ZDNet Resources
- Defeating the Same Origin Policy part 1
- Defeating the Same Origin Policy part 1 ouh... That made my head hurt. Excellent post. I wasn't sure whether to laugh or scream. Worrisome, I will say that. And while this subject is, in fact, no laughing matter, the way you made it look so easy made me laugh anyway. ...
- Tags: Same Origin Policy, attack, applet, JavaScript
- Discussion threads 2008-03-14
- Defeating the Same Origin Policy part 1
- The Same Origin Policy is one of the guiding principles that seek to protect our browsing experience. The Same Origin Policy was originally released with Netscape Navigator 2.0 and has been incorporated in one form or another in every major browser since. The concept has additionally been extended...
- Tags: Concept, Attacker, Java, Victim, Applet, Attack, Same Origin Policy, Nathan McFeters
- Blog posts 2008-03-14
Additional Resources
- Now the fun starts on health reform
- Tyranny wrapped up in compassion and you're a willing advocate. News flash for you. You won't get to be one of the rulers. Your life will wind up sucking just as badly as everyone else under the new system. A move to Canada is looking better and better every day. nt :-( Health Care...
- Tags: Vertical industries, Benefits, HEALTHCARE, health care, province, federal government, insurance
- Discussion threads 2009-10-02
- Microsoft and their Photoshop diversity policy
- Wow! Looking forward to hearing the PR claw back for this one. This is just inexcusable, regardless of local politics. It's not even well done! World's shortest neck. Could have lifted the head a bit higher. Also, not necessarily any sinister motive. When budgets are enormous, you pay for focus groups to determine...
- Tags: Public relations, Marketing research, iGeneration, Photoshop diversity policy, Microsoft Corp., diversity policy, Adobe PhotoShop
- Discussion threads 2009-08-25
- Tailoring Web technology to a bespoke dress shirt business
- It's not easy to mix up the monotony of putting on a shirt and a tie every day for work, but what if the shirt was made-to-order, with details of your own choosing? Fashion startup ShirtsMyWay allows you to spruce up your tired work uniform and customize...
- Tags: Web Technology, Web, Women, Denmark, Gender And Diversity, AJAX, Human Resources, Internet, Software/Web Development, Web Development, Web 2.0, Andrew Nusca
- Blog posts 2009-07-02
- Apple Safari jumbo patch: 50+ vulnerabilities fixed
- Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical. The latest fixes, available in the new Safari 4.0, correct a wide range of code execution and denial-of-service vulnerabilities and even come with a fix for the...
- Tags: Apple Safari, Vulnerability, Apple Inc., Web Site, Web Site Development, Web Technology, Security, Internet, Ryan Naraine
- Blog posts 2009-06-08
- Internet Explorer + Google Chrome = security problem
- Security problems surrounding protocol handling and Web browsers have surfaced again -- this time with Google Chrome and Microsoft's Internet Explorer. According to an advisory from the Google Chrome team, there's an error in handling URLs with the chromehtml: protocol that could allow an attacker...
- Tags: Google Inc., Microsoft Internet Explorer, Google Chrome, Web Browsers, Security, Internet, Ryan Naraine
- Blog posts 2009-04-27
- Mozilla plugs Firefox code execution holes
- Mozilla today shipped Firefox 3.0.7 with fixes for at least eight security flaws, some rated critical. The most serious of the vulnerabilities could be exploited by attackers to run code and install software, requiring no user interaction beyond normal browsing, Mozilla warned in...
- Tags: Mozilla Firefox, Vulnerability, Web Browser, Mozilla Corp., Web Browsers, Security, Internet, Ryan Naraine
- Blog posts 2009-03-04
- Mozilla plugs 7 security holes in Firefox
- Mozilla's flagship Firefox 3 browser has undergone another security makeover to fix at least 7 documented security vulnerabilities that expose users to malicious hacker attacks. The Firefox 3.0.6 upgrade patches at least two critical Firefox flaws that may lead to arbitrary code execution attacks and another "high...
- Tags: Mozilla Firefox, Attacker, Vulnerability, JavaScript, Severity, Web Browser, Mozilla Corp., Firefox 2 Release, Web Browsers, Security, Internet, Ryan Naraine
- Blog posts 2009-02-04
- Firefox security makeover: 11 vulnerabilities, 4 critical
- Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated "critical" because of the risk...
- Tags: Mozilla Firefox, Vulnerability, JavaScript, Web Browser, Mozilla Corp., Web Browsers, Security, Internet, Ryan Naraine
- Blog posts 2008-11-12
- Opera sings the security blues
- Guest editorial by Aviv Raff. If you ask any Opera fanboy, he will tell you that Opera is the most secured browser. Well frankly, it really is a good and secure browser, implementing many restrictions that other browsers simply ignore. For example, while...
- Tags: Internet, Opera Software ASA, Resource, Ryan Naraine, Security, Vulnerability, Web Browser, Web Browsers
- Blog posts 2008-10-30
- Black Hat Las Vegas Day 2
- Again, sorry for the late updates. Vegas is the kind of place that demands a lot of a person. Too many parties make it difficult to find time to blog on the conference. Pictures of the event are a bit sparse, due to consistently forgetting to bring my camera, but...
- Tags: black hat, microsoft corp., applet, image, vegas, nathan mcfeters
- Blog posts 2008-08-09
- Black Hat Sneak Preview
- Rob McMillan from IDG interviewed John Heasman and me today about the presentation we will be delivering with Rob Carter at Black Hat Vegas next week. The article has a good teaser about one of the more interesting of the many attacks we will cover, namely what we've coined...
- Tags: Black Hat, Java Applet, Web Application, Web Browser, Applet, Attack, GIFAR, Java, Programming Languages, Security, Software Development, Software/Web Development, Nathan McFeters
- Blog posts 2008-08-01
- 2008 Pwnie Award nominees announced
- Well, after getting 134 nominations, and spending countless hours pulling out nominees, the judges for the 2008 Pwnie Awards have announced the final nominees to be voted on. From the site: The final list of nominees for the nine Pwnie Award categories is ...
- Tags: Attack, Flaw, Lifelock, Nathan McFeters, Nominee, Security, Vulnerability, XSS, XSS Flaw
- Blog posts 2008-07-21
- Sun releases JRE Version 6 Update 7, 90% of desktops currently at risk*
- * The 90% of desktops currently at risk comes from numbers presented at the Java One Keynote in 2008. If you aren't patched, get the Java control panel up and get updated, or go to Sun's site to download the update, cause this one's big. Yesterday Sun...
- Tags: Desktop, Sun Microsystems Inc., JRE, Programming Languages, Java, Software Development, Software/Web Development, Nathan McFeters
- Blog posts 2008-07-11
- Multiple Facebook vulnerabilities reported on Full-Disclosure
- Jouko Pynnonen posted a message to the Full-Disclosure mailing list today, citing multiple "script injection" vulnerabilities within Facebook. I'm not sure if this is a surprise to anybody out there, it's certainly not to me, as numerous web applications have major problems with Cross-site Scripting vulnerabilities, but I think this...
- Tags: Facebook, Vulnerability, XSS, JavaScript, Microsoft Internet Explorer, Web Browser, Sandbox, JS, Canvas Page, Web Browsers, Internet, Nathan McFeters
- Blog posts 2008-07-02
- Microsoft CardSpace killed before it really began?
- According to Neowin, computing students at the University of Bochum, Germany, have worked out how to retrieve vital security tokens from Microsoft's CardSpace framework. CardSpace is highly tipped to be the successor to Windows Live ID Passport and making passwords a relic of the Cold War, using self-signed or certificate...
- Tags: DNS, Microsoft Windows CardSpace, Security Token, Microsoft Corp., Domain Names, Digital Security, Security, Networking, Internet, Zack Whittaker
- Blog posts 2008-05-31
- Taking ownership of content
- Billy Rios covered a very interesting flaw in Google's code.google.com site on his blog today. The issue involves taking ownership of content of a third party by an application and relates to research that Rios and I originally presented at DEFCON 15 last year. Before...
- Tags: Domain, Applet, JVM, Billy Rios, Class File, CODE, Java, Programming Languages, Software Development, Software/Web Development, Nathan McFeters
- Blog posts 2008-04-04
- News to know: Microsoft, Apple update techniques; Ubuntu; Hacking Java; XP SP3
- Notable headlines: Ed Bott: What Microsoft can teach Apple about software updates Compare and contrast gallery right. Adrian Kingsley-Hughes: Ubuntu 8.04 "Hardy Heron" beta - making life easier for Windows users Nate McFeters: Defeating the Same Origin Policy part 2 ...
- Tags: Tom Foremski, Technique, Ubuntu, Google Inc., Hacking, Social Media, Apple Inc., Microsoft Corp., Microsoft Windows Vista SP1, Microsoft Windows Vista (Longhorn), Microsoft Windows XP, Service-Oriented Architecture (SOA), Operating Systems, Microsoft Windows, Software, Web Services, Enterprise Software, Larry Dignan
- Blog posts 2008-03-25
- Defeating the Same Origin Policy part 2
- In my first post in this series, I discussed the Same Origin Policy and how it protects us from some very serious attacks, the dangers of domain name based trust, and how to attack implementations of the Same Origin Policy within the Java Virtual Machine (JVM). In order to demonstrate...
- Tags: Permission, Applet, Attack, Programming Languages, Java, Security, Software Development, Software/Web Development, Nathan McFeters
- Blog posts 2008-03-24