The title might be confusing, let's see if we can clear it up. I saw an article the other day that was giving a comparison between encoding, encryption and hashing. There was a statement made that basically said: Encoding has no security purpose. I thought this was interesting because when training on security topics we mention encoding for specific use cases. For example, when we discuss Cross-Site Scripting, the answer is output encoding. I want to clarify that I agree with the statement … [Read more...] about Is encoding really encoding if it is escaping?
It was recently identified, and Amazon was quick (2 days) to fix it, that one of their sites was vulnerable to cross-site scripting. Cross-site scripting is a vulnerability that allows an attacker to control the output in the user's browser. A more detailed look into cross-site scripting can be found on the OWASP site. Take-Aways QA could have found this Understand your input validation routines Check to make sure the proper output encoding is in place in every location user supplied … [Read more...] about Amazon XSS: Thoughts and Takeaways