Browse by Tags - HP Application Security Center Community

Browse by Tags


» Ajax Security Book is published with strong buzz and reviews

Our Ajax Security book from Addison Wesley has been published! By now I'm sure everyone is tired of me talking about the book and its merits, so let's see what some of the experts in the web security space are saying about it: Andrew van der Stock, the Executive Director of OWASP, reviewed a draft...
Posted to The HP Security Laboratory (Weblog) by Billy on 12-20-2007

» JavaScript strings immutable in Rhino???

Update: Hmmm. I think I'm looking at the wrong thing. This needs more testing/tracing to see exactly what's going on. Just a quick update from yesterday's post. It appears that Mozilla Rhino (a JavaScript interpreter written in Java) uses Java's String object to represent JavaScript strings...
Posted to The HP Security Laboratory (Weblog) by Billy on 11-28-2007

» [snarfs coffee]... wait, What are you doing?

While reading through an article about Firefox 3 on Security Focus today I snarfed my drink when I read the following passage: The group also rewrote the Password Manager in JavaScript from C++ to eliminate memory errors, Schroepfer said. Digging a little deeper I find an article talking about how OS...
Posted to The HP Security Laboratory (Weblog) by Billy on 11-27-2007

» Praise for Ajax Security Book

Bryan and I got to see the cover of our book Ajax Security before it went to the printers today. It included what is known in the industry as a praise quote, where someone who is famous in a certain space reads the manuscript and provides a quote for the book. Bryan and I received the following quote...
Posted to The HP Security Laboratory (Weblog) by Billy on 10-31-2007

» Ajax Security Acceptance

It's time again for AjaxWorld, the largest Ajax conference in the US. Bryan and I are thrilled. AjaxWorld offered us back-to-back sessions so we can do a 90+ minute workshop on how to break into Ajax applications. We will not only hit the major themes like increased attack surface, code transparency...
Posted to The HP Security Laboratory (Weblog) by Billy on 08-30-2007

» Speaking at Shmoo

I’m really excited to be speaking at Shmoocon again and especially excited about my presentation this Saturday at 1pm. Javascript Malware for a Gray Goo Tomorrow focuses on the increased scope of damage caused by Cross-Site Scripting (XSS) vulnerabilities in the last year. The Web 2.0 revolution...
Posted to The HP Security Laboratory (Weblog) by Billy on 03-22-2007

» Re: Universal XSS

Not to sound like a copout, but this really isn't something products like WI can detect/prevent. The problem is there is a bug in a client-side program, Acrobat Reader. If someone opens a PDF by clicking on a malicious link, Acrobat does something bad. We cannot stop Acrobat from doing something bad...
Posted to What's on your mind? (Forum) by Billy on 01-03-2007

» Re: Ajax Testing Question

EW, One of our engineers, Bryan Sullivan, recently wrote an article about teaching your QA department about how to test Ajax applications properly for security defects. It's a good read: http://www.devcity.net/Articles/273/1/article.aspx Enjoy! Billy Hoffman -- Lead Researcher, SPI Labs SPI Dynamics...
Posted to What's on your mind? (Forum) by Billy on 11-13-2006

» Re: Determining if a browser or a script is calling your Ajax functions

Mark, That's an interesting plan, but I see a few sticky points. While you don't explicitly say it, you need to make sure the browser only adds that header to requests that are not made by JavaScript. The reason Ajax requests look like regular requests is because the browser actually makes both of...
Posted to What's on your mind? (Forum) by Billy on 11-13-2006

» Ajax Testing Question

I have read and heard a lot of information about the new dangers related to Ajax-enabled sites. I am really interested in methods being used by the "pros" to test Ajax-heavy sites. Request modifications must happen the same way as traditional web app testing occurs. Catch the request in a proxy...
Posted to What's on your mind? (Forum) by edw on 10-18-2006