I did not say that the whitelist should automatically include every signed executable, but that the job of the whitelist (identifying the process...
So your argument is just that "whitelisting is impossible". My logic is unattackable, if you accept the premise of this whole thread: if you're...
You're ignoring the condition I prepended to my statement: "if you really have full control on the list of programs which are allowed to run"....
If by "having a whitelist" you mean that your system's setup allows only the programs "known to be good" in that whitelist to run, there's no...
Right. Wrong. No browser "has it" yet. Only NoScript provides very effective anti-XSS protection. It's so effective that IE8 will "borrow"...
Re: [Split Topic] XSS sample using ZA link: They fixed it when this topic was linked by NoScript's author in a Slashdot post, and this PoC...
Work-around: NoScript.
Have you got "block JavaScript" on pcworld.com among Proxomitron filters? This may be the most likely reason why Proxomitron prevents the page...
Short explanation: cache(s). Long explanation: this specific web page is heavily cached on more than one level (web site's...
Could you try to forcibly bypass caches with Shift+F5 (don't just clean your cache, you may need to invalidate also intermediate caches)? After...
What links? The ZoneAlarm hole and the first PC World one have been fixed (the former after one month at least of exposed vulnerability, the...
Of course it cannot, you're right. Sandboxing works around your browser: it controls the interaction of the browser with your local filesystem,...
That's not the point. The vast majority of websites are vulnerable. Whatever the attacker decides to do with your browser on the vulnerable...
Edited above, thanks... strange, I copied & pasted the code from the "Manage attachment" section, exactly as I've done now ???
In page loading, seemingly. Are you sure you've got JavaScript enabled? Maybe you're seeing cache? This is what I get on Opera 9.21: [ATTACH]
Because Opera is SLOW ;D The "trick" is set to be done after the page finishes loading completely (including images and other objects), and your...
Yes, really. If you're picky, "interact with MySpace impersonating the victim", AKA "session riding". Anyone browsing MySpace with JavaScript...
This article is still very interesting and full of common sense... ::) Don't get me wrong, PC World's guys are proving to be smart and...
PC World's arguments are deeper than they seem, after all... [EDIT]: Looks like the smart guys at PC World have fixed it. But it won't last...
/me giggles ;D This is the part I love most: Normally... ::) Latest blog entry by Robert Hansen AKA RSnake (quoted by the PC World's...
To avoid what, exactly?
You got the point :thumb: On the site you're directed to, that we were assuming is trusted. To maximize the chances, a malicious web page...
Sorry, I did not specify (I wrongly assumed my iframe sample was clear enough): provided that at least one "trusted" site exists which has...
You should, because I've just shown you how to silently exploit any JavaScript related browser vulnerability (isn't that the original topic, after...
Rich, I'm not sure, what do you mean here? Do you mean that reputable sites are immune from XSS vulnerabilities? Or that smart people do not...