Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).
Chris has a good explanation on XSS Self Defence.
While on the subject, I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers”, which you thankfully won’t find in the bookstores (it is electronic only, from a small online bookstore). Here’s a quote:
You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, […], or send the form data to a verification script.
That suggests client-side validation is good enough (and makes me want to scream). Anything checked in the browser can be skipped by submitting the request by hand, so the verification script on the server is the only check that counts. I think there needs to be a place to report misinformation as well as application security holes.
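As an added illustration (this is not code from the post or from the book quoted above), here is what the “verification script” side has to do on its own: check each field against an allowlist of acceptable values and escape whatever is echoed back. The field names, the validation rules and the two sample submissions are assumed for the example; the second submission is a constructed request that never went through any client-side JavaScript.

```php
<?php
// Added example, not from the original post. Field names and rules are assumed.

/**
 * Validate a submitted form on the server.
 * Returns an array of error messages keyed by field; empty on success.
 * Every field is checked against what IS acceptable, never against a
 * list of "bad" characters, so unexpected input fails closed.
 */
function validate_form(array $data)
{
    $errors = array();

    // Username: 3-20 characters, letters, digits or underscore only.
    if (!isset($data['username'])
        || !preg_match('/^[A-Za-z0-9_]{3,20}$/D', $data['username'])) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    }

    // Email: conservative shape, and no CR/LF so the value can never be
    // used to inject extra mail or HTTP headers later on.
    if (!isset($data['email'])
        || strpbrk($data['email'], "\r\n") !== false
        || !preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/D', $data['email'])) {
        $errors['email'] = 'Email address is not in an acceptable form.';
    }

    // Age: unsigned integer within a plausible range (ctype_digit rejects "-5", "1e3", "").
    if (!isset($data['age'])
        || !ctype_digit($data['age'])
        || (int) $data['age'] < 13
        || (int) $data['age'] > 120) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }

    return $errors;
}

/** Escape a value before it is echoed into an HTML page. */
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed input 1: what a browser that ran the JavaScript check would send.
$submitted_by_browser = array(
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'age'      => '30',
);

// Constructed input 2: a request assembled by hand that skipped the JavaScript entirely.
$submitted_by_hand = array(
    'username' => '<script>alert(1)</script>',
    'email'    => "x@example.com\r\nBcc: someone@example.net",
    'age'      => '-5',
);

foreach (array($submitted_by_browser, $submitted_by_hand) as $input) {
    $errors = validate_form($input);
    if (empty($errors)) {
        // Even accepted values are escaped on output; validation and escaping are separate jobs.
        echo 'Accepted: ' . h($input['username']) . "\n";
    } else {
        foreach ($errors as $field => $message) {
            echo h($field) . ': ' . h($message) . "\n";
        }
    }
}
```

The first submission is accepted and the second is rejected on all three fields; the client-side check, had there been one, contributed nothing to that outcome. Note that `h()` is still applied to accepted values: validation limits what gets stored, escaping governs what is safe to print, and neither replaces the other.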
October 29th, 2004 at 8:20 pm
Just wish there was more support for HttpOnly cookies (both in non-IE browsers and PHP).
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
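As an added note on the PHP side of that wish (example code, not from the comment or from PHP's own sources): `setcookie()` only gained an `$httponly` argument in PHP 5.2, but the flag is nothing more than an attribute on the `Set-Cookie` header, so a raw `header()` call can emit it from any PHP version. The helper name and the cookie name and value below are assumed for illustration.

```php
<?php
// Added example, not from the comment thread. Helper name is hypothetical.

/**
 * Build a Set-Cookie header line carrying the HttpOnly attribute.
 * Browsers that honour the attribute keep the cookie out of document.cookie,
 * so script injected into the page cannot read it; the cookie is still sent
 * on normal requests. Browsers that do not know the attribute ignore it.
 */
function httponly_cookie_header($name, $value, $path = '/', $secure = false)
{
    // Encode name and value so ";", "=" or whitespace in them cannot break the header.
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
            . '; path=' . $path;
    if ($secure) {
        $header .= '; secure';   // only send over HTTPS
    }
    return $header . '; HttpOnly';
}

// Constructed session cookie for demonstration.
$line = httponly_cookie_header('PHPSESSID', 'constructed-session-id-123', '/', true);

// Emit it if we still can (headers go out before any body), otherwise show it.
if (!headers_sent()) {
    header($line, false);   // false: add to, do not replace, other Set-Cookie headers
}
echo $line . "\n";
```

On PHP 5.2 and later the same effect is available directly through the last argument of `setcookie()` and, for the session cookie, the `session.cookie_httponly` ini setting. PHP decodes cookie values when it fills `$_COOKIE`, so the `rawurlencode()` above needs no matching decode in the application.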
October 29th, 2004 at 8:31 pm
Amen to that Ren.
https://bugzilla.mozilla.org/show_bug.cgi?id=178993
October 30th, 2004 at 3:48 am
Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:
http://shiflett.org/articles/foiling-cross-site-attacks
Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.
Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.