Monday, June 24, 2013

Three Entry Points for Cross-Site Scripting



Cross-site scripting (XSS) can be more of an annoyance than a serious threat in some instances. However, there are circumstances where XSS is used for malicious purposes, where hackers may easily exploit your information and wreak havoc. This can be especially dangerous to your sensitive data if your website contains vulnerabilities that welcome exploits.

According to a Symantec report, 84 percent of the security vulnerabilities the company documented in 2007 were attributed to XSS on websites, and it concluded that at least 68 percent of existing websites that year were vulnerable to XSS attacks.

It is good practice for developers and testers to be fully aware that every one of your data entry points could be targeted for an XSS attack. Web applications are at high risk of malicious actions such as the:

  • Hijacking of user accounts
  • Access to sensitive data and ability to modify that data
  • Bypassing of controls for access
  • Presentation of fraudulent content

The Most Common Entry Point

Session cookies are the most common way that XSS is used to exploit user information. A session cookie is used to store the user’s identity while logged into a website. If another site is opened while the user is logged into the first website and XSS is present, the second website could hijack the session cookie from the first. The hijacker would be able to load that session cookie in their own browser and use it to impersonate the user on the initial website. Depending on the nature of the website the session cookie was hijacked from, the results could be very damaging.

Examples include:

  • If the user is logged into a banking website, the hacker could use the session cookie to impersonate the user and conduct transactions that will remove cash from the user’s bank account.
  • Payment details stored on shopping sites can be accessed, allowing the hacker to make purchases with that information.

Additional XSS Entry Points for Web Applications

Forms. Web forms such as login forms, if improperly coded, can be vulnerable to XSS. If the hacker takes advantage of this vulnerability and injects a script into the login form, the script will send them the user’s password, giving the hacker access to the user’s account, where changes or purchases could be made.

Examples include:

  • If a login form is compromised for a shopping website, a hacker could then impersonate the user and make purchases using whatever pre-stored means of payment are entered into the account.
  • With so many users neglecting to follow the best practices with password security, the hacker could potentially access many different websites just by assuming that the credentials for each are the same.

URLs. If a hacker sends a user an email containing what appears to be a legitimate URL, that URL could in fact carry a malicious script embedded within it. Once the user has been lured to the legitimate site, they log in and the script sends the session cookie to the hacker.

Examples include:

  • An attack such as this can also be attributed to postings on social networking websites. The hacker could post a message with XSS code hidden within it. An unsuspecting user clicks on the URL and their information is sent to the hacker who can then steal their credentials and make changes to their account.
  • The hacker could impersonate the user and post messages on social network websites that are malicious in nature, possibly resulting in the user being banned from the website.

Best Ways to Avoid XSS Attacks

By identifying vulnerabilities for XSS attacks on your websites, you are taking the first step toward preventing and mitigating the problems that could result. Developers can reduce their risk of XSS attacks by adopting the following practices:

  • Encoding output: HTML-encode user-supplied data before it is rendered, so that characters such as < and > cannot form markup.
  • Avoiding inserting user-controlled data into script code, and reducing the amount of HTML that users are allowed to submit.
  • Using server-side validation to detect requests containing malicious exploits.
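The session-cookie theft described under "The Most Common Entry Point" and the three practices listed above, worked through as an added JavaScript (Node.js) example that is not part of the original post. The function names, the sample payload and the session id are this example's own constructed assumptions; the encoder covers element bodies and quoted attributes, not script or URL context, which is exactly why the second practice says to keep user data out of script code. The HttpOnly cookie flag is the caveat a practitioner adds to the session-cookie section: it does not fix the XSS, but it keeps an injected script from reading the cookie.

```javascript
// Added example, not code from the original post: output encoding, a
// vulnerable rendering beside its hardened form, a server-side detection
// heuristic, and a session cookie that injected script cannot read.
// All function names and sample values below are this example's assumptions.

// HTML-encode the five characters that let text break out of an element
// body or a double/single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the value is concatenated straight into the markup,
// so a name containing a <script> tag becomes executable code in the page.
function renderGreetingUnsafe(name) {
  return `<p>Welcome back, ${name}</p>`;
}

// Hardened rendering: same template, but the value is encoded on output, so
// the browser shows the tag as literal text instead of executing it.
function renderGreetingSafe(name) {
  return `<p>Welcome back, ${encodeHtml(name)}</p>`;
}

// Server-side detection heuristic for request parameters: URL-decode, then
// look for the shapes XSS payloads usually take. This is an aid for logging
// and alerting; it has gaps, so output encoding remains the real fix.
function looksLikeScriptInjection(value) {
  let decoded = String(value);
  try {
    decoded = decodeURIComponent(decoded);
  } catch (_err) {
    // Malformed %-escape: inspect the raw value rather than failing open.
  }
  return /<\s*script|javascript\s*:|\bon[a-z]+\s*=/i.test(decoded);
}

// Set-Cookie value for the session: HttpOnly keeps the cookie out of reach
// of document.cookie, Secure keeps it off plain HTTP, SameSite limits
// cross-site sending. An injected script can then no longer exfiltrate it.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('session id must be an opaque random token');
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample inputs: a benign name, a reflected-script payload as it
// might arrive in a query string, and a placeholder session id.
const SAMPLE_NAME = 'Alice';
const SAMPLE_PAYLOAD = '%3Cscript%3Ealert(1)%3C%2Fscript%3E';
const SAMPLE_SESSION_ID = 'c3VwZXJyYW5kb21zZXNzaW9u'; // placeholder token

if (typeof require !== 'undefined' && require.main === module) {
  const decoded = decodeURIComponent(SAMPLE_PAYLOAD);
  console.log('unsafe :', renderGreetingUnsafe(decoded));
  console.log('safe   :', renderGreetingSafe(decoded));
  console.log('flagged:', looksLikeScriptInjection(SAMPLE_PAYLOAD));
  console.log('benign :', looksLikeScriptInjection(SAMPLE_NAME));
  console.log('cookie :', sessionCookieHeader(SAMPLE_SESSION_ID));
}
```

Run it with `node` to see the same payload rendered both ways: the unsafe output contains a live `<script>` element, the safe output contains `&lt;script&gt;` text. The detection function only decodes once; a payload that is double-encoded by the attacker and decoded twice by the application would slip past it, which is the usual reason such heuristics are kept for alerting rather than as the sole defence.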

XSS is more common than many users realize, with vulnerabilities discovered even across major brands. Developers using sound XSS practices and thoroughly testing for vulnerabilities save end users from the potentially devastating effects of an attack via XSS.


Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company specializing in secure software supply chain and other security breaches with effective risk assessment tools like secure software supply chain toolkit.

Saturday, June 22, 2013

Know more about OS X Mavericks -1



Apple took advantage of the opening keynote of WWDC 2013, held in San Francisco, to introduce OS X Mavericks, the successor to Mountain Lion. This new version, named after a famous surfing spot in California, does not change as much as iOS 7 does on mobile devices, but it brings some significant new features. OS X 10.8 was clearly aimed at novices with its features inherited from iOS: the system tried to ease the transition from iPhone to Mac for those who knew nothing about traditional computing. Launchpad presented applications as on an iPhone or iPad, the applications themselves borrowed the mobile system's interfaces, and Apple simplified moving from one system to the other with better iCloud integration. OS X Mavericks instead tries to win over more advanced users, those who already know how to use a computer in general, and a Mac in particular, and want to go further. Requested by many users, tabs are appearing in the Finder. The OS X file manager can now open several folders in the same window by creating tabs. The operation is the same as in a browser, with the same shortcuts: create a tab with ⌘ T, close one with ⌘ W (you must now press ⌘ ⇧ W to close the window, unless of course no tab is open).


You can also open a folder in a new tab using the secondary click: a new item appears in the Finder's contextual menu. As in a browser, you can also double-click a folder while holding down ⌘ and it opens in a new tab. The Finder in OS X 10.9 also offers all the usual tab-management functions: ctrl ⇥ and ctrl ⇧ ⇥ show the next and previous tab, you can drag a tab out of the current window to create a new window, move tabs within a window, or merge all windows into a single tabbed window. A secondary click on the tab bar shows, unsurprisingly, further options such as closing all tabs except the current one.


Another novelty in the Finder of version 10.9 is tags. It is not so much a new function as a new interface for something that has long existed in OS X but was rarely used. Until now Apple talked about labels; OS X Mavericks uses the English word 'Tags'. The principle is the same: you can assign each folder or file a keyword and, optionally, a color, and the system then gives you several ways to find all the items associated with the same keyword. By default, OS X Mavericks creates seven tags, one for each color. They are simply named after their color, but nothing prevents you from changing the names and colors of the tags in the Finder preferences. You can then attach a tag to a file or folder through the contextual menu, through the new icon in the Finder toolbar (below) or by dragging and dropping the item onto the sidebar. Through the icon, you can also create a new tag.


The Finder sidebar already offered quick access to some folders, to machines on the network and to local volumes; it now gets the tags as well. You can drag items onto a tag to associate them with it, as mentioned, but this section can also display all the items associated with a particular tag. Search will support these tags, but this feature does not seem active in the first OS X Mavericks beta. What does work, however, is the integration of tags directly into applications' dialogs. Here, for example, a text editor's save dialog has a 'Tags' field between the file name and its location on the storage volume. This field is used both to select an existing tag and to create a new one. Lastly, the area dedicated to iCloud documents in each application also integrates tags and has an extra button at the bottom to add one. As everywhere in the Finder, the color is more discreet and now appears only as a small dot. Incidentally, list views now bring the name of the active column forward, with the others grayed out.

7 Most Useful Web Browser Functions for Web and Graphic Designers



Both web designers and graphic designers rely on browsers not only to find and source information, files and ideas, but to test their designs in real-world settings to ensure maximum functionality for users. Usability is one of the most essential aspects of web design—after all, if users have a difficult time navigating or loading a site, they’re likely to bounce. Fortunately, today’s browsers offer some advanced features useful for both web and graphics professionals.

1. Drag-and-Drop Search

You know what you’re looking for when you browse the web, or you at least have a general idea. Spending extra time to open a new search tab and type in what you’re looking for isn’t an efficient use of your resources. That’s why browsers with drag-and-drop search functionality are ideal for graphic designers. Find something you want to know more about on one site, and simply drag and drop links, words and even photos to relevant titles to find what you’re looking for without wasting a second.

2. Torrent Capabilities

When you’re searching for a source file online, such as an open-source software application, you don’t have a lot of time to spend downloading files. Browsers with built-in torrent capabilities make downloading photos, videos and other files a breeze. With a built-in torrent client, you can manage your downloads directly within your browser, with no need for a separate download application.

3. Speedy Downloading

A built-in torrent is great, but not ideal if it’s not any faster than standard downloading practices. Don’t waste your precious time waiting for endless downloads. Choose a browser with accelerated download speeds so you can stay on task instead of frustratingly tapping your fingers on the mouse while you wait.

4. Easy Media-Grabbing Capabilities

Web designers are often grabbing media from the net. Embedding videos from other sources is commonplace in today’s rich-media Internet environment, both on standard websites and on social media. Designers are tasked with sourcing media, revamping it when necessary and appropriate, reformatting it for compatibility and embedding those files online. The whole process can take quite a bit of time. Browsers with media-grabbing capabilities make the designer's job much simpler, enabling them to pull media files from the web with a single click.

5. Seamless Sharing Functionality

While social sharing isn’t necessarily a core component of a web or graphic designer’s job, these professionals like to interact with their social networks just as much as anyone. In the course of a day’s work, you might come across dozens of articles you find interesting and want to read later—or just something you feel is worthy of a share. Instead of letting distraction take you from the task at hand, a browser with built-in social sharing features lets you share the content you find most intriguing without taking you into full distraction mode.

6. Easy Bookmarking

Bookmarking is a pretty commonplace browser function, but some are more usable than others with streamlined organization capabilities. Graphic and web designers rely on a variety of resources online, including blogs with coding shortcuts, tutorials and other information that helps you create the best results for your clients or your employer. Browsers with functional, easy-to-use and easy-to-navigate bookmarking functions make the task of organizing all those favorite resources much simpler.

7. Maximum Browsing Security

As a web or graphic designer, you likely have access to pertinent data about your clients. Whether that means top-secret branding initiatives or financial payment data, you don’t want any of that information to leak into the wrong hands. That’s why a top-notch browser with maximum security is critical—not just for you, but for your clients and your reputation.

Web and graphic designers love technology. Modern web browsers provide advanced functionality that benefits tech-savvy career professionals. Browser functions serve to both streamline job functions and to satisfy the tech lover’s lifestyle demands.


Kathleen Martins is a tech writer for various businesses including TorchBrowser; you can download torrent files with TorchBrowser.com.

Thursday, June 20, 2013

MacBook Air 2013 which is best with core i5 or i7?


With the 2013 MacBook Air, Apple offers an optional dual-core Intel Core i7 processor at 1.7 GHz with Turbo Boost up to 3.3 GHz. This option costs € 150. Meanwhile, Macworld published tests to determine the processor's impact on the battery life of Apple's ultraportable. Compared to the standard model, a 1.3 GHz Core i5, the difference is almost zero in the video playback test: the standard MacBook Air lasts 8 hours and 18 minutes, while the Core i7 model stops after 8 hours and 7 minutes.

With PeaceKeeper, a tool that stresses the processor much harder, the gap is much larger: 5 hours 45 minutes for the standard model against 4 hours 35 minutes for the Core i7 model. That score may seem disappointing, but this configuration still lasts an hour longer than any 13" laptop released last year. As for performance, the gap is larger than it was in the 2012 range. In Macworld's in-house benchmark, the 2013 MacBook Air Core i7 1.7 GHz scored 204, against 166 for the Core i5 MacBook Air (2012 and 2013). The 2012 MacBook Air Core i7 scored 187. The difference is significant. Note that it is also more powerful than the 13" Retina MacBook Pro refreshed at the start of the year.


This difference is explained by the fact that the processor is more powerful, but also that the frequency gap between the Core i7 and the Core i5 is wider. Going by the battery of tests conducted, the difference is mostly felt with Aperture, VMware and Cinebench. At first glance, the choice is fairly simple. If none of the applications you use frequently is CPU intensive, go for the Core i5 to make the most of the battery life of Apple's ultraportable. If, on the other hand, you occasionally need power, the Core i7 is more than ever an option to consider.

Tuesday, June 18, 2013

Google Loon: Internet Access via Balloons

After its high-tech glasses, Google has unveiled Loon, a new experimental project that is no less ambitious and unconventional. Using helium-filled balloons sent into the stratosphere, the idea is to provide Internet access to people who cannot get it at all today. A first experiment has already been launched in New Zealand. More than a year ago, Google X, the web giant's "secret" research laboratory, came out of the shadows by revealing Google Glass. This time it returns to the front of the stage with Loon, a crazy project that seems straight out of a science fiction novel: the aim is to provide Internet access via balloons in the sky. Two thirds of the world's population do not have Internet access, so Google has looked for a fast and effective solution.

The Mountain View company starts from a simple observation about the Internet: "Two thirds of the world's population still do not have access to a fast and cheap connection, and there is still much to be done in this area. There are indeed many natural obstacles (jungles, islands, mountains, etc.) as well as financial ones. In most countries of the southern hemisphere, the cost of an Internet connection today still exceeds the equivalent of a month's income." Based on this assessment, the web giant unveiled a solution meant, in theory, to provide Web access to the largest number at a cost that should be kept under control, and, in passing, to increase the number of users of its services. The chosen solution is to send balloons into the stratosphere at about 20 km altitude, twice as high as commercial flights. The problem is that they cannot remain in a geostationary position (that orbit is at 35,768 miles) like satellites, so they drift with the winds. However, thanks to solar and wind energy, it is possible to adjust the height of a balloon and take advantage of a favourable wind to reach the best position. Of course, the balloons communicate with each other to create a mesh over our heads and spread Internet over a wide area, the whole being connected to a server. This however raises the question of managing a whole fleet of balloons, each made up of many components. For its part, the web giant brushes this issue aside, claiming to have already "developed algorithms and complex computer systems", without further details.

A first experimental phase has been launched in the Canterbury region of New Zealand. It brings together 50 testers equipped with special receivers and about thirty balloons. The web giant is now looking for countries on the same latitude to expand the experiment. The balloons communicate with each other and blanket the area with Internet access. Of course, no price or availability date was mentioned for marketing Loon; on the speed side, Google only says it hopes to provide "access to the Internet at speeds comparable or superior to those of current 3G networks". It remains to be seen whether this means basic 3G (384 kb/s in urban mode) or 3G+ at up to 42 Mb/s; the difference is huge. Finally, note that a Google+ page and dedicated web pages have been set up. Lastly, here are two videos presenting Loon.