Guess everyone makes mistakes


Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).

Chris has a good explanation on XSS Self Defence.

While on the subject; I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers” – which you thankfully won’t find in the bookstores (electronic only, from a limited online bookstore). Here’s a quote;

You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, [...], or send the form data to a verification script.

That suggests client-side validation is good enough (and makes me want to scream). I think there needs to be a place to report misinformation as well as application security holes.
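The point being made here is that JavaScript or VBScript validation never reaches a server with any guarantee: the request can be crafted without a browser at all. The following is an added example (not from the post or the quoted book) of what a PHP script must do regardless of any client-side check: re-validate the field on the server and escape it before it is ever echoed back into HTML. The field name and the sample values are constructed for illustration.

```php
<?php
// Added example: server-side validation plus output escaping for a form field.
// Any client-side check is treated as a convenience only and is repeated here.

// Validate a submitted "username" value (constructed field name). Returns true
// only for 3..20 characters of letters, digits and underscores.
function validate_username($value)
{
    if (!is_string($value)) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $value);
}

// Escape a value for insertion into HTML so that user-controlled text such as
// <script> is displayed as text rather than executed by the browser.
function escape_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Constructed sample inputs standing in for $_POST['username'].
$samples = array(
    'alice_01',
    '<script>alert(1)</script>',
    'bob; drop',
);

foreach ($samples as $input) {
    if (validate_username($input)) {
        echo 'Accepted: ' . escape_html($input) . "<br>\n";
    } else {
        // Rejected input is still escaped: the raw value is never printed as-is.
        echo 'Rejected: ' . escape_html($input) . "<br>\n";
    }
}
```

The two steps are independent: validation decides whether the value is acceptable at all, and escaping makes sure that whatever is printed (including an error message that repeats the bad value) cannot inject markup. Dropping either one reopens the hole, which is why the book's "or" is the dangerous word.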


  • Ren

    Just wish there was more support for HttpOnly cookies. (Both in non-IE browsers, and PHP)

    http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
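Ren's point is about support on the PHP side. As an added example (not from the comment), a script can emit the flag itself through a raw Set-Cookie header, which does not depend on setcookie() understanding HttpOnly; PHP 5.2 later added an httponly parameter to setcookie(). The cookie name and value below are constructed.

```php
<?php
// Added example: build a session cookie header carrying the HttpOnly flag
// (and Secure, when the page is served over HTTPS) without relying on
// setcookie() support for those attributes.
function build_session_cookie($name, $value, $secure = true)
{
    // Restrict name and value to characters that are safe inside a header line,
    // so that no attacker-influenced value can append extra attributes.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name) || !preg_match('/^[A-Za-z0-9]+$/', $value)) {
        return false;
    }
    $cookie = $name . '=' . $value . '; Path=/; HttpOnly';
    if ($secure) {
        $cookie .= '; Secure';
    }
    return $cookie;
}

// Constructed session identifier; a real one would come from the session layer.
$header = build_session_cookie('PHPSESSID', 'abc123def456');
if ($header !== false && !headers_sent()) {
    // Second argument false: do not replace other Set-Cookie headers already queued.
    header('Set-Cookie: ' . $header, false);
}
```

A browser that honours HttpOnly keeps the cookie out of document.cookie, so a script injected through XSS cannot read the session identifier; browsers that ignore the flag simply treat it as a normal cookie, which is why it is a mitigation on top of output escaping rather than a replacement for it.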

  • jon
  • Chris Shiflett

    Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:

    http://shiflett.org/articles/foiling-cross-site-attacks

    Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.

    Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.