http://www.tetraboy.com/ TetraBlog - Five nines of awesome. en Serendipity 1.1.2 - http://www.s9y.org/ Wed, 10 Mar 2010 13:30:41 GMT http://www.tetraboy.com/templates/default/img/s9y_banner_small.png http://www.tetraboy.com/ 100 21 http://www.tetraboy.com/archives/5-Twitter-Clickjacking-Attack.html#c913 http://www.tetraboy.com/archives/5-Twitter-Clickjacking-Attack.html#comments http://www.tetraboy.com/wfwcomment.php?cid=5 nospam@example.com (Jeff Jones) As a followup, twitter has since changed tactics from frame busting to blanking the page if it's detected to be running in frames. It looks like the new fix would be harder to override in JS, though there are possible ways around it via hanging javascript or timing attacks, but it's much better than the frame busting. This clickjacking still works on browsers without javascript!<br /> <br /> I would still prefer a server-side method such as "site-specific captcha" for lack of a better term. This would only need to be used in cases of a pre-populated form without valid tokens. Standard tweets and replies could be excepted from it. Fri, 13 Feb 2009 13:48:31 -0600 http://www.tetraboy.com/archives/5-guid.html#c913 http://www.tetraboy.com/archives/4-7-things-you-didnt-know,-or-want-to-know,-about-me..html#c847 http://www.tetraboy.com/archives/4-7-things-you-didnt-know,-or-want-to-know,-about-me..html#comments http://www.tetraboy.com/wfwcomment.php?cid=4 nospam@example.com (Tetraboy) I did include "popular" name for a bit of CYA.. I believe I found out about it back around 2001-2002. So while there may have been a name for it, it really wasn't as widely known as it is today. Sun, 04 Jan 2009 12:15:17 -0600 http://www.tetraboy.com/archives/4-guid.html#c847 http://www.tetraboy.com/archives/4-7-things-you-didnt-know,-or-want-to-know,-about-me..html#c846 http://www.tetraboy.com/archives/4-7-things-you-didnt-know,-or-want-to-know,-about-me..html#comments http://www.tetraboy.com/wfwcomment.php?cid=4 nospam@example.com (Chris Shiflett) CSRF was being talked about over 7 years ago:<br /> <br /> http://www.tux.org/~peterw/csrf.txt<br /> <br /> It was talked about in php|architect over 5 years ago:<br /> <br /> http://shiflett.org/articles/foiling-cross-site-attacks<br /> <br /> Are you sure you discovered it before it had a name? Sun, 04 Jan 2009 11:22:30 -0600 http://www.tetraboy.com/archives/4-guid.html#c846 http://www.tetraboy.com/archives/3-Arrays-are-Objects-are-Functions-are-Objects.html#c845 http://www.tetraboy.com/archives/3-Arrays-are-Objects-are-Functions-are-Objects.html#comments http://www.tetraboy.com/wfwcomment.php?cid=3 nospam@example.com (Tetraboy) Thanks Remi. That post was over a year old. I meant to write a followup saying how I did eventually figure out Javascript, but I never got around to it. Sat, 03 Jan 2009 20:27:59 -0600 http://www.tetraboy.com/archives/3-guid.html#c845 http://www.tetraboy.com/archives/3-Arrays-are-Objects-are-Functions-are-Objects.html#c843 http://www.tetraboy.com/archives/3-Arrays-are-Objects-are-Functions-are-Objects.html#comments http://www.tetraboy.com/wfwcomment.php?cid=3 nospam@example.com (Remi Woler) Arrays are <strong>not</strong> objects in javascript. You have simple types, arrays, and objects. The fact that you can access object variables the way you access arrays in PHP doesn't mean it's suddenly an array. For a very clear description on Arrays and JSON (Objects), you might want to check out [url="http://www.hunlock.com/blogs/Mastering_Javascript_Arrays"]hunlock.com[/url]. This site has taught me the differences, and how to work with them, and I still use it every now and then as a quick reference. (Hint: keywords "mastering javascript [arrays|json] brings this site as #1 result in google) Sat, 03 Jan 2009 16:28:55 -0600 http://www.tetraboy.com/archives/3-guid.html#c843