Seriously Cool - Easy IE on linux

IEs 4 Linux - Internet Explorers for Linux
Now this is mega-cool: an easy script to download and install IE on a Linux box...
This definitely removes one of my few remaining reasons to ever boot into a Windows VM.

XSRF example

Google Cross-site Request Forgery
Cross Site Request Forgery is one of those vulnerability classes that can be a bit tricky to explain, so it's always nice to find a decent live example. This one's pretty harmless, it just changes your Google language preferences, but I reckon that we'll see a real growth in this kind of problem over the next couple of years as "the bad guys"(tm) keep looking for innovative new ways to attack web apps.

Fix for XSS problems with in_place_edit

In_place_edit_for with validation and sanitization
I've started having a look at my little Rails app. I'm writing with a security person's hat on, and one of the problems I've run into is that you can't by default use the h() function with an in place edit control. So this link has a solution for that...
One quirk seemed to be that when I put in the XSS code `<script>alert("xss")</script>` using in_place_edit it escapes it OK, but then each time I click into the field and then click OK it re-escapes the contents, giving an ever expanding field...
Still, the main thing is it gets rid of the XSS problem (well, from a security point of view anyway).

Tutorial on pagination and sorting

How to paginate, sort and search a table with Ajax and Rails

Malware to defeat virtual keyboards

Banking Trojan Captures User's Screen in Video Clip
A good write-up and video of malware designed to capture information from users using virtual keyboards.
It's just another indication that banks and other E-Commerce sites will need to come up with something more robust if they really want to make phishing impractical for attackers...
Personally I'd be interested to try a combination of RSA SecureID and Intrusion detection/prevention.
It works like this. The SecurID forces an attacker to do an in-line attack, because they've only got a less than 60 second window to use the credentials successfully, and this should increase the visibility of the traffic patterns. For example, if you've got 10 users who've always come from different UK based IP addresses in the past, and suddenly they're all coming from the same non-UK based IP address, then that could be a good time to block the session.
It would be difficult to tune, but I think once you'd baselined users it would be possible to build up a reasonable enough pattern to allow for some form of anomaly detection.
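A toy sketch of that baselining idea, added here as an example and not code from the original post: users, IP addresses and the GEO lookup table are constructed stand-ins for real login logs and a real GeoIP database.

```ruby
# Added example: baseline each user's historic login countries, then flag
# any source IP that a group of users suddenly shares from a country none
# of them has used before. All data below is constructed sample data.
require 'set'

# Stand-in for a GeoIP lookup: IP -> country code ('XX' = non-UK).
GEO = {
  '81.2.69.1' => 'GB', '86.10.0.7' => 'GB', '90.200.3.3' => 'GB',
  '198.51.100.9' => 'XX'
}.freeze

# Historic successful logins as [user, source_ip] pairs (constructed).
HISTORY = [
  %w[alice 81.2.69.1], %w[alice 86.10.0.7],
  %w[bob 86.10.0.7],   %w[carol 90.200.3.3]
].freeze

# Baseline: the set of countries each user has previously logged in from.
def baseline(history)
  history.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |(user, ip), acc|
    acc[user] << GEO.fetch(ip, 'UNKNOWN')
  end
end

# Logins in the current window. Returns the IPs shared by at least
# `min_users` distinct users for whom that IP's country is outside their
# baseline. Users with no history count as anomalous, which is one of the
# things that makes this hard to tune in practice.
def suspicious_ips(base, window, min_users: 3)
  by_ip = Hash.new { |h, k| h[k] = Set.new }
  window.each do |user, ip|
    country = GEO.fetch(ip, 'UNKNOWN')
    next if base.fetch(user, Set.new).include?(country) # normal for this user
    by_ip[ip] << user
  end
  by_ip.select { |_ip, users| users.size >= min_users }.keys
end

# Current window (constructed): three UK users now share one non-UK IP.
WINDOW = [
  %w[alice 198.51.100.9], %w[bob 198.51.100.9], %w[carol 198.51.100.9],
  %w[dave 90.200.3.3]
].freeze

if __FILE__ == $PROGRAM_NAME
  puts suspicious_ips(baseline(HISTORY), WINDOW).inspect # ["198.51.100.9"]
end
```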

Handy Rake Reference Sheet

Rails Rake Tasks Reference

sortable tables in rails

sorttable: Make all your tables sortable
This looks like an interesting enhancement for Rails. Unfortunately it doesn't seem to play too nicely with my AJAX updated table. It works when I first load the page, but if I then refresh the div with the table in it, the sortability vanishes...

Quick presentation on REST

10 Minutes REST
Decent, clear presentation on the REST architecture for web application development. From what I've seen so far, the URI style fits in well with the way Rails apps work by default, which is nice.

New Version of Radrails out

RadRails: A free and open source Ruby on Rails IDE
Looks like a new version of my Rails IDE of choice is out.
I'm not usually a great fan of IDEs for development, but I must admit that I'm liking working in RadRails quite a lot.
There are several features which I like: the Subversion integration is cool (I only discovered this by mistake, but still...) and having the generators in the IDE is also very handy. Another small but useful feature is the server support, where it'll recognise that you've got multiple apps in your workspace and start them on separate ports...

Potentially handy tool for web services work

SIFT - Information Security Services
This tool takes an interesting approach to helping with web services security reviews. It looks for methods which may serve up sensitive information but which are not published in the WSDL...