
Posts Tagged ‘hacking’

Implementing Mozilla’s Content Security Policy

June 30th, 2009

I recently discovered this page, which describes Mozilla’s solution for preventing XSS (Cross-Site Scripting), available as a Firefox extension. Here’s the HTTP response from my site:

hank@tardis:~$ wget -S http://www.ralree.com
--2009-06-30 09:52:13--  http://www.ralree.com/
Resolving www.ralree.com... 74.54.115.108
Connecting to www.ralree.com|74.54.115.108|:80... connected.
HTTP request sent, awaiting response...
 HTTP/1.1 200 OK
 Date: Tue, 30 Jun 2009 13:49:54 GMT
 Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.1.3
   mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
 X-Powered-By: PHP/5.2.8
 X-Pingback: http://www.ralree.com/newblog/xmlrpc.php
 Last-Modified: Tue, 30 Jun 2009 13:49:21 GMT
 X-Content-Security-Policy: allow self; img-src *; object-src *.ralree.com
  *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com
  friendfeed.com; style-src *.ralree.com *.ralree.info
 Content-Length: 57457
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: text/html; charset=UTF-8

As you can see, my content security policy is sent as an HTTP header on every HTTP response from my site. I basically stole an example from this page. I’ve added it to the .htaccess file in my site’s root, before everything else in there, like so:

<IfModule mod_headers.c>
Header set X-Content-Security-Policy "allow self; img-src *; object-src *.ralree.com *.ralree.info; script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com friendfeed.com; style-src *.ralree.com *.ralree.info"
</IfModule>

I highly recommend that everyone with commenting enabled on their blog turn this on, since XSS is a serious pain. This works very well on Site5, where mod_headers was simply enabled out of the box.
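As an added example (not code from the original post), here is a small Python evaluator for the X-Content-Security-Policy header shown above: it parses the directive list and decides whether a given resource URL is permitted for a directive, falling back to the allow directive when no specific one is set. The matching rules for self, *, *.host and plain hostnames, and the choice of www.ralree.com as the serving host, are my assumptions modelled on the pre-standard syntax the header uses.

```python
from urllib.parse import urlparse

# The header value as served by the site in the post above (constructed copy).
HEADER = ("allow self; img-src *; object-src *.ralree.com *.ralree.info; "
          "script-src *.ralree.com *.ralree.info pagead2.googlesyndication.com "
          "friendfeed.com; style-src *.ralree.com *.ralree.info")
SELF_HOST = "www.ralree.com"  # host the policy was served from (assumed)


def parse_policy(header):
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _source_matches(pattern, host, self_host):
    # Matching rules are assumptions modelled on the pre-standard syntax:
    # unquoted 'self', bare '*', '*.host' wildcards and plain hostnames.
    if pattern == "none":
        return False
    if pattern == "*":
        return True
    if pattern == "self":
        return host == self_host
    if pattern.startswith("*."):
        # The leading dot is kept, so 'evilralree.com' never matches
        # '*.ralree.com'; the bare apex 'ralree.com' is treated as not
        # covered by the wildcard (assumption).
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy, directive, url, self_host=SELF_HOST):
    """Decide whether loading `url` under `directive` (e.g. 'script-src') is
    permitted. Directives not listed fall back to 'allow'; a policy with
    neither permits nothing (assumption)."""
    sources = policy.get(directive, policy.get("allow", []))
    host = (urlparse(url).hostname or "").lower()
    return any(_source_matches(p, host, self_host) for p in sources)


POLICY = parse_policy(HEADER)

if __name__ == "__main__":
    for directive, url in [("script-src", "http://pagead2.googlesyndication.com/show_ads.js"),
                           ("script-src", "http://evil.example.net/x.js"),
                           ("frame-src", "http://www.ralree.com/embed.html")]:
        verdict = "allowed" if is_allowed(POLICY, directive, url) else "blocked"
        print(directive, url, "->", verdict)
```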


Macbook Air hacked in under 2 minutes

March 30th, 2008

So, at the PWN2OWN contest, a MacBook Air was hacked in under 2 minutes. A Vista machine was also hacked a little later, but the Ubuntu machine stood strong despite various attempts. Just goes to show that Macs are definitely not as invincible as many people keep saying they are…

pwndBook Air


Disabling auto-off on a Sunbeam Health at Home heating pad

December 13th, 2007

WARNING! DON’T BURN DOWN YOUR HOUSE!
USE CAUTION! TRY AT YOUR OWN RISK!
YOU WILL VOID YOUR WARRANTY!

So, I got this heating pad at the store a while back to use as a hedgehog heating pad. I found out that the 2-hour auto-off timer was hardcoded into the circuit, and they didn’t even bother to put a switch on the casing to disable it. Typical overprotection of the consumer – this wouldn’t exist if our country was a bit less litigious


Hacking a WRT54G v8 With DD-WRT

October 6th, 2007

So, last month sometime, BrainSlayer got DD-WRT working on version 8 of the WRT54G. Now this was great news to me when I read it since I’ve been wanting to get rid of the crappy LinkSys management from the beginning. Some of the procedure worked, and some of it didn’t for me.

Do not try this if you don’t know exactly what you’re getting into.


Wordpress is unsafe – pwned AGAIN!

March 3rd, 2007

Well, it’s official:

Wordpress is a joke!!

Mephisto Wins!


Microsoft gets H4X043|}

June 18th, 2006

So, I was stumbling and I came across this:

I must say that it’s really funny. Shows how lame Microsoft really is.
