Library author: Don’t provide an exploitable interface

SQL injection is a pretty big deal. Its cousin shell injection is also a common issue, demonstrated quite well by a recent post to the PHP reddit. Although some suspect it was a troll, I heard echoes from a variety of people who had seen pretty much exactly the same vulnerability in production. This got me thinking: People writing libraries …

Password policies generally suck

The other day I was talking with someone about passwords. They had a policy that you are not allowed to use your old passwords again, and that got me thinking: Is this actually improving or reducing password safety? Especially bringing this topic to the spotlight today is a recent password leak from a popular Finnish online game, Älypää. Their site was …

How to get free publicity by screwing up your friendly URL algorithm

Today I’ll share a fun story with you. Would you like to get free publicity? Go ahead and make a poor friendly URL implementation, like the Finnish Broadcasting Corporation, or YLE – the national broadcasting company of Finland – did. YLE had a very naive friendly URL algorithm on their web site. As you may guess, people found out about …

Sandboxing Rhino in Java

I’ve been working on a Java app which needed Rhino for scripting. The app would need to run untrusted JavaScript code from 3rd parties, so I had to find a way to block access to all Java methods, except the ones I wanted. This would not be a problem if there was an easy way to disable LiveConnect – the …

Preventing cross-site scripting attacks

Originally posted in my old blog at My Opera.

Cross-site scripting attacks, also known as XSS attacks, are a type of vulnerability found in some web sites. For example, if your blog comment box allows users to write JavaScript snippets that aren't escaped in any way by the server and are run, it's most likely vulnerable to an XSS attack. …