe this isn't really feasible. But basically, I've been developing a snippet-sharing website and I would like it to have a 'live demo area'.
For example, you're browsing some snippets and click the Demo button. A new window pops up which executes the web code.
I understand there are a gazillion security risks involved in...
I was reading about CORS (https://developer.mozilla.org/en/HTTP_access_control) and I think the implementation is both simple and effective.
However, unless I'm missing something, I think there's a big part missing from the spec. As I understand, it's the foreign site that decides, based on the origin of the request (and optionally incl...
Hello,
If you've used Google Wave or iGoogle you have probably seen that you can insert widgets that are made by third parties without approval. My question is: how does it prevent the widget from performing XSS or stealing cookies? Are the widgets loaded in an <iframe>? If yes, then what prevents them from redirecting you to another page?
Th...
By default the form post CSRF protection in Rails creates an authenticity token for a user that only changes when the user's session changes. One of our customers did a security audit of our site and flagged that as an issue.
The auditor's statement was that if we also had an XSS vulnerability then an attacker could grab another user's a...
In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."
Why isn't it enough?
...
Hi,
After doing a long search on Stack Overflow I didn't find anyone who talked about this, even though it's a big choice. The question is: what is best in order to prevent both XSS and SQL injection, escaping the data and then storing it in the DB, or storing it as it is and escaping it when outputting it?
Note: it is better if you give some examples of pra...
I'm basically working on an image analyser that downloads images from another server. I have no control over the server but I only want to scan images, not HTML pages.
Would something like this work?
new URLRequest('http://otherserver.com/someimage.jpg');
Or would I have to use a PHP script to act as a proxy for my script and have the ...
I am writing a Firefox add-on that displays webpages from my server as control and info panels. These panels were written and work in regular URLs, but when I try to access them through a custom protocol (so it's like about:, just myplugin:settings) every XMLHttpRequest returns blank as if I was doing XSS stuff. I know the data's getti...
I'm a developer moving from C# to Java. I heard about a new ASP.NET feature:
<%: %>. It renders an object with HTML encoding. Only those implementing the IHtmlString interface are not encoded (to prevent double encoding).
See more in http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net...
Cited from http://xss-proxy.sourceforge.net/Advanced_XSS_Control.txt:
As many here probably know, current XSS attacks typically come in two flavors:
1 - Attacker uploads tags to a public bulletin board, blog, or other site that
has an XSS vulnerability and that lots of other users will visit. Attacker normally
harvests si...
Hello, I am trying to use the flXHR JavaScript library for making cross-domain calls.
I got stuck at the beginning.
As they say in the docs, I copied the /deploy directory's content to a /scripts directory.
All the dependencies are supposed to be included in the flXHR download.
This is my HTML, which returns several errors:
...
I'd like to enforce a requirement that client script inside a page (which in turn is loaded inside an iframe of another page) will only run when the parent page is on the same top-level domain as the framed page (although it may be on another hostname in that domain). Is this do-able?
I assume that the easy solution of looking at top...
I have JavaScript code that's loaded by 3rd parties. The JavaScript keeps track of a number of metrics, and when a user exits the page I'd like to send the metrics back to my server.
Due to XSS checks in some browsers, like IE, I cannot do a simple jquery.ajax() call. Instead, I'm appending an image src to the page with jquery. Here's t...