Curiouser and Curiouser
Acidus
Current Topic: Technology

And you thought O'Hare was a bad name...
Topic: Technology 9:30 am EDT, Oct 10, 2007

School: Did you really name your son Robert'); Drop Table Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.

HAHAHA! Sweet.

To be fair, you shouldn't sanitize user input, you should validate it.

update 10/11/07: Someone posted this to the webappsec mailing list.
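The comic's punchline, and the validate-versus-sanitize point above, as an added example that is not from the original post: the same "name" goes through a concatenated query and a parameterised one, and through an allow-list validator that still accepts O'Hare. The Students table, the name regex and the toy statement splitter are constructed for illustration (the splitter only knows single-quoted literals and "--" comments, enough to show what a database would be handed).

```javascript
// Allow-list of what a student name may look like: letters, apostrophes, spaces,
// dots and hyphens. O'Hare passes; a name containing ')' or ';' does not.
const STUDENT_NAME = /^[A-Za-z][A-Za-z' .-]{0,63}$/;

// Validation rejects input that does not look like the thing it claims to be.
function validateStudentName(name) {
  return typeof name === "string" && STUDENT_NAME.test(name);
}

// Vulnerable: the name is spliced into the SQL text, so it can close the
// string literal and start new statements.
function insertStudentUnsafe(name) {
  return `INSERT INTO Students (name) VALUES ('${name}');`;
}

// Correct: the SQL text is constant and the value travels as a parameter, so an
// apostrophe in O'Hare is just data and can never become syntax.
function insertStudentParam(name) {
  return { sql: "INSERT INTO Students (name) VALUES (?);", params: [name] };
}

// Constructed, minimal statement splitter: understands 'single-quoted' literals
// ('' is an escaped quote) and "--" line comments. Shows what the server sees.
function splitStatements(sql) {
  const statements = [];
  let current = "";
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inQuote) {
      current += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // escaped quote
        else inQuote = false;
      }
    } else if (ch === "'") {
      inQuote = true;
      current += ch;
    } else if (ch === "-" && sql[i + 1] === "-") {
      while (i < sql.length && sql[i] !== "\n") i++;    // skip comment to end of line
    } else if (ch === ";") {
      if (current.trim()) statements.push(current.trim());
      current = "";
    } else {
      current += ch;
    }
  }
  if (current.trim()) statements.push(current.trim());
  return statements;
}

// How many statements the database would execute for a given name.
function statementCount(name) {
  return {
    unsafe: splitStatements(insertStudentUnsafe(name)).length,
    param: splitStatements(insertStudentParam(name).sql).length,
  };
}
```

With Bobby's name the concatenated query splits into an INSERT followed by DROP TABLE Students, while the parameterised query is always exactly one statement; validation rejects the name before either query is built, but it is the parameter binding, not the regex, that makes the apostrophe in O'Hare harmless.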



Assumptions and ovens
Topic: Technology 2:05 pm EDT, Oct  8, 2007

When you give a chef a recipe, you have certain assumptions. Sure, there might not be the resources to fully bake the cake, but you assume that their oven and mixer are working.

How can you ever hope to cook a cake successfully when your oven isn't even working?

[sigh]...

If only I were talking about cake. At least with under-cooked cake you can eat the batter.


Silly airlines with their silly rules.
Topic: Technology 5:51 pm EDT, Sep  7, 2007

Compare and contrast.


One of these things is not like the other. One is a uniform women were required to wear by a company to be employed. The other is a college student who is a little trampy, as really we all are from time to time :-)

I really don't think Southwest has a well tanned and well toned leg to stand on here.



Ajax Security Acceptance: The Last Stage
Topic: Technology 1:53 pm EDT, Aug 30, 2007

We're reaching the final stage!

Now we get to AjaxWorld West 2007 and there are 5 presentations about security, and all of them look great: Brian Chess from Fortify, Joe Stagner from Microsoft, Bryan and I from SPI/HP, Danny Allen from Watchfire/IBM, and Pothiraj Selvaraj from CGE. I am absolutely floored by the turnout. And it's not just more security speakers at Ajax conferences. There are other indications that people are accepting Ajax security. We are seeing a number of books on Ajax security come out. Ajax frameworks are starting to implement security features natively. In some cases framework developers are reaching out directly to the web security companies that seem to get it. For example, SPI has been to Redmond multiple times this year working with the ASP.NET and Atlas teams. We see security vendors and consultants who were in denial about Ajax have toned down the rhetoric. Now vendors from the scanner and source code analysis spaces are joining SPI on stage this year at AjaxWorld. We've gone from a 20-something with long hair talking about Ajax security to CTOs, CEOs, and VPs spreading the message. And that is extremely satisfying.

I suppose if anything, AjaxWorld 2007 is a nice breath of fresh air. A cause SPI has been championing for nearly 2 years now is becoming more mainstream and finding acceptance in the Security and Development communities. I welcome my friendly competitors to the party, even if they were a little late and got lost along the way. :-) Because at the end of the day, more smart people working on tough problems helps everyone.



YouTube - Image Resizing by Seam Carving
Topic: Technology 12:31 pm EDT, Aug 30, 2007

A new technique shows resizing of images while keeping the important features of the image undistorted; it also allows you to protect or remove part of the image, with anything removed being automagically and seamlessly filled in.

[drools]



Spectator: Detection and containment of JavaScript worms
Topic: Technology 12:49 pm EDT, Aug 27, 2007

I got a chance to meet Ben Livshits after my web worm talk at BH, where we had a discussion about these detection techniques (and why McCabe complexity diagrams are too coarse). I'm finally getting around to reading his paper.



Wax's California Music Video
Topic: Technology 1:02 pm EDT, Aug 21, 2007

Spike Jonze rocks. As does this song.



Memestreams and HTTP Authentication
Topic: Technology 3:52 pm EDT, Aug 20, 2007

Update: Jeff feels my pain.

Here is how HTTP authentication is supposed to work:



In HTTP authentication, the browser uses a dialog box to get the user's credentials. It looks something like this.



A (perceived) downside to HTTP authentication is that web designers cannot control this dialog. Some people find this ugly, and it messes with website design and layout. As a result, many websites use what is called FORMs authentication, where the website collects a user's credentials in an HTML form and submits them to the server.

Unfortunately, Memestreams does an RFC-violating combination of the two. It responds to resources that require login with a 401, but without specifying the WWW-Authenticate header to tell the browser how to send the credentials back.

What should happen is this:

Client                          Server
            -------------->
        GET /recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 302 Redirect
        Location: /login/?returnURL=/recommend/

Client                          Server
            -------------->
        GET /login/?returnURL=/recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 200 Ok

[user fills in username/password]

Client                          Server
            -------------->
        POST /login/?returnURL=/recommend/ HTTP/1.1
        [post data with username and password]

Client                          Server
            <--------------
        HTTP/1.1 302 Redirect
        Location: /recommend/
        Set-Cookie: [set valid session cookie]

Client                          Server
            -------------->
        GET /recommend/ HTTP/1.1

Client                          Server
            <--------------
        HTTP/1.1 200 Ok


TreyChair.com - Multifunction task chairs for your desk, floor, home, or office.
Topic: Technology 12:59 pm EDT, Aug 20, 2007

Saw this today on Ars. Not sure how great it would be as an office chair (at least if you attempt to use it with a desk). But as a gamer/laptop chair, looks fairly cool.



#@x!?ing JavaScript
Topic: Technology 5:47 pm EDT, Aug 17, 2007
var c = 2;
var x = 2;

switch (x) {
    case 1:
        alert("In 1");
        break;
    case c:          // not a constant: evaluated when the switch runs
        alert("In 2");
        break;
    default:
        alert("default");
}

// alerts "In 2": the label "case c" is an expression whose value is compared to x with ===

In JavaScript you can define case blocks with expressions. ... wow... I mean... just wow.
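What "case labels are expressions" means in practice, as an added example that is not from the original post. The functions, values and the Number() dispatch helper are constructed for illustration; it goes a little beyond the post by also showing evaluation order and the strict comparison.

```javascript
// Each case label is evaluated when the switch runs and compared to x with ===.
function classify(x, c) {
  switch (x) {
    case 1:
      return "In 1";
    case c:                 // a variable, as in the post
      return "In " + c;
    case c * 2:             // any expression is allowed
      return "In " + c * 2;
    default:
      return "default";
  }
}

// Labels are evaluated top to bottom and evaluation stops at the first match,
// so a label with side effects may or may not run depending on x.
function probe(x) {
  const evaluated = [];
  const label = (v) => { evaluated.push(v); return v; };
  let hit;
  switch (x) {
    case label(1): hit = "one"; break;
    case label(2): hit = "two"; break;
    default: hit = "default";
  }
  return { hit, evaluated };
}

// The comparison is strict: a "2" read from a query string or form field never
// matches case 2, which is how input-dispatch code quietly falls into default.
// Converting first, and rejecting non-integers, is the boring fix.
function classifyFromInput(raw, c) {
  const n = Number(raw);
  return Number.isInteger(n) ? classify(n, c) : "default";
}
```

The evaluation-order point is the one that matters for review: a case label that calls a function or reads mutable state is code that runs only for some inputs, which is easy to miss when scanning a switch for constants.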

