Last week a couple of interesting and novel Clickjacking techniques have been published:
Cross-domain content extraction via framed view-source
Double-clickjacking (or, as I prefer to call it, Rapid fire cross-site interaction)
Both involve a tiny amount of social engineering (#2 requires JavaScript, too), but as you can see they are totally feasible.
Needless to say, recent NoScript versions neutralize [...]
Looks like the following quote is acceptable content under the current Mozilla Planet policy, and a rather pertinent answer to this now extremely popular post:
"The irony of religion is that because of its power to divert man to destructive courses, the world could actually come to an end. The plain fact is, religion must die for [...]
Universal XSS 0day in Adobe Flash controlled users’ Web accounts:
As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.
I was already preaching this four years ago: the [...]
A certain greenish guy is pissed off (as usual) because of this (business as usual).
@securityhulkHULK
HULK HAVE DREAM, THAT SOME DAY POPULAR PDF READERS WILL BE WRITTEN IN LANGUAGE THAT KNOW HOW BIG ARRAYS ARE. IT POSSIBLY INDIGESTION THO.
Bro, you may want to try pdf.js…
Just please, if some comic book of yours comes out garbled and [...]
I’m pleased to announce the availability of NoScript 3.0a8 for mobile devices. Tested on Firefox for Android, it should work on Maemo too.
This is the first feature-complete mobile version of NoScript. In other words, it provides all the major security features of its desktop counterpart which make sense on a mobile device:
Easy per-site active content [...]
Since their introduction, NoScript’s Script Surrogates (or "Surrogate Scripts") have grown both in reliability and flexibility. NoScript 2.1.3 introduced two new types of surrogates ("Before script" and "After script"), so it’s a good time to recap.
Script Surrogates replace a blocked script or complement existing scripts which would not work as expected because of NoScript.
A Script [...]
Today I’ve been notified by Patrick Green, the Chair of the Dragon Research Group Advisory Council, about NoScript having been chosen as the recipient of their Security Innovation Grant.
This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript [...]
According to Mark Finkle, who comments on Daniel Glazman’s reply to Wladimir Palant (and the discussion goes back many more hops yet)
[…] there are two classes of binary XPCOM components:
XPCOM wrappers around 3rd-party binary libraries: We use this model for exposing external binary functionality into JavaScript so add-ons and applications can access the libraries. Using js-ctypes should [...]
NoScript 3.0a3 for Firefox Mobile is out, bringing three of the major "classic" NoScript features to your Android smartphones:
Easy per-site active content permissions management.
The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
ClearClick, the one and only effective client-side protection against Clickjacking.
Still some road ahead for [...]
Am I alone in fearing that the lust for shrinking down the browser will get us into more trouble like this (or just make plain old-school phishing more effective)?