Last week's (May, 6th 2002) Security Adviser article in InfoWorld was near and (not so) dear to my heart and hopefully yours.

Mandy Andress goes over many of the points we have discussed here at the Monastary, and some new points, but also brings it home with some very public examples (eg. eBay, Cybercash, VeriSign).

She also directly mention sites like here (sites for coders) where preventing CSS attacks, becomes a game of balance between your user's freedom and thier security. Hat's off to the developers here for working on that balance.

There are some other interesting links in her article

  • cross_site_scripting.archive.html - This page details sites who are open to CSS attacks *including AOL, and Real.com* this page is run by SkyLined a self professed h4x0r
  • community.whitehatsec.com - Who has just released thier Linux-based WhiteHat Arsenal 1.05 test suite for profiling your site against CSS attacks

    • Hopefully this article shows to all that this problem is not going away. So if you developing a website and take user input to be displayed. You should read this.



    grep
    Unix - where you can throw the manual on the keyboard and get a command

    In reply to OT: Cross-site Scripting - Articles and Tools by grep

    Title:
    Use:  <p> text here (a paragraph) </p>
    and:  <code> code here </code>
    to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.