- When posting a message, explicitly state the expected origin as the second argument to postMessage rather than * in order to prevent sending the message to an unknown origin after a redirect or some other means of the target window’s origin changing.
- The receiving page should always:
  - Check the origin attribute of the sender to verify the data is originating from the expected location.
  - Perform input validation on the data attribute of the event to ensure that it’s in the desired format.
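A sender/receiver pair that follows these rules, written as an added example for this digest rather than code from the original page; the trusted origin https://app.example and the two message types are assumptions, and the receiver is a plain function so it can be exercised outside a browser.

```javascript
// Constructed example. The trusted origin and message schema are assumed.
const EXPECTED_ORIGIN = "https://app.example";

// Sender side: always pass a concrete target origin, never "*".
// targetWindow is anything with a postMessage(message, targetOrigin)
// method, e.g. iframe.contentWindow in a browser.
function sendToFrame(targetWindow, payload, targetOrigin = EXPECTED_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with a wildcard target origin");
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Receiver side: check event.origin first, then validate event.data.
// Returns the validated message, or null when the event must be ignored.
function handleMessage(event, expectedOrigin = EXPECTED_ORIGIN) {
  // 1. Origin check: exact string comparison, no substring/regex matching.
  if (event.origin !== expectedOrigin) {
    return null;
  }
  // 2. Input validation: data must be a JSON string with a known shape.
  if (typeof event.data !== "string") {
    return null;
  }
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch (e) {
    return null;
  }
  const validTypes = new Set(["setTheme", "ping"]);
  if (!msg || typeof msg !== "object" || !validTypes.has(msg.type)) {
    return null;
  }
  // Per-type field validation: only whitelisted values are accepted.
  if (msg.type === "setTheme" && !/^(light|dark)$/.test(msg.value)) {
    return null;
  }
  return msg;
}

// Browser wiring; a no-op under Node, where window is undefined.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const msg = handleMessage(ev);
    if (msg) console.log("accepted", msg);
  });
}
```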
Preventing WS-Attacks
WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today’s web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
SQL Firewall Extension for PostgreSQL
sql_firewall is a PostgreSQL extension which is intended to protect a database from SQL injections or unexpected queries.

The sql_firewall module learns queries which can be executed, and prevents/warns on executing queries which are not found in the learned firewall rule.

How it works

sql_firewall can take one of four modes specified in the sql_firewall.firewall parameter: “learning”, “enforcing”, “permissive” and “disabled”.
Net of Insecurity: A flaw in the design
“It’s not that we didn’t think about security,” Clark recalled. “We knew that there were untrustworthy people out there, and we thought we could exclude them.”
.. When they thought about security, they foresaw the need to protect the network against potential intruders or military threats, but they didn’t anticipate that the Internet’s own users would someday use the network to attack one another.
“We didn’t focus on how you could wreck this system intentionally,” said Vinton G. Cerf, a dapper, ebullient Google vice president who in the 1970s and ’80s designed key building blocks of the Internet. “You could argue with hindsight that we should have, but getting this thing to work at all was non-trivial.”
.. Computers in that era were huge, costly behemoths that could fill a room and needed to serve multiple users at the same time. But logging on to them often required keeping expensive telephone lines open continuously even though there were long periods of silence between individual transmissions.
Davies began proposing in the mid-1960s that it would be better to slice data into pieces that could be sent back and forth almost continuously, allowing several users to share the same telephone line while gaining access to a remote computer.
.. As the ARPANET developed in its first years, soon connecting computers in 15 locations across the country, the key barriers were neither technological nor AT&T’s lack of interest. It simply wasn’t clear what the network’s practical purpose was. There was only so much file sharing that needed to be done, and accessing computers remotely in that era was cumbersome.
.. Debate remains, however, about whether widespread use of encryption was feasible in the early days of the Internet. The heavy computing demands, some experts say, could have made TCP/IP too difficult to implement, leading to some other protocol — and some network other than the Internet — becoming dominant.
“I don’t think the Internet would have succeeded as it did if they had the [encryption] requirements from the beginning,” Johns Hopkins cryptologist Matthew Green said. “I think they made the right call.”