Simon Willison’s Weblog


6 items tagged “chris-shiflett”

2009

A rev=“canonical” HTTP Header. Chris Shiflett proposes optionally exposing rev=canonical information in an HTTP header, thus allowing sites to discover shorter URLs using just a HEAD request and removing the need to parse HTML. The pingback specification also uses this shortcut.

# 12th April 2009, 12:33 pm / chris-shiflett, head, headers, http, pingback, revcanonical

Twitter Don’t Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. This will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit.

# 12th February 2009, 7:56 pm / chris-shiflett, clickjacking, framebusting, javascript, security, twitter

2008

End of Life for PHP 4. Apparently 8/8/8 marks the end of the line for PHP 4—no new releases, no support, not even security patches.

# 8th August 2008, 11:32 pm / chris-shiflett, php, php4

2007

CSRF Redirector. Smart tool for testing CSRF vulnerabilities, by Chris Shiflett.

# 18th July 2007, 7:45 am / chris-shiflett, csrf, security

Chris Shiflett: My Amazon Anniversary. Chris Shiflett discloses an unfixed CSRF vulnerability in Amazon’s 1-Click feature that lets an attacker add items to your shopping basket—after reporting the vulnerability to Amazon a year ago!

# 16th March 2007, 10:16 am / amazon, chris-shiflett, csrf, security

2005

Chris Shiflett: Google XSS Example (via) UTF-7 is a nasty vector for XSS.

# 24th December 2005, 5:21 pm / chris-shiflett, google, security, xss