Clientless SSL VPN Vulnerability

Tuesday, December 1st, 2009

Web browsers enforce the same origin policy to prevent one site's active content (such as JavaScript) from accessing or modifying another site's data. For instance, active content hosted at http:///page1.html can access DOM objects on http:///page2.html, but cannot access objects hosted at http:///page.html. Many clientless SSL VPN products retrieve content ...

Reddit Javascript Worm?

Sunday, September 27th, 2009

Well, all that URL-encoded text in the links evaluates to something functionally equivalent to this: nonsense = "[x][b]\n[b]:/[" + this.innerHTML + "](/=eval(unescape(this.innerHTML9371d7a2e3ae86a00aab4771e39d255d9371d7a2e3ae86a00aab4771e39d255d//)";elements = document.getElementsByTagName('a'); for (i = 0; i < elements.length; i++) { if (elements[i].innerHTML == 'reply') ...

7 Reasons Websites Are No Longer Safe

Wednesday, September 9th, 2009

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.Among ...

Shutting Down XSS with Content Security Policy

Tuesday, June 23rd, 2009

For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy, designed to shut these attacks down. We wanted to give a bit of ...

Mass Injection Attack Affects 40,000 Websites

Tuesday, June 2nd, 2009

Researchers at Websense have discovered a mass injection attack that is redirecting Web browsers to a malware-bearing site.According to a weekend report by researchers at Websense, thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site."The active ...