Cross-Site Scripting vulnerability with JavaScript and JQuery

Think you've protected your site against Cross-Site Scripting attacks by escaping all the content that you've rendered? Thought about your JavaScript? Here's a neat bug that got us today. This example is contrived to show a point.

    <!DOCTYPE html>
    <html>
    <head>
      <meta charset="utf-8">
      <title>XSS Example</title>
      <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
      <script>
      $(function() {
        $('#users').each(function() {
          var select = $(this);
          var option = select.children('option').first();
          // option.text() returns the decoded label (the raw "<script>..." text),
          // and .after() parses a string argument as HTML, so a script element is
          // created and executed. The server-side escaping is undone right here.
          select.after(option.text());
          select.hide();
        });
      });
      </script>
    </head>
    <body>
      <form method="post">
        <p>
          <select id="users" name="users">
            <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
          </select>
        </p>
      </form>
    </body>
    </html>

See the problem?...
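To make the failure concrete, here is an added example (not code from the original post) that models the two steps in plain JavaScript and shows two fixes. `decodeEntities` is a stand-in for what jQuery's `.text()` returns (the browser's already-decoded text node content); `ESCAPED_LABEL` is the option label from the page above, constructed inline; `replaceSelectWithLabel` is a hypothetical browser-only helper name chosen for this example. The string-level functions run in Node as well as in a browser.

```javascript
// Added example: why option.text() followed by .after() re-opens the XSS, and how to close it.
// Assumptions are marked; decodeEntities models .text(), it is not jQuery code.

// Minimal entity decoder covering what a server-side HTML escaper emits.
// jQuery's .text() returns the DOM text node content, i.e. text that is already decoded
// exactly like this, so the escaping applied when rendering the page is gone.
function decodeEntities(markup) {
  return String(markup)
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)))
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;" and not "<"
}

// Escaper for the case where you really must hand a string to an HTML-inserting method.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: the server-escaped option label from the page above.
const ESCAPED_LABEL = '&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;';

// What the vulnerable handler passes to select.after(): the decoded text.
// .after() parses a string argument as HTML, so the script element is created and run.
function vulnerableMarkup(escapedLabel) {
  return decodeEntities(escapedLabel);
}

// Fix 1: re-escape before handing the string to an HTML-inserting method.
function hardenedMarkup(escapedLabel) {
  return escapeHtml(decodeEntities(escapedLabel));
}

// Check used below: would an HTML parser see a script element in this string?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Fix 2 (preferred): never build markup from the text at all; insert a text node.
// Browser-only helper (hypothetical name); insertAdjacentText never parses its argument.
function replaceSelectWithLabel(select) {
  const option = select.querySelector('option');
  const label = option ? option.textContent : '';
  select.insertAdjacentText('afterend', label);
  select.style.display = 'none';
}

// Stand-alone demonstration when run outside a browser (e.g. node xss-demo.js).
if (typeof document === 'undefined') {
  console.log('vulnerable inserts:', vulnerableMarkup(ESCAPED_LABEL));
  console.log('hardened inserts: ', hardenedMarkup(ESCAPED_LABEL));
}
```

In jQuery terms the second fix is `select.after($('<span>').text(option.text()))`: build the element first and set its content with `.text()`, so nothing the user controls is ever handed to an HTML parser. The same rule covers `.html()`, `.append()`, `.prepend()` and `.before()`, all of which treat a string argument as markup.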

Testing anti-patterns for developers

I've been saving this rant for a while now: 1. Test everything at the front-end, in exquisite detail - every project sponsor understands what tooltip 0 really means. Also a great idea if you like long-running and fragile tests that require deployments, browsers, testing frameworks and the kitchen sink. Testing at different layers, and perhaps even without a browser or (in Java) a servlet container, is for the weak. 2. Perform a database cleanup before and after every test, whether it needs to be done or not....

JPasskeep and Command-Q on Mac

I've released a new version of my long-running password keeper application: JPasskeep. This new release is now able to handle a Command-Q keystroke on the Mac, giving a user (i.e. me) a chance to save any updated entries. No more mousing around to close a window. The actual mechanism to do this was to reflectively call Apple's EAWT application classes to allow me to register the correct event listener. Hmm, run anywhere with Java GUI apps....

Asynchronous HTML and HTTP

This post is to remind me that the next time that I am asked to consider using AJAX on a project to actually have a more careful think about the project's design and user interaction requirements. If I take the time to look at what I really need to retrieve dynamically then will AHAH do a better job more simply than AJAX & DOM manipulation? Will it make my application easier to test?...

JPasskeep Update

Just finished a new version of my long-running password keeper application. You can download the cross-platform version, the Mac DMG image, and the source code. New changes include the ability to export entries to an encrypted HTML page (see my previous post on JavaScript cryptography) and bundling the cross-platform version as a single JAR file using one-jar. As usual this version does not rely on javax.crypto APIs to function, so it should work wherever a JDK 5-compatible VM can run....

Javascript Cryptography on the iPhone

How can I store my list of passwords on an iPhone or iPod Touch? This is the question that I attempted to solve as I geeked out over the weekend. I know I can buy an application like 1Password and sync between a laptop and an iPhone, but I already have a pretty good password manager (since I wrote the one I use years ago). After a bit of research I came up with a few possibilities: create an iPhone app to sync with my password manager, create an encrypted bookmarklet (this is the way 1Password used to export passwords to the iPhone), or create an HTML page which will alter its own structure after I enter a password....