Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Web security and beyond...
My blog has moved...
My blog has moved to randomdross.blogspot.com. Please update your RSS readers, etc.
Date: 08/04/2014
Hyperlink Spoofing and the Modern Web
Over the past six months or so I’ve been looking at hyperlink spoofing threats as a bit of a...
Date: 04/26/2012
Creating XSS
I’ve seen MS10-002 pop up a few times in discussion recently. This is a reference to the...
Date: 04/25/2012
XSS Filter Tech: Later is Better?
Arcane design decisions can have subtle but important effects on the characteristics of a security...
Date: 12/20/2011
Enforcing Standards Mode with X-FRAME-OPTIONS
Reduced attack surface in Standards Mode is a good step forward for XSS-Focused Attack Surface...
Date: 06/30/2011
Fuzzing for Design Bugs?
Have you ever heard someone ask “Do we need to fuzz this?” This question comes up quite...
Date: 09/03/2010
Happy 10th birthday Cross-Site Scripting!
On the 16th of January, 2000, the following names were suggested and bounced around among a small...
Date: 12/15/2009
Current Thoughts on DNS Rebinding
RSnake and Dan Kaminsky have been talking about session fixation via DNS Rebinding. As you may...
Date: 11/17/2009
Thoughts on Legacy Character Sets
One of the things I have taken from the IE XSS Filter project is a healthy fear of legacy character...
Date: 11/03/2009
Good Bug
Credit goes to Alex "Kuza55" Kouzemtchenko for identifying a weakness in the XSS Filter OBJECT tag...
Date: 05/28/2009
The MSHTML (Trident) Host Security FAQ
I've posted a two-part FAQ addressing security considerations for apps that host MSHTML. Check it...
Date: 04/06/2009
New webappsec tools
Chris Weber's Watcher:...
Date: 03/25/2009
IE8 is here!
www.microsoft.com/ie What are you waiting for? Go get it!
Date: 03/19/2009
XSS Filter Improvements in IE8 RC1
I've just posted detail up on the SVRD Blog about some improvements and bug fixes to the XSS Filter...
Date: 01/30/2009
Video Roundup (Martin Johns and more!)
Recently I got Martin Johns connected with Helen Wang's group in Microsoft Research. Check out...
Date: 01/14/2009
ABE
Giorgio Maone's new ABE project looks pretty cool. Exposing the loose and often unnecessary...
Date: 12/20/2008
XSSDS
Björn Engelmann, Joachim Posegga, and LocalRodeo developer Martin Johns have authored an excellent...
Date: 09/30/2008
IE8 Beta 2
If you haven’t already seen, Internet Explorer 8 Beta 2 is out – go get it! Now is a good time to...
Date: 08/29/2008
IE 8 XSS Filter Architecture / Implementation revealed + some other news
I've just posted some detail on the Internet Explorer 8 XSS Filter Architecture / Implementation...
Date: 08/19/2008
IE8 XSS Filter design philosophy in-depth
It's great to see some positive reaction to the potential of our XSS Filter. Now we just need to...
Date: 07/04/2008
IE8 goes on the offensive against XSS!
IE has announced the new XSS Filter feature which will debut in IE8 Beta 2! Stay tuned to my blog in...
Date: 07/02/2008
Lead my team!
My team (SWI React) is hiring for a lead position. Details: Job Title: Lead Software Development...
Date: 05/17/2008
XSS-Focused Attack Surface Reduction
All web browsers expose what have been referred to as XSS “attack vectors” – various techniques that...
Date: 03/10/2008
The Kill-Bit FAQ - Part 1 of 3 posted to SVRD blog
Check out my ActiveX Kill-Bit FAQ which is now being posted to the SVRD blog. There are three parts,...
Date: 02/06/2008
Security Vulnerability Research & Defense blog
My team now has a blog! blogs.technet.com/swi/ I'll be contributing to the team blog in the...
Date: 12/27/2007
MashupOS
The standard IFRAME-based isolation technique for web apps is starting to show its age. We need...
Date: 09/12/2007
An innovative new defense against cross-domain vulnerabilities
Cross-domain (or “Universal XSS”) vulnerabilities have long plagued modern script-enabled web...
Date: 08/22/2007
Pinning / Rebinding / Quick-Swap DNS Links
A group at Stanford has been researching these issues and recently published Protecting Browsers...
Date: 08/03/2007
Notes on DNS Pinning
Christian Matthies has an excellent writeup on DNS Pinning (with diagrams!) If you're tuned into web...
Date: 07/09/2007
Inspect Your Gadget
Michael Howard and I have written up some guidance on how to develop secure Vista Sidebar Gadgets:...
Date: 06/26/2007
De-obfuscation using a standalone Javascript interpreter
Mark Wodrich forwarded me this Websense blog post describing how to use a standalone Javascript...
Date: 12/08/2006
eval() and document.write(), meet Execute and ExecuteGlobal
Be on the lookout for these two VBScript statements that can be used to achieve the same effect as...
Date: 11/16/2006
Recursive Obfuscation
Thanks to Jonathan Ness for pointing me to an example of a new obfuscation technique that attempts...
Date: 10/05/2006
High-bit ASCII obfuscation
Here’s another new obfuscation technique I’ve seen in use on malicious web sites recently. Check out...
Date: 10/01/2006
Code length dependent obfuscation
Wow, it’s been a long time! Hopefully I can find more time to blog over the next couple of months.In...
Date: 09/28/2006
Analyzing Browser Based Vulnerability Exploitation Incidents
I've written up a paper that describes some useful tools/techniques for deconstructing web based...
Date: 06/13/2005
Hello!
Hi! I'm David Ross and this is my work blog. As an engineer on the Microsoft Secure Windows...
Date: 06/11/2005