Showing results for tags 'policy'.
The same origin policy is an important concept in the web application information security domain. Under this policy, a web browser allows scripts contained in a first web page ‘A’ to access data and resources in a second web page ‘B’ only if both pages have the same origin. An origin is defined as the combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page’s DOM (document object model). Let’s consider one example in a physical world scenario. Imagine a school wh
SOP Bypassing in Safari
To help you understand better, http://httpsecure.org and file://httpsecure are treated as different origins. The Safari browser (iOS and Mac) version 6.0.2 does not enforce the same origin policy when accessing a local resource. When an attached HTML file is opened using the file scheme, the JavaScript code contained within can bypass the SOP and start two-way communication with different origins. Consider the following page: <html> <body> <h1> I'm a local file loaded using the file:// scheme </h1> <script> xhr = new X
Document Title:
===============
Ebay Inc Xcom #7 - (Policy) Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1228

Release Date:
=============
2015-03-25

Vulnerability Laboratory ID (VL-ID):
====================================
1228

Common Vulnerability Scoring System:
====================================
4

Product & Service Introduction:
===============================
eBay Inc. is an American multinational internet consumer-to-consumer corporation, headquartered in San Jose, California. It was founded by Pierr
US Used Zero-Day Exploits Before It Had Policies for Them
Aerosol posted a topic in Stiri securitate
Around the same time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation. The document, found among a handful of heavily redacted pages released after the civil liberties group sued the Office of the Director of National Intelligence to obtain them, sheds light on the backstory behind the development of the government’
Google’s unwavering vulnerability disclosure deadlines are the latest chapter in a decades-long debate about how to best inform affected users that there’s a security problem with their software. Since the start of the year, Google’s 90-day clock has most notably ticked down to zero on a trio of flaws in Microsoft products and two others in Apple’s OS X. And upon doing so, Google’s researchers shared with the world technical details and proof of concept code for each vulnerability. Proponents of Google’s policy will argue that 90 days is plenty of time for a vendor to address a “responsibly” d
CSP Is Awesome
Content Security Policy Header Generator
What is Content-Security-Policy? A mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Oh, and it’s awesome.
So why the different headers? Since the spec is still a draft, Firefox is using X-Content-Security-Policy and WebKit (Chrome, Safari) is using X-WebKit-CSP. Once the spec is locked down they’ll move to a canonical header.
What does it look like? Here are some examples borrowed directly from the Working Draft 1.0 document. Example 1: A server wishes