Guess everyone makes mistakes

By | October 29, 2004 | Programming

3

Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).

Chris has a good explaination on XSS Self Defence.

While on the subject; was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers” – you thankfully won’t find in the bookstores (electronic only for a limited online bookstore). Here’s a quote;

You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, [...], or send the form data to a verification script.

That suggests client side validation is good enough (and makes me want to scream). Think there needs to a place to report misinformation as well as application security holes.

Learn Responsive Web Design

Join Learnable $29 Includes all SitePoint books

Harry Fuecks

More Posts

{ 3 comments }

Chris Shiflett October 30, 2004 at 3:48 am

Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:

http://shiflett.org/articles/foiling-cross-site-attacks

Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.

Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.

jon October 29, 2004 at 8:31 pm

Amen to that Ren.

https://bugzilla.mozilla.org/show_bug.cgi?id=178993

Ren October 29, 2004 at 8:20 pm

Just wish there was mose support for HttpOnly cookies. (Both in non IE browsers, and PHP)

http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

Comments on this entry are closed.