XSS: Flash and Rails

A couple of good articles on XSS and security came out at the same time. One talks about XSS in Flash, and the other on Rails:

XSS Vulnerabilities in Common Shockwave Flash Files

Rich Cannings has written an article explaining the XSS issue with regard to Flash:

Critical vulnerabilities exist in a large number of widely used web authoring tools that automatically generate Shockwave Flash (SWF) files, such as Adobe® Dreamweaver®, Adobe® Acrobat® Connect™ (formerly Macromedia Breeze), InfoSoft FusionCharts, and Techsmith Camtasia. The flaws render websites that host these generated SWF files vulnerable to Cross-Site Scripting (XSS).

This problem is not limited to authoring tools. Autodemo, a popular service provider, used a vulnerable controller SWF in many of their projects.

Simple Google hacking queries reveal that hundreds of thousands of SWFs are vulnerable on the Internet, and a considerable percentage of major Internet sites are affected. We are only reporting XSS vulnerabilities that have been fixed by the vendors.

He walks through the tools that produce the vulnerable SWFs, and then the fixes that keep your site safe.

Is your Rails site XSS safe?

Stu Halloway of Relevance has written about SafeErb and how he got it working on a Rails 2.0 application. He kept notes as he went, so the rest of us can learn from his experience.

What is SafeErb?

Safe ERB lets you make sure that the string written by “<%= %>” in your rhtml template is escaped correctly. If you try to show the attributes of an ActiveRecord instance read from the database, or the parameters received from the request, without escaping them using the “h” method, an exception will be raised. This will significantly reduce the possibility of putting a cross-site scripting vulnerability into your web application.

The check is done using the “tainted?” method in the Object class, which is a standard feature provided by Ruby: a string is “tainted” when it is read from IO. When the ERB::Util#h method is called, this plugin “untaints” the string, and when “<%= %>” is evaluated in your rhtml template, it raises an exception if the string you are trying to show is still tainted.
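
The taint-then-escape flow described above, as an added illustration that is not SafeErb's own code. Ruby's built-in Object#taint was deprecated in 2.7 and removed in 3.2, so this model marks untrusted input with a module tag instead; the check logic (h escapes and untaints, output raises on anything still tainted) is the same, and the untrusted/emit/render helpers and the {{name}} placeholder syntax are assumptions for the example.

```ruby
require 'cgi'

# Marker standing in for Ruby's removed taint flag.
module Tainted; end

# Anything that arrives from the request or the database is marked tainted.
def untrusted(str)
  str.dup.extend(Tainted)
end

# SafeErb's h: HTML-escape the value and return an untainted copy.
def h(str)
  String.new(CGI.escapeHTML(str.to_s))   # fresh String, no Tainted tag
end

# Raised by the output step, as SafeErb does for "<%= %>".
class TaintedOutputError < StandardError; end

# Stand-in for "<%= %>": refuse to emit a value that is still tainted.
def emit(value)
  if value.is_a?(Tainted)
    raise TaintedOutputError, "unescaped tainted value: #{value.inspect}"
  end
  value.to_s
end

# Tiny template renderer: {{name}} emits as-is, {{h name}} escapes first.
def render(template, params)
  template.gsub(/\{\{(h )?(\w+)\}\}/) do
    value = params.fetch(Regexp.last_match(2))
    emit(Regexp.last_match(1) ? h(value) : value)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameter carrying a script tag.
  params = { "name" => untrusted("<script>alert(1)</script>") }
  puts render("Hello {{h name}}", params)   # escaped, so this renders
  begin
    render("Hello {{name}}", params)        # unescaped, so this raises
  rescue TaintedOutputError => e
    puts "blocked: #{e.message}"
  end
end
```

Literal strings in the template or in code are never tagged, so they pass through emit unchanged, exactly as an untainted string does under SafeErb.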

NewsGator Makes Client Apps Free
NewsGator Makes Client Apps Free: NetNewsWire 3.1, FeedDemon 2.6, NewsGator Go! for Windows Mobile 2.0, and NewsGator Inbox 3.0 are now free to download and use. FeedDemon is a desktop news aggregator that I helped beta test and have used off and on, and Bradbury is a tremendous developer. If you were looking for a powerful desktop aggregator that is easy to use, FeedDemon might be the ticket.

Simplicity: PHP Ajax Framework using Ext
John Le Drew has been working on a PHP framework for a few years, and has now packaged it as Simplicity:

The Simplicity PHP Application Framework is an advanced, scalable and extensible PHP application framework to aid developers in creating high traffic, high availability Web 2.0 online applications. Integrating a solid MVC framework with some of the best Open Source projects around, Simplicity aims to assist developers with any amount of experience in taking their applications to a new level.

You can get to the code on the framework's Launchpad page.

One important piece is the Ajax admin console, developed in Ext, which lets a developer configure all aspects of their application through the Ajax interface; this includes database modeling, the creation of stub controllers, and even the addition of predefined actions to speed up development.

Simplicity

HTML Purifier 3.0
HTML Purifier 3.0 has been released.

What is HTML Purifier?

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.

What’s new in 3.0?

Release 3.0.0 is the first release of 2008 and also HTML Purifier’s first PHP 5 only release. The 2.1 series will still be supported for bug and security fixes, but will not get new features. This release contains a number of improvements in CSS handling, including the filter HTMLPurifier_Filter_ExtractStyleBlocks, which integrates HTML Purifier with CSSTidy for cleaning style sheets (see the source code file for more information on usage), contains experimental support for proprietary CSS properties with %CSS.Proprietary, case-insensitive CSS properties, and more lenient hexadecimal color codes. Also, all code has been upgraded to full PHP 5 and is E_STRICT clean for all versions of PHP 5 (including the 5.0 series, which previously had parse-time errors).

You can run a live demo to see it at work.

AjaxSwing 2.0: AJAX front end for Swing applications
WebCream has been renamed and a new version launched as AjaxSwing 2.0, a framework that “does all server communication via asynchronous JavaScript and uses partial page updates to reflect changes in the browser.”

New Features

  • AJAX functionality for component rendering and asynchronous communication with the server
  • Asynchronous submit of client-side events and operations
  • Partial page updates only to changed components
  • Dramatic speed improvements in rendering and request processing
  • Row context menus in JTable (see TableSupport)
  • Custom node icons and context menus in JTree (see TreeSupport)
  • Improved scripts on UNIX platforms
  • Allow environment variables and directories of JARs in agent.classPath
  • Drop shadows are added to windows

Fancy writing your apps in Swing? If so, check out the demos, and download away.

AjaxSwing Set
