An interesting blog post by Google's Online Security Team, ntroducing Automatic Context-Aware Escaping (Auto-Escape for short), a functionality the team added to two Google-developed general purpose template systems to better protect against Cross-Site Scripting (XSS).
An interesting paper by p3lo concerning the new XSS vectors, javascript malware obfuscation
, url cache poisoning, packing, frame jacking techniques etc..
(IN)SECURE Magazine Issue 17, includes Russ's article about open redirect vulnerabilities. Covers them in detail by providing info on real-world examples, prevention solutions and the relation with PCI-DSS standards.
In this tutorial paper, Gerasimos describes in full detail how to perform an XSS filter invasion and run his JavaScript key logger in order to steal user names, passwords and user credentials.
