Archive for March, 2008

Oops! I accidentally hit the Back button and canceled my attack!

Wednesday, March 19th, 2008

Danny Alan’s demo of Ajax XSS attacks and exploits had to be one of the best talks I went to at Ajax World 2008. Aside from wowing the audience with a demonstration of the power and ease of Cross-Site Request Forgery attacks, he also uttered the most hilarious soundbite of the conference:

Oops! I accidentally hit the Back button and canceled my attack!

In all seriousness, the CSRF attack toolkit put together by Danny and his colleagues was impressively unsettling.

Notes from Ajax World 2008, day 2

Wednesday, March 19th, 2008

Overall the emphasis was on XSS attacks and (the problem of) JavaScript security, proposing a “safe subset” of JavaScript, supported by the “adsafe” option in JSLint. A policy of “cooperation under mutual suspicion.” Other memes included “advertising is a mashup.”

The title of this slide was Vats: Communicating Computational Containment. Crockford said that “vats” are the solution to what he calls “the turducken problem.” That is, there is no way to reliably detect the various perfectly permissible variations of JavaScript-inside-HTML-encoded-as-a-URL.

Hybrid Cab on Mulberry Street

Monday, March 3rd, 2008


Hybrid cab, originally uploaded by Noah Sussman.

This is the first hybrid cab I have seen in the city. I think it was a Nissan but I’m bad with make-and-models.