Archive

Posts Tagged ‘web application security’

Password Policies

February 4th, 2009

Poor, or non-existent, password policies are leaving too many people open to attack. In fact, many companies and websites continue to require weak and insecure passwords. Yes, they require them.

I know that my bank does this. So does American Express and ING Direct. Try to enter a password with special characters. They won’t let you. Try to enter a password more than 8 characters. They don’t allow it. It is frightening, to say the least. My financial data – my money – is only secured by a combination of letters and numbers up to 8 characters long.

My typical password is at least 10 characters long and is always a combination of lower case, upper case, numbers, and at least 2 special characters.  I have been forced in many cases to use a much simpler password.

Combine that with the fact that most people use easily guessable passwords, such as their Read more…

Bryan Migliorisi, Passwords

Secure your Ajax requests: part 2

December 19th, 2008

In the previous post, Bryan showed you how to prevent a JSON payload from being rendered across domains by simply adding a string of text at the beginning of the payload that either 1) invalidates it (a script tag only executes a response that parses as valid JavaScript, so a syntax error at the start stops it before it does anything) or 2) creates an infinite loop so the rest of the script never executes.

More issues

While this is a good way to prevent an attacker from pulling information they’re not supposed to access, what about pushing information or executing commands via POST / GET? In this case it doesn’t really matter whether the attacker can read the HTTP response or not – the attacker’s request has already executed and the response (success or failure) is relatively unimportant. Any potential damage has already been done. Read more…

Mauvis Ledford, Web Security

An Introduction to Web Application Security

November 8th, 2008

When writing a web application, developers will often focus more on features and usability than anything else. Security is often an afterthought. Usually, security only becomes a concern once a vulnerability has been not only discovered, but exploited. As developers, designers and software architects, we must ensure that the security of our application is rock solid straight from conception. This is often easier said than done. Read more…

Bryan Migliorisi, Web Security