Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

Net, 131
HTML injections in, 42
on .Net Framework, 131
in SQL, 7
for user-supplied data, 49
for XSS, 50
Escaping, 8, 50, 120
Esser, Stefan, 31, 227
eval() (JavaScript), 84
_EVENTVALIDATION field, 129
Excel (Microsoft), 198
Executables, 204
expires (cookie), 27
Exposures:
  in SAJAX, 185–186
  in Web 2.0 migration, 191–193
Extensible Stylesheet Language Transformations (XSLT), 116
External entities (XML), 13
eXternal entity injection attacks (see XXE injection attacks)
ExternalInterface (Flash), 30, 43, 224
F
Financial systems, 46
FireFox:
  NoScript plug-in, 141
  ports in, 97
  WebDeveloper Add-On, 160, 163–164
Flare, 228–229
Flash applications, 224–242
  client-side, 229
  and cookies, 43
  cross-domain, 73
  cross-domain actions in, 224
  DNS rebinding, 237–241
  GET method in, 224
  hacking tools for, 227–241
  HTML injection attacks in, 232
  for HTML injections, 43–44
  images in, 232, 233
  JavaScript vs., 43
  and MIME types, 31, 43
  open security policies of, 225
  securing, 236–237
  security policy reflection attacks on, 225–226
  security policy stored attacks on, 226–227
  tools for, 227–241
  XSF in, 234–235
  XSS in, 229–234, 236
Flash security model, 30–31, 224–227
Form control properties, 126–127
Fuzzing, 214
G
GET method, 81
  in Flash, 224
  and XHR, 104
  (See also HTTP GET)
Get/Set convention, 199
getURL():
  Cross-Site Scripting with, 230–231
  in Flash, 224
GIF images:
  file comments for, 227
  insecure policies on, 31
Google, and web site traffic, 141
Google Web Toolkit (GWT), 154, 181–183
  and custom serialization, 152
  installation, 181–182
  and Java applications, 190
  and JSON, 183
  unintended method exposure, 182–183
Grossman, Jeremiah, 84, 95, 97
GWT (see Google Web Toolkit)
H
Hardenedphp.