
Lubomir Penev
Dark Nexxus S I L E N T.
|
Posted - 2011.04.11 23:24:00 -
[1]
The best part about that dev blog: it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.
|

Lubomir Penev
Dark Nexxus S I L E N T.
|
Posted - 2011.04.11 23:52:00 -
[2]
Originally by: CCP Sreegs
Originally by: Lubomir Penev
The best part about that dev blog: it's true, or at least we can't prove it false because the proofs are now offline and it won't come back online before getting the proper pen test and audit it should have had in the first place.
The blog never said there wasn't an audit. The blog also said you couldn't insert script.
I wasn't even critical, just commenting on the fact we've got no choice but to believe you, as the particular forum version will never see the light of day again.
As for the audit, that's the worrying part: if there was one, how could it miss two very classical OWASP top 10 vulns (this is actually generous, they are OWASP top 3 vulns)... It's not like the forum had so many entry points for possible XSS injection that exhaustive testing was impossible or even hard. Nobody used groundbreaking stuff to break the new toy open, it was one guy with an hour to spare and an XSS cheat sheet (the injection part). So yes, as someone that was in the field pretty recently, I wonder how the forums passed a security audit if there was one. But yes, I know sometimes the obvious escapes the prying eyes of seasoned professionals, happens to everyone, even happened to me. But the sheer amount of uncaught stuff looks odd to me.
|

Lubomir Penev
Dark Nexxus S I L E N T.
|
Posted - 2011.04.12 21:03:00 -
[3]
Originally by: Kepakh
Originally by: Kristina Vanszar
Standard HTML element, which is showing you ANOTHER website
See: iFrame
The script wouldn't be on the Forum, it would be hosted by another website, and therefore executed, but it would look like it is on the forums.
Whatever you inject into a frame still needs to be processed at CCP web server and CCP Sreegs clearly said that no script will pass, nor is there any evidence anyone has achieved that.
You're embarrassing yourself. Is it so hard if you don't know what an iframe is (which in itself means you have no right to pipe up on web security) to look it up?
|

Lubomir Penev
Dark Nexxus S I L E N T.
|
Posted - 2011.04.12 21:20:00 -
[4]
Originally by: Ranger 1
I would say the time frame for a re-launch should be determined by when the bugs are fixed and tested properly, not based on an arbitrary length of "time to heal from this traumatic (dramatic?) experience".
The word you were looking for was "hilarious".
|