Comments on: From the Office of "Real World Software Security" http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/ Security Enlightenment - Mark Curphey Thu, 08 Jan 2009 17:00:14 +0000 http://wordpress.org/?v=MU hourly 1 By: Oulaaa...Non, le XSS (Cross Site Scripting) n'est PAS une fonctionnalité ! , CoqBlog http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11864 Oulaaa...Non, le XSS (Cross Site Scripting) n'est PAS une fonctionnalité ! , CoqBlog Sun, 02 Mar 2008 17:37:13 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11864 [...] du post de Mark Curphey : "  When a customer development team was recently asked to use the AntiXSS library, validate [...] [...] du post de Mark Curphey : “  When a customer development team was recently asked to use the AntiXSS library, validate [...]

]]> By: Cry or Smile? You Decide… | Secure Software Engineering Blog http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11849 Cry or Smile? You Decide… | Secure Software Engineering Blog Tue, 26 Feb 2008 20:15:46 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11849 [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...] [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...]

]]> By: Cry or Smile? You Decide… | Secure Software Engineering Journal http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11839 Cry or Smile? You Decide… | Secure Software Engineering Journal Sat, 23 Feb 2008 22:12:11 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11839 [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...] [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...]

]]> By: Cry or Smile? You Decide… | Secure Software Engineering http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11825 Cry or Smile? You Decide… | Secure Software Engineering Fri, 22 Feb 2008 11:17:34 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11825 [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...] [...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...]

]]> By: Real-word CSRF hack | Mike Andrews http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11651 Real-word CSRF hack | Mike Andrews Sat, 19 Jan 2008 06:45:22 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11651 [...] nearly as much as it should.  With all the other "low hanging fruit", and with examples of cluelessness like this, we’ll probably see more stories of domain/email/bank accounts/stock trades being [...] [...] nearly as much as it should.  With all the other "low hanging fruit", and with examples of cluelessness like this, we’ll probably see more stories of domain/email/bank accounts/stock trades being [...]

]]> By: Doug Woodall http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11524 Doug Woodall Wed, 16 Jan 2008 00:48:59 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11524 Is this the same as no accountability. Dont fix it till we get in trouble? Sad. Is this the same as no accountability. Dont fix it till we get in trouble?
Sad.

]]> By: Liquidmatrix Security Digest » Security Briefing: January 15th http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11495 Liquidmatrix Security Digest » Security Briefing: January 15th Tue, 15 Jan 2008 13:07:10 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11495 [...] From the Office of “Real World Software Security” [...] [...] From the Office of “Real World Software Security” [...]

]]> By: Franchu’s lair » Seguridad web, esa gran asignatura pendiente http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11363 Franchu’s lair » Seguridad web, esa gran asignatura pendiente Sun, 13 Jan 2008 09:02:53 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11363 [...] lo que me ha llevado a escribir este post, es la entrada From the Office of “Real World Software Security” en la que tras recomendarle a un cliente utilizar una librería antiXSS el cliente [...] [...] lo que me ha llevado a escribir este post, es la entrada From the Office of “Real World Software Security” en la que tras recomendarle a un cliente utilizar una librería antiXSS el cliente [...]

]]> By: dre http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11338 dre Sat, 12 Jan 2008 21:09:25 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11338 @ Alun Jones: Well, not really. Stored-XSS and HTML Injection are the same thing. Reflected-XSS is more like a few things, some of which include: parameter/form-based/cookie tampering in the HTTP header to include a script that will execute code on the client-side, while no code is executed or injected on the server-side. Reflected-XSS also includes script code inside binaries or in other places (e.g. Flash/QuickTime/media files, or images, or cache files) besides just HTTP header injections. DOM-based XSS is XSS on the client-side DOM (Javascript injected Javascript)! I do think we're going to need to start redefining XSS. Many XSS tools today only look for Javascript. But there are also other languages, including VBScript, Applescript, Actionscript, Silverlight (and other RIA frameworks) -- and most evil of all -- HTML, XHTML, CSS, XML, etc. @ Alun Jones:

Well, not really. Stored-XSS and HTML Injection are the same thing. Reflected-XSS is more like a few things, some of which include: parameter/form-based/cookie tampering in the HTTP header to include a script that will execute code on the client-side, while no code is executed or injected on the server-side. Reflected-XSS also includes script code inside binaries or in other places (e.g. Flash/QuickTime/media files, or images, or cache files) besides just HTTP header injections. DOM-based XSS is XSS on the client-side DOM (Javascript injected Javascript)!

I do think we’re going to need to start redefining XSS. Many XSS tools today only look for Javascript. But there are also other languages, including VBScript, Applescript, Actionscript, Silverlight (and other RIA frameworks) — and most evil of all — HTML, XHTML, CSS, XML, etc.

]]> By: mcurphey http://securitybuddha.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11293 mcurphey Sat, 12 Jan 2008 08:51:33 +0000 http://securitybuddha.wordpress.com/2008/01/10/from-the-office-of-real-world-software-security/#comment-11293 I am just a native Englishman. Grammar fixed guvnor. I am just a native Englishman. Grammar fixed guvnor.

]]>