Welcome to Michael's Blog

All posts tagged with label XSS

Blog of latest news, updates, and stories for developers

TODO: Internet Explorer 8

I will collect some of my thoughts about the current beta 2 of Internet Explorer 8 [1] that I noticed during the IE8 community roundtable [2] last week:

Posted by Michael Schwarz on Monday, September 1, 2008

Maybe Socket Bug in Policy Code in Silverlight 2 beta 1

In my last post [1] I wrote about how you can use sockets in Silverlight 2 beta 1 [1]. Well, when publishing my application to an Internet domain the code didn't work. I always got a socket exception: error code 10013, access denied. I have put an example online at http://frankfurt.schwarz-interactive.de:4510/test.aspx [2].

Posted by Michael Schwarz on Saturday, March 8, 2008

Trackbacks, Who Is Linking You and where you should pay attention

Today I opened the Turkish version of Google [1] and did a search for something I cannot remember. The thing was that I didn't hit Enter; instead I clicked on the button Google'da Ara. What I noticed then was that the ' was not correctly URL-encoded. Hm, nothing you have to care about. But after clicking on a link to a blog from the search results I found the same incorrectly URL-encoded URL in the "who is linking me" section. While reading the page I had the idea to do some more testing with the apostrophe (or a quote).

Posted by Michael Schwarz on Wednesday, April 11, 2007

JSON Hijacking and How Ajax.NET Professional (AjaxPro) Avoids these Attacks

There are a couple of web sites reporting about security issues that hackers can use to invoke AJAX methods or use the JSON output to get data from other web applications. Specifically, these attacks use HTTP GET requests invoked via an HTML <script src=""> include element to circumvent the "same origin policy" enforced by browsers (which limits JavaScript objects like XmlHttpRequest to only calling URLs on the same domain that the page was loaded from), and then look for ways to exploit the JSON payload content. HTTP POST only works if you are in the same domain, but that does not mean it is not a dangerous security issue when used on web sites where different users can access data (e.g. spaces.live.com, blogger.com, ...); there it is very easy to run an HTTP POST with the XmlHttpRequest object in the same domain (see Google XSS bug [1]).

Posted by Michael Schwarz on Saturday, April 7, 2007

How to surf the Internet more safely

In the past you may have heard about more and more security bugs on well-known web sites that you may use several times a day. Below are some tips you should keep in mind when browsing:

Posted by Michael Schwarz on Tuesday, January 16, 2007

How do I hack a web site?

Next Tuesday I will talk at the .NET User Group in Munich, Germany [1] about the following topics:

Posted by Michael Schwarz on Wednesday, January 10, 2007

Pending Members - Google Groups XSS Bug [Part 1]

During the weekend I found a script error on the Google pending members web page. Because I was using the new Google Groups beta interface I didn't look into it. But today the script error still occurs, and I noticed the same error on the older version, too. I had a look inside the generated HTML output and found that there was a script tag that was not closed; ah, it was a membership request message.

Posted by Michael Schwarz on Monday, December 4, 2006