Comments on: Cross Context Scripting with Sage http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/ Information Security Think Tank Fri, 21 Nov 2008 21:31:50 +0000 http://wordpress.org/?v=2.6.3 By: GNUCITIZEN » Firebug Goes Evil http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-12721 GNUCITIZEN » Firebug Goes Evil Wed, 04 Apr 2007 19:12:43 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-12721 [...] Unfortunately, Firebug suffers from rather simple but quite dangerous vulnerability. I have discussed the issues that browsers like Firefox, Opera, IE and Safary face these days on this web site. In general, these browsers try their best to prevent common vulnerabilities from crippling into their source code. However, that’s not the case with browser extensions. Very often, browser extension authors do not consider the security aspects of their work that much. Because of this, vulnerabilities occur. Believe me or not, the next wave of browser attacks will target exactly that. [...] [...] Unfortunately, Firebug suffers from rather simple but quite dangerous vulnerability. I have discussed the issues that browsers like Firefox, Opera, IE and Safary face these days on this web site. In general, these browsers try their best to prevent common vulnerabilities from crippling into their source code. However, that’s not the case with browser extensions. Very often, browser extension authors do not consider the security aspects of their work that much. Because of this, vulnerabilities occur. Believe me or not, the next wave of browser attacks will target exactly that. [...]

]]> By: Peter Andrews http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-175 Peter Andrews Tue, 03 Oct 2006 06:13:53 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-175 This issue has now been addressed with the release of Sage 1.3.7 http://mozdev.org/bugs/show_bug.cgi?id=15101 Thanks for your concern. This issue has now been addressed with the release of Sage 1.3.7

http://mozdev.org/bugs/show_bug.cgi?id=15101

Thanks for your concern.

]]> By: A Thornton http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-72 A Thornton Fri, 15 Sep 2006 10:05:23 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-72 Look at how long this bug has been open - probably not a good sign: http://mozdev.org/bugs/show_bug.cgi?id=13744 Look at how long this bug has been open - probably not a good sign:

http://mozdev.org/bugs/show_bug.cgi?id=13744

]]> By: firefox extensions » Blog Archive » Cross-site scripting attacks via Sage Firefox Extension. http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-68 firefox extensions » Blog Archive » Cross-site scripting attacks via Sage Firefox Extension. Tue, 12 Sep 2006 21:06:14 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-68 [...] Theres a proof of concept feed demo at this URL. [...] [...] Theres a proof of concept feed demo at this URL. [...]

]]> By: pdp http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-65 pdp Mon, 11 Sep 2006 15:15:42 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-65 Thanks Robert, the slides are quite good Thanks Robert, the slides are quite good

]]> By: robert http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-64 robert Mon, 11 Sep 2006 12:57:38 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-64 Hello I am the author of the whitepaper, and blackhat presentation of which you speak. The slides to my talk can be found below. RSS Slideshow http://www.cgisecurity.com/papers/RSS-Security.ppt RSS Security Repository http://www.cgisecurity.com/rss/ Hello I am the author of the whitepaper, and blackhat presentation of which you speak. The slides to my talk can be found below.

RSS Slideshow
http://www.cgisecurity.com/papers/RSS-Security.ppt

RSS Security Repository
http://www.cgisecurity.com/rss/

]]> By: pdp http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-57 pdp Sat, 09 Sep 2006 06:13:39 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-57 Although the original feed works in my browser, using the send method the way you are suggesting is more accurate so I fixed the feed. Thanks for that. Although the original feed works in my browser, using the send method the way you are suggesting is more accurate so I fixed the feed. Thanks for that.

]]> By: Operation n » Blog Archive » Cross Context Scripting with Sage http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-56 Operation n » Blog Archive » Cross Context Scripting with Sage Sat, 09 Sep 2006 05:52:49 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-56 [...] See GNUCITIZEN more proof of concept example. [...] [...] See GNUCITIZEN more proof of concept example. [...]

]]> By: Jürgen R. Plasser http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/#comment-55 Jürgen R. Plasser Fri, 08 Sep 2006 21:23:04 +0000 http://www.gnucitizen.org/blog/cross-context-scripting-with-sage#comment-55 The feed did not work for me, so I looked closer and saw that request.send() throughs exceptions (which try catches). I simply added null as parameter to send: request.send(null). Then it worked. The feed did not work for me, so I looked closer and saw that request.send() throughs exceptions (which try catches). I simply added null as parameter to send: request.send(null). Then it worked.

]]>