This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Template:Application Security News"

From OWASP
(48 intermediate revisions by 5 users not shown)
Line 1: Line 1:
; '''Oct 15 - [http://link RSnake says IE7 sucks less for XSS]'''
+
<IfLanguage Is="en">
: Everybody revamp your blacklists (wish you'd done a whitelist now?) - "IE7.0 appears to be quite an improvement in overall security though. I’m glad the JavaScript directive has been relegated to IFRAMEs and HREFs rather than being possible anywhere a location was - thereby definitely reducing the attack surface for the newest browser from Microsoft"
+
This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.
 +
</IfLanguage>
 +
<IfLanguage Is="es">
 +
Estas noticias son moderadas por OWASP y mostrarán publicaciónes de alta calidad enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo o son recursos educativos útiles.
 +
</IfLanguage>
  
; '''Oct 15 - [http://www.csoonline.com.au/index.php/id;116770232;fp;16;fpid;0 AppSec like global warming...]'''
+
<owaspfeed/>
: You can never be exactly sure what's going on, but something is definitely up. "The biggest single classes of vulnerabilities in 2006 so far, according to ISS, would allow [[cross-site scripting]] (14.5 percent), [[SQL injection]] (10.9 percent); [[buffer overflows]] (10.8 percent) and Web directory [[path traversal]] (3 percent).
 
 
 
; '''Oct 6 - [http://www.wired.com/news/technology/security/0,71902-0.html Ajax is FUD-tastic]'''
 
: News flash: it is possible to write an insecure Ajax application, especially if you don't understand the technology. But that's no different from any programming environment. We need [[OWASP AJAX Security Project|guidelines]] and more research, not more FUD.
 
 
 
; '''Oct 3 - [http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html  CSRF, the sleeping giant]'''
 
: "Cross-Site Request Forgery (aka CSRF or XSRF) is a dangerous vulnerability present in just about every website. An issue so pervasion and fundamental to the way the Web is designed to function we've had a difficult time even reporting it as a "vulnerability". Which is also a main reason why CSRF does not appear on the Web Security Threat Classification or the OWASP Top 10. Times are changing and it’s only a matter of time before CSRF hacks its way into the mainstream consciousness." (Ed: We're revising the Top 10 for 2007 - feel free to come join us!)
 
 
 
; '''Oct 3 - [http://shiflett.org/archive/267 crossdomain.xml witch hunt]'''
 
: crossdomain.xml allows Flash-based CSRF attacks. Chris Shiflett demonstrates how to report such problems and work with the site owners to fix a potentially damaging loophole. "After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit - using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube, Adobe, and MusicBrainz."
 
 
 
; [[Application Security News|Older news...]]
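Review bot: the Spanish text inside the `<IfLanguage Is="es">` block has a spelling error and drifts from the English original. `publicaciónes` should be `publicaciones` (no accent on the plural), and `enfocadas en seguridad de aplicaciones de avanzada, proveen razonamiento profundo` does not carry the meaning of the English `that advance the field, provide useful insight`; something like `que hagan avanzar el campo, aporten ideas útiles` would match. Also worth confirming that `<owaspfeed/>` is meant to sit outside both `<IfLanguage>` blocks, since in that position it renders for every language while the introductory sentence does not.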
 

Latest revision as of 15:30, 6 May 2012

This news feed is moderated by OWASP and will feature high-quality posts focused on application security that advance the field, provide useful insight, or are useful educational resources.


<owaspfeed/>