| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 08 Nov 2008 18:21:13 +0200 From: Amit Klein <aksecurity@...il.com> To: fcorella@...cor.com Cc: websecurity@...appsec.org, bugtraq@...urityfocus.com Subject: Re: [WEB SECURITY] countermeasure against attacks through HTML shared files There's a very short reference from May 2007 to the concept of using different hostnames to protect against XSS: See Brian Eaton's post to WebSecurity mailing list, May 18th, 2007, titled "Re: [WEB SECURITY] How to avoid XSS into PDF Files, using java". http://www.webappsec.org/lists/websecurity/archive/2007-05/msg00087.html fcorella@...cor.com wrote: > Hello, > > I wanted to announce a Pomcor white paper that > looks at attacks through HTML shared files in Web > applications and proposes a countermeasure. These > are essentially XSS attacks, but the usual > defenses against XSS are typically not available, > because shared files cannot be sanitized. > > The paper is available at: > > http://www.pomcor.com/whitepapers/file_sharing_security.pdf > > I have not been able to find much prior work. > What I've found is discussed in Section 2 of the > paper. If I've missed something, please let me > know. > > Thanks, > > Francisco Corella > > > > > ---------------------------------------------------------------------------- > Join us on IRC: irc.freenode.net #webappsec > > Have a question? Search The Web Security Mailing List Archives: > http://www.webappsec.org/lists/websecurity/archive/ > > Subscribe via RSS: > http://www.webappsec.org/rss/websecurity.rss [RSS Feed] > > Join WASC on LinkedIn > http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > >
Powered by blists - more mailing lists