CSS exploit allows detection of social site use

Thursday, May 29th, 2008

Web developer Aza Raskin knows we visit Digg, Del.icio.us, Reddit and Facebook without even having to ask. No, he isn't employing privacy violating hackery, but he is exploiting a "cute" information leak in CSS that traditionally displays visited links differently than those that have yet to be visited. By loading in ...

Cross-Site-Scripting with Morse code

Monday, May 5th, 2008

Nowadays, who understands Di-Di-Di-Da-Da-Da-Di-Di-Dit (S.O.S., Save Our Souls)? Few people do, but your web browser just might. In his blog, security expert Nathan McFeters has reported the discovery of a cross-site scripting (XSS) vulnerability on an Italian website that allows attackers to inject malicious JavaScript encoded in Morse code in ...

Stop XSS attacks with SafeHTML

Wednesday, April 30th, 2008

If you allow user-contributed content in your site, you run into the problem of dealing with user supplied HTML in a safe manner. The most secure way of dealing with things, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where ...

A Look at a Bank Worm

Wednesday, April 23rd, 2008

Malware authors will often have their files display something to the user so that they actually believe the file is legitimate. Many of us have experienced such tricks, including fake errors stating that a specific file could not be found or that the application failed to load properly. Today we ...

Hacker releases working GDI-bug attack code

Wednesday, April 16th, 2008

Security researchers on Monday spotted malicious code that triggers a critical vulnerability in the Chinese version of Windows 2000, and warned users of other editions to expect attacks. Symantec confirmed that the proof-of-concept code publicly posted to the milw0rm.com site earlier in the day successfully attacks Chinese editions of Windows 2000 ...