Web Application Security

A few people asked for slides and links from the security talk from The Ajax Experience last week:

SlideShare

| View | Upload your own

General Links:

OWASP: Open Web App Security Project
Security Resources from the OpenAjax Alliance Wiki
Mozilla on Same-Origin Policy

XSS:

Introductions from: Wikipedia and Apache
Cheat Sheet: Long list of XSS vectors from RSnake
Explanation of DOM Based XSS
Explanation of Samy is my Hero worm
Fairly old FAQ at CGI Security
List of XSS holes in popular web applications

CSRF:

Introduction from: Wikipedia and here
Article by Chris Shiflett and CSRF Redirector test tool
CSRF FAQ at CGI Security
Array constructor overriding
A solution: SameRefererOnly
Protecting a JSON or JavaScript Service

Blogs:

Posted by Joe Walker 29 Oct 2007

Comments

Comments have been turned off on old posts

Incompleteness

The blog is about general web development. (Atom feed)

MozBlog contains Mozilla stuff - i.e stuff for planet (Atom feed).

See also the Archives

If it's a choice between
incomplete or wrong,
side with Gödel.

About

I'm Joe Walker. I work for Mozilla making developer tools better i.e. creating tomorrow's Firebug.

See also joewalker on Github and @joewalker on Twitter, and 103130341946168853745 on Google+.

Projects

GCLI is a web developers command-line that's being used in Firefox Developer Tools, and alongside Ace
DOM Template is an experimental DOM template engine with some nice features like asynchronous layout
CSS Doctor is an experiment into how we can improve the CSS telemetry in a browser
DWR is a Java library that enables Java on the server and JavaScript in a browser to interact and call each other as simply as possible

Recent Posts

Latest Tweets

Status updating...

Follow @joewalker