
Guess everyone makes mistakes

By Harry Fuecks

Gmail accounts ‘wide open to exploit’ through XSS (presumably in the form of an email).

Chris has a good explanation on XSS Self Defence.

While on the subject; I was glancing at a PHP book called “PHP 4 Programming for Advanced Web Developers”, which you thankfully won’t find in the bookstores (it’s electronic only, sold through one small online bookstore). Here’s a quote:

You can validate the form data by using client-side scripting languages, such as JavaScript or VBScript, […], or send the form data to a verification script.

That suggests client-side validation is good enough (and makes me want to scream). Client-side checks can be switched off or bypassed by anyone who crafts their own request, so the server must validate on its own. I think there needs to be a place to report misinformation as well as application security holes.
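To make the point concrete, here is an added example (not code from the post or from the quoted book) of the server-side handling a PHP form needs whether or not any JavaScript ran in the browser: validate the input, then escape it on output so a script tag in a field cannot execute. The field names and length limits are assumptions.

```php
<?php
// Added example: server-side validation plus output escaping for a comment
// form. Field names (name, email, body) and limits are assumed for illustration.
declare(strict_types=1);

// Return a list of error messages; an empty list means the input is acceptable.
// This runs on every request, so a client with JavaScript disabled or a
// hand-built POST gets exactly the same checks as a normal browser.
function validate_comment(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['name']  ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $body  = (string)($post['body'] ?? '');

    if ($name === '' || mb_strlen($name) > 50) {
        $errors[] = 'Name must be between 1 and 50 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    if (trim($body) === '' || mb_strlen($body) > 2000) {
        $errors[] = 'Comment must be between 1 and 2000 characters.';
    }
    return $errors;
}

// Escape a value for HTML body or quoted-attribute context. Validation limits
// what is accepted; escaping at output time is what stops a stored or
// reflected XSS payload from running when the page is rendered.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request, as it might arrive with client-side checks
// bypassed: the name passes the length rule, the email fails validation.
$post = [
    'name'  => '<script>alert(1)</script>',
    'email' => 'not-an-email',
    'body'  => 'hi',
];

$errors = validate_comment($post);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo '<li>' . h($e) . "</li>\n";
    }
} else {
    // Every user-controlled value is escaped, never echoed raw.
    echo '<p>' . h($post['name']) . ' wrote: ' . h($post['body']) . "</p>\n";
}
```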

  • Ren

    Just wish there was more support for HttpOnly cookies. (Both in non-IE browsers, and PHP)

    http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

  • jon
  • Chris Shiflett

    Thanks for the link, Harry. There’s also a plain HTML version available on my Web site that some people might prefer:

    http://shiflett.org/articles/foiling-cross-site-attacks

    Do you have any details about the vulnerability? I know the original announcement was purposely vague, but I presume things have been fixed by now.

    Someone recently sent me a description of a supposed Gmail vulnerability, wanting me to determine whether their findings were valid. I was able to access their account, which was more than they had expected. However, the attack required me to access a URL that should only really be known by the user, and I never had a chance to look into it more. I think details about this recent attack might give me some more perspective about what Google is doing on the server side.
