Friday, March 6, 2009

FOWA Dublin Notes: Web application security horror stories - by Simon Willison


Simon started his entertaining and informative presentation by talking about what is probably the best-known web security threat: Cross Site Scripting (XSS).

An XSS attack is possible when others can inject JavaScript into your page (e.g. via forms or URLs). The attacker is then able to perform virtually any action on the attacked site, just as if they were you.

MySpace Worm

The MySpace Worm was the result of an error in the sanitization of user-provided HTML. The injected code caused each visitor to send a friend request to the attacker and copied the attacker's code onto the victim's page as well. That way, the attacker had more than a million friend requests after 20 hours, finally bringing MySpace down.

Google UTF-7 hole

A missing character encoding header in Google's redirect pages allowed users to inject a string into the page that caused Internet Explorer to interpret it as UTF-7 content and execute the JavaScript it contained.

Don't trust CSS

CSS is not executable, is it? Well, you can include active components in CSS by using HTC in Internet Explorer or XBL in Mozilla. Also, a position: absolute hack allowed an attacker to steal 30,000 MySpace accounts.

SQL injection

Never, ever glue user-provided strings into your SQL queries. Instead, use parameterized queries or an ORM. This is much safer and also easier to maintain.

A nice variation is to use SQL injection to create a mass XSS: You can insert JavaScript into a database which will then be potentially displayed on every page of the attacked website.


Cross Site Request Forgery (CSRF) is probably one of the most widespread vulnerabilities, as a lot of developers are not aware of it or don't care about it. If you haven't taken any action to prevent CSRF, your site is most likely vulnerable to it. Popular examples are the Digg exploit (a self-digging page) and the Gmail filter hack.

Just using POST requests for your forms doesn't help. Instead, you have to use hard-to-guess transaction tokens which the server checks for every action. This, of course, can be useless if your site has an XSS vulnerability, as the attacker can then steal your token.
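A sketch of the transaction-token check described above, added here as an example and not taken from the talk. The names `SERVER_KEY`, `issue_token`, `verify_token`, `handle_post` and the `csrf_token` form field are hypothetical, and the key is generated at start-up only for the sake of the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Assumption: a per-deployment secret; a real site loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)
_NONCE_RE = re.compile(r"[0-9a-f]{32}")


def _mac(session_id: str, nonce: str) -> str:
    # Bind the token to one session so it cannot be replayed in another.
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Return a hard-to-guess token to embed as a hidden form field."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Check the token that arrived with a state-changing request."""
    if not submitted or submitted.count(".") != 1:
        return False
    nonce, mac = submitted.split(".")
    # Fixed-format nonce keeps the MAC input unambiguous.
    if not _NONCE_RE.fullmatch(nonce):
        return False
    expected = _mac(session_id, nonce)
    # Constant-time comparison on bytes avoids timing leaks and type errors.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_post(session_id: str, form: dict) -> int:
    """Hypothetical POST handler: returns the HTTP status it would send."""
    if not verify_token(session_id, form.get("csrf_token")):
        return 403  # missing, forged or cross-session token
    return 200      # token matches this session; perform the action


if __name__ == "__main__":
    token = issue_token("session-A")  # constructed session identifiers
    print(handle_post("session-A", {"csrf_token": token}))  # own form
    print(handle_post("session-A", {}))                     # forged cross-site POST
    print(handle_post("session-B", {"csrf_token": token}))  # token from another session
```

A forged cross-site POST carries the victim's cookies but not the hidden field, so it is rejected; as the notes say, an XSS hole that lets the attacker read the form defeats the check.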


Clickjacking is tricking the user into clicking on a certain link or button. This can be done, for example, by showing a button which the user wants to click on (e.g. in a game) together with an Iframe that has the CSS opacity: 0.0. That way, the Iframe will actually receive the click although it's not visible to the user. The Twitter Don't Click This hack was an example of a Clickjacking attack.

You can prevent this attack by using JavaScript to check whether your page runs in an Iframe. Unfortunately, there is no standard way to prevent this when the user has JavaScript turned off, which makes this attack quite dangerous.

Insecure admin accounts hack

The recent Twitter hack was actually caused by a dictionary attack on a popular user's password. The password was "happiness", and the user was a Twitter employee with admin access. So you should make sure that admin accounts get extra protection, such as limiting access to users on your local network only.

