Comments on Jeremiah Grossman: Its not the size that counts, its how you use it
Blog comment feed by Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186); 9 comments, feed last updated 2024-02-08. Comments are listed oldest first.

Anonymous (https://www.blogger.com/profile/12601594427575096471), 2007-11-28 23:10 (-08:00)

Well, there are some very cool services, such as..

www.x.se since you can have..

//x.se/3ew

:)

anyway, Mario Heiderich has h4k.in :P

Greetz!!

Anonymous, 2007-11-29 00:09 (-08:00)

Jeremiah, you really don't know NoScript (http://noscript.net/)?!

It does exactly what you suggested (sanitizing cross-site requests, redirects included) and much more (http://noscript.net/features#xss)...

Cheers

Jordan (https://www.blogger.com/profile/08341608982649448622), 2007-11-29 05:39 (-08:00)

Seconded -- noscript rocks.

That said, trying to do universal xss protection on redirects is hard, right? DOM injection requires no html, nor do attacks based on vulns like those introduced by using unsanitized PHP_SELF in urls. I suppose simply stripping < > would help some, but in the end it leaves too many vectors open, and might impact legitimate sites too.

Tyler (https://www.blogger.com/profile/03278535699466229371), 2007-11-29 06:11 (-08:00)

The browser vendors could also offer an option to prompt on HTTP redirect, or prompt on HTTP redirect just for certain sites.

Dan Weber (https://www.blogger.com/profile/06626675217693199470), 2007-11-29 07:43 (-08:00)

Isn't "trying to remove hostile characters from a string" one of our industry's classic persistent problems?

I still remember Hotmail's problems with trying to block the string "[script]" from being sent in an email, and how it took them forever plus a day to finally get it right.

(Oh, the irony! Blogger doesn't let me put <> tags around the "script" word above.)

Oh, as for tinyurl.com, you can set it up to always show you a preview of the URL you're heading to.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-11-29 07:50 (-08:00)

@giorgio, of course I know what NoScript is, I have it installed. However, to expand on what Jordan said, some amount of NoScript functionality should also come by default in the web browser. Because if it does not, users are left unprotected, which is why I called for a browser feature.

@jordan, it would most likely leave a certain amount of vectors open. That I'm cool with as long as it takes out a lot of the existing ones without severely impacting the user experience. That part will have to be tested.

@dan. You're exactly right, it's a lot like that. My point though is... what choice do we have? Something or nothing?

Anonymous, 2007-11-29 15:00 (-08:00)

It would have to include URL-encoded versions as well. And what about javascript: or onsomething="...", etc.

But there doesn't even have to be a redirect involved! You can hide the exploit URL using a frameset/iframe or simulate a click/form submit with Javascript*.

*) It's hard to get the masses to switch from a browser known for being swiss cheese, so expecting any noticeable number of people to use NoScript is just madness. It's nice and all, but if you plan anything internet-wide you should pretend it doesn't exist.

Anonymous (Lou), 2007-11-30 13:42 (-08:00)

Jeremiah Grossman,
I may have a job opportunity for you based in NYC for a company in Europe/Paris seeking to launch in the USA market. You seem capable.

Please contact me: 646-307-8909 NYC
my email lap@accessnyc.com
Thank you,
Lou

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-11-30 14:51 (-08:00)

For me personally? You can't be serious.
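The objection raised by Jordan and by the anonymous commenter of 2007-11-29 15:00, that stripping < and > from a redirect target still lets URL-encoded, javascript: and event-handler payloads through, worked as an added JavaScript example. This is not code from the blog post or from any commenter. The hosts victim.example and redirector.example, the ALLOWED_HOSTS list and the sample URLs are constructed for illustration. The second half shows an allow-list on scheme and host as one alternative to character stripping, with its limits noted in the comments; it is offered as an assumption about how a redirector could be hardened, not as the post's own proposal.

```javascript
// Added example for the thread above; not code from the blog post or its
// commenters. All hosts (victim.example, redirector.example, example.com)
// and the ALLOWED_HOSTS list are constructed for illustration.

// The filter the commenters are reacting to: drop '<' and '>' from a
// redirect target before following it.
function stripAngleBrackets(target) {
  return target.replace(/[<>]/g, "");
}

// Does the filtered target still carry one of the payload shapes named in
// the thread? This is a diagnostic for the demonstration, not a defense:
// it decodes percent-encoding exactly once, so a double-encoded %253C
// would slip past it too, which is the commenters' point in miniature.
function looksHostile(target) {
  let decoded;
  try {
    decoded = decodeURIComponent(target);
  } catch (e) {
    decoded = target; // malformed escape sequence; judge the raw string
  }
  return /<|>|javascript:|\son\w+\s*=/i.test(decoded);
}

// One alternative to character stripping: parse the target, accept only
// http(s), and only hosts the redirector is meant to send people to.
// What this does and does not buy: it stops the redirector acting as a
// relay to arbitrary destinations and rejects javascript: and
// protocol-relative targets, but an XSS bug on an allowed host is still
// that host's problem, so the target's query string passes through untouched.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]); // constructed

function safeRedirectTarget(target) {
  let url;
  try {
    // Relative and protocol-relative targets resolve against the redirector.
    url = new URL(target, "https://redirector.example/"); // constructed base
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Constructed sample targets, one per vector raised in the comments.
const SAMPLE_TARGETS = [
  "http://victim.example/search?q=<script>alert(1)</script>",         // literal tags
  "http://victim.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E", // URL-encoded
  "javascript:alert(document.cookie)",                                // javascript: scheme
  "http://victim.example/page?name=%22%20onmouseover%3D%22alert(1)",  // event handler, no brackets
  "//x.se/3ew",                                                       // protocol-relative
  "http://www.example.com/page",                                      // legitimate destination
];

// Run every sample through both approaches and return the results.
function report(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({
    target: t,
    stripped: stripAngleBrackets(t),
    stillHostile: looksHostile(stripAngleBrackets(t)),
    allowListed: safeRedirectTarget(t),
  }));
}

for (const row of report()) {
  console.log(row);
}
```

Only the first sample, with literal angle brackets, is defused by stripping; the encoded, javascript: and onmouseover= variants come through the filter unchanged and are still live once decoded. The allow-list rejects the javascript: and //x.se/3ew targets outright and lets http://www.example.com/page through, but, as the comments note, it says nothing about whether an allowed destination handles its own query string safely.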