Opera Bitten By Extremely Severe Browser Bug




Opera Browser Dinged By Code Execution Flaw




Opera Users Baffled By Vulnerability Warnings




Book Review: 'The Tangled Web' By Michal Zalewski

No Starch Press: $49.95

If you are a security engineer, a researcher, a hacker or just someone who keeps an ear to the ground when it comes to computer security, chances are you have seen the name Michal Zalewski. He has been responsible for an abundance of tools, research, proofs of concept and helpful insight to many over the years. He recently released a book called "The Tangled Web - A Guide To Securing Modern Web Applications".

Normally, when I read books about securing web applications, I find many parallels: authors give an initial lay of the land, stating what technologies they will address and what programming languages they will encompass, and then provide a decent amount of detail on the vulnerabilities that exist along with some remediation tactics. Such books are invaluable for people in this line of work, but there is a bigger picture that needs to be addressed, and it includes quite a bit of secret knowledge rarely divulged in the security community. You hear it in passing conversation over beers with colleagues or discover it through random tests on your own. But rarely are the oddities documented anywhere in a thorough manner.

Before we go any further, let us take a step back in time. Well over a decade ago, the web was still in its infancy and an amusing vulnerability known as the phf exploit surfaced. It was nothing more than a simple input validation bug that resulted in arbitrary code execution. The average hacker enjoyed this (and many more bugs like it) during this golden age. At the time, developers of web applications had a hard enough time getting their code to work and rarely took security implications into account. Years later, cross-site scripting was discovered and there was much debate about whether or not a cross-site scripting vulnerability was that important. After all, it was an issue that restricted itself to the web ecosystem and did not give us a shell on the server. Rhetoric on mailing lists mocked such findings and we (Packet Storm) received many emails saying that by archiving these issues we were degrading the quality of the site. But as the web evolved, people started banking online, their credit records went online, and before you knew it, people were checking their social network updates on their phone every five minutes. All of a sudden, something as small as a cross-site scripting vulnerability mattered greatly.

To make the situation worse, many programs were developed to support web-related technologies. In the corporate world, being first to market or putting out a new feature in a timely fashion trumps security. Backwards compatibility that feeds poor design became a must for any of the larger browser vendors. The "browser wars" began and everyone had different ideas on how to solve different issues. To say web-related technologies brought many levels of complexity to the modern computing experience is a great understatement. Browser-side programming languages, such as JavaScript, became a playground for hackers. Understanding the Document Object Model (DOM) and the implications of poorly coded applications became one of those lunch discussions that could cause you to put your face into your mashed potatoes. Enter "The Tangled Web".

This book puts some very complicated nuances in plain (enough) English. It starts out with Zalewski giving a brief synopsis of the security industry and the web. Breakdowns of the basics are provided and it is written in a way that is inviting for anyone to read. It goes on to cover a wide array of topics, including the operation of browsers, the protocols involved, the various types of documents handled and the languages supported. Armed with this knowledge, the reader is equipped to tackle the next section detailing browser security features. As the author puts it, it covers "everything from the well-known but often misunderstood same-origin policy to the obscure and proprietary zone settings of Internet Explorer". Browsers, it turns out, have a ridiculous amount of odd dynamics for even the simplest acts. The last section wraps things up with upcoming security features and various browser mechanisms to note.

I found it a credit to the diversity of the book that technical discussion could also trail off into historical notes on poor industry behavior. When it noted DNS hijacking by various providers, it reminded me of the very distinct and constantly apparent disconnect between business and knowledge of technology. When noting how non-HTTP servers were being leveraged to commit cross-site scripting attacks, Zalewski also made it a point to note how the Internet Explorer releases only have a handful of prohibited ports while all other browsers block dozens. The delicate balance of understanding alongside context is vital when using information from this book and applying it to design.

Every page offers some bit of interesting knowledge that dives deep. It takes the time to note the odd behaviors small mistakes can cause and also points out where flawed security implementations exist. This book touches on the old and the new and many things other security books have overlooked. Another nice addition is that it provides security engineering cheat sheets at the end of each chapter. To be thorough, it explains both the initiatives set out by RFCs and the different paths various browser vendors have taken in tackling tricky security issues. Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer, Apple's Safari and Opera are compared and contrasted extensively throughout this book.

In my opinion, the web has become a layer cake over the years. New shiny technologies and add-ons have been thrown into the user experience and with each of them comes a new set of security implications. One-off findings are constantly discovered and documented (and at Packet Storm we try to archive every one of them), but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer.

 -Todd











The Robot War Over Libya Has Begun




Rebel Hackers Seize Libyan Domain Name Registry




Libyan Rebels Are Flying Their Own Minidrone







Terminal Server License Bypass

This registry code allows any terminal client access to a Terminal Server. It bypasses the Microsoft "Terminal Server License" and allows the client to create a session on the server without a CAL (Client Access License) or MS Open License. It works on WinNT, Win2000, Win2003 server and Win2008 server.




UN Sees Irreversible Damage to Climate Caused by Fossil Fuels

Humans are causing irreversible damage to the planet from burning fossil fuels, the biggest ever study of the available science concluded in a report designed to spur the fight against climate change.





Utility GDF Suez Plans to Double European Renewable Capacity by 2025

GDF Suez SA plans to double renewable power production capacity in Europe over the next decade as the utility shifts its focus away from developing more historic natural gas and nuclear energy sources in the region.




India Renewables Boom Aided by International Funds

India said cheaper credit along with foreign investment will help the world’s third-largest polluter fund an ambitious renewable energy program that would build green power plants faster than China.




Obama Orders US Agencies to Cut Carbon Emissions 40 Percent by 2025

President Barack Obama ordered the federal government to reduce greenhouse gas emissions by 40 percent from 2008 levels over the next 10 years by shifting to renewable energy sources such as solar power.




Utilities Threatened by Competitive Renewable Energy Growth

Technology is catching up with Thomas Edison’s electricity industry, eating away at the utility business model that hasn’t changed much in a century.




Clean Energy Investment Rises 9 Percent, Led by Solar-Power Demand

Clean energy investment rose by 9 percent in the first quarter from a year earlier on surging demand for rooftop solar panels from the U.S. to Japan.




World Energy Supply Requires $40 Trillion Investment by 2035, Says IEA

Meeting the world’s energy supply needs by 2035 will require $40 trillion of investment, as demand grows and production and processing facilities have to be replaced, the International Energy Agency said.




Sudanese member of ICRC killed by stray bullet in Darfur

The International Committee of the Red Cross said Friday a Sudanese member of its staff was killed by a stray bullet in the restive Darfur region.




Pakistani program would raise female literacy by cellphone

The provincial government in Pakistan's Sindh province is planning a literacy program to reach women and girls in remote areas via cell phones.




UK Discrimination Law Review: Discrimination by association - latest developments

For some time now it has been recognised that direct discrimination occurs not only if someone is treated less favourably because of their own protected characteristics, but also if they are treated less favourably because of somebody else’s p...




Heavy rocket attack by Libya rebels damages airport in Tripoli, kills 6

Libyan rebels have heavily attacked an airport in the capital Tripoli, killing six civilians and inflicting damage in and around the facility. Several civilians were also injured in the attack on Mitiga International Airport on Saturday, the country’s internationally-recognized government said. The Libyan Interior Ministry said at least 80 rockets were fired in the attack,...




Munyakazi: Rayon Sports president handed six-month ban by Ferwafa

The local federation has now banned the Rayon boss after he allegedly incited hatred and violence while he protested fines ......




E-briefing - New China franchise regulations: replacement of approvals by registration?

Introduction The long-awaited regulations on the Administration of Commercial Franchise Operations (the 'New Regulations') were promulgated by the State Council of the PRC on 6 February 2007, and will take effect on 1 May 2007. They apply equally t...




Covid 19 coronavirus: Shopper concerned by lack of distancing after fire alarm sounds

A woman was concerned about the lack of physical distancing among fellow shoppers after a fire alarm went off at an Auckland Pak'nSave supermarket. The woman, who did not want to be named, said while staff and security did advise...




ON Semiconductor EPS misses by $0.05




At Least 3 Dead, a Dozen Wounded in Libya

UN-backed Government of National Accord accused the Libyan Arab Armed Forces of shelling in residential areas of Tripoli




Benjamin Netanyahu suggests microchipping kids, slammed by experts


"If the information with the kids' location is uploaded to the internet, a pedophile with some cyber knowledge may invade the system and stalk them," cyber expert Einat Meron said.




US-China tensions in South China Sea fuelled by increase in military operations

The United States has ramped up its military operations in waters close to China this year as the risk of confrontation between the two nations continues to grow. So far this year, aircraft from the US armed forces have conducted 39 flights over the South China Sea, East China Sea, Yellow Sea and the Taiwan Strait – more than three times the number carried out in the equivalent period of 2019. Two of the flights passed close to Hong Kong, a rare move that indicated their proximity to mainland…




Joy and agony of travel by ship

I well understand why so many murder stories are set on cruise ships.




Elderly Hongkongers peeved by looming eviction and relocation at decades-old care home amid Covid-19 pandemic

The looming eviction and relocation of 150 elderly residents at a decades-old care home in Hong Kong amid the coronavirus pandemic has left many fearful of infection risks, as a resident prepares to launch a last-minute legal battle against the government to stop a demolition plan within a month. Situated in the suburbs of the northern border town of Sheung Shui, Dills Corner Garden has housed 16 elderly care homes since 1997 and is much beloved by many residents for its tranquil life, quality…




Seared by climate change, Nicaragua's small farmers face food crisis

Environmental and charitable groups call on Sandinista government to respond to hunger and drought




Clock keeps ticking on calendar reform, as another leap year passes by

Feb. 29 approaches, with advocates pushing hard for long-shot changes




Iqra Aziz surprised by mom Asiya Aziz

Later, Iqra turned to Instagram and showered love and wishes to mom on Mother’s Day




Chohan announces relief package for media workers hit by corona

RAWALPINDI: Punjab Information Minister Fayyaz-ul-Hassan Chohan said on Saturday that the Information Department would give Rs100,000 to media workers affected by COVID-19, while in case of an unfortunate...




Abbasi wants PM, Asad quizzed by sugar scam probe body

ISLAMABAD: Senior vice president of the main opposition Pakistan Muslim League-Nawaz (PML-N) Shahid Khaqan Abbasi has urged the commission of inquiry on the sugar scam to include Prime Minister Imran Khan and the then finance minister Asad Umar in the investigation to find out the truth.

Talking to reporters after appearing before the commission with another senior party leader and former minister Khurram Dastagir Khan here on Saturday, Mr Abbasi said he had told the commission there would be no worth of its report if it did not summon the prime minister and Mr Umar, the then chairman of the Economic Coordination Committee (ECC) that had allowed export of sugar despite knowing it was not available in stock.

“We do not talk politics. We have presented facts before the commission. If the prime minister and the [former] ECC chairman are not called [for interrogation] there will be no worth of the commission’s report,” said Mr Abbasi, who had served as prime minister after disqualification of Nawaz Sharif in July 2017 as a result of the Supreme Court’s verdict in Al-Azizia corruption case.

Mr Abbasi had himself written a letter to the commission and offered his services to it by sharing his experiences in probing the sugar scam. He had stated that he would inform the commission how sugar scandals developed in the light of his experience as a former chief executive of the country.

Mr Abbasi held the prime minister directly responsible for the sugar scam, worth over Rs100 billion, saying the inquiry commission should ask him the reason for allowing sugar export despite the fact that the commodity was not available in surplus in the country and for not taking any step to prevent an increase in its price. He said the export continued for 16 months with a 45 per cent increase in the sugar price in the country, but the government took no notice of it.

The former prime minister alleged that the sugar mill owners earned Rs30 per kilogram extra due to this decision of the government. He said the increase in sugar price proved the decisions of the cabinet and the ECC to export sugar were wrong.

“There can be three factors behind this wrong decision. Either the prime minister is incompetent or corrupt or he is both. The facts prove he is incompetent as well as corrupt and the people of Pakistan are paying the price for it,” he said.

Mr Abbasi said he had told the inquiry commission it would not be able to understand the issue until it summoned the members of the cabinet and the ECC.

“Is it not a matter of conflict of interests?” he asked, alleging those who made billions through the sugar scam were part of the federal cabinet.

Mr Abbasi said it was a clear, open and shut case as facts showed sugar was exported against the advice of the relevant authorities and continued to be exported for 16 months while prices rose. He said not only that, the government also imposed a special tax on sugar import to ensure the rise in price and exploitation of the people.

Replying to a question, the former prime minister said when the PML-N had left the government in 2018, the sugar price was Rs54 per kg. He said the PML-N had also given a huge subsidy of over Rs20bn and even allowed the export, but at the same time it kept a check on its price and brought the price down.

Responding to another query, he said they had not given anything in writing or any document, but they were ready to do so, if asked. However, he said, the minutes of the meetings of the cabinet and the ECC would be sufficient as evidence.

The federal cabinet in its meeting on April 28 had allowed three more weeks to the Sugar Forensic Commission (SFC) to compile its report on last year’s food crisis after the expiry of the April 25 deadline given for the task.

The commission headed by Federal Investigation Agency (FIA) Director General Wajid Zia had reportedly made a formal request to the federal government to grant it more time citing multiple reasons, including the situation created by coronavirus.

The commission had been constituted by the government in the first week of April following the release of two separate inquiry reports of the FIA on the issue of artificial shortage of sugar and wheat in the country and sudden increase in their prices last year.

The inquiry report on sugar had revealed names of many bigwigs, including Jahangir Tareen, former secretary general of the ruling Pakistan Tehreek-i-Insaf and a close confidant of Prime Minister Imran Khan, who had allegedly obtained benefit during the crisis.

The report had shown that in the past few years sugar production was historically more than the local requirement and said it was therefore imperative to include this aspect related to the export of sugar, including any subsidy given, its impact on local sugar prices and eventually the major beneficiaries of such export subsidies, if any. The inquiry committee had found the sugar export was not justified as sugarcane production was expected to be low in the 2018-19 harvesting season, and with the export of sugar in Jan 2019, the prices of sugar sharply increased.

After the release of the report, the opposition had demanded that the PM take stern action against those who had been declared responsible for the crisis by the FIA committee.

PM Khan had vowed to take action, but said he would do so after receiving the forensic audit report from the commission he had constituted on the recommendation of the ‘initial’ reports. The commission comprises officials from a number of agencies and departments, including Intelligence Bureau and the Federal Board of Revenue.

Published in Dawn, May 10th, 2020




Pakistan rejects 'baseless, inaccurate' allegations by Indian counsel in Kulbhushan Jadhav case

Foreign Office spokesperson Aisha Farooqui on Sunday said that Pakistan rejects the "baseless and inaccurate" allegations by Harish Salve, India's legal counsel in the Kulbhushan Jadhav case.

In an online lecture on May 3, Salve, who had represented India in the case at the International Court of Justice (ICJ), alleged that Pakistan refused to respond to Indian queries about how it would carry out the ICJ's judgement and review and reconsider Jadhav's case.

"We have written four to five letters to Pakistan [...] but they just keep on denying. I think we have reached a point where we have to now decide whether we want to go back to ICJ for consequential directions because Pakistan has not moved ahead," Tribune India quoted Salve as saying.

He also alleged that Pakistan granted consular access to Jadhav "too late" and refused to share details of the case with India.

The Foreign Office, while refuting the allegations, said that Pakistan has "fully complied" with the international court's judgement. "Pakistan has granted India consular access to commander Jadhav and is processing measures for effective review and reconsideration as per the guidelines provided by ICJ in its judgment," a statement from the FO read.

The Foreign Office also said that Salve's statements were "regrettable and a misrepresentation of facts", adding that Pakistan followed "all its international obligations".

The ICJ in its verdict in July 2019 had ruled that Jadhav be allowed consular access immediately and asked Pakistan to ensure "effective review and reconsideration of his conviction and sentences".

The ICJ had, however, rejected all other remedies sought by India, which included the annulment of the military court decision convicting Jadhav, restricting Pakistan from executing the sentence, securing Jadhav's release and ordering his return to India.

Arrest of Indian spy

Jadhav — a serving commander of the Indian Navy associated with Indian spy agency Research and Analysis Wing — was arrested on March 3, 2016, from Balochistan on allegations of espionage and terrorism.

In his subsequent trial at a military court, Jadhav had confessed to his involvement in terrorist plots.

The spy was subsequently sentenced to death in 2017. However, India insisted that Jadhav was not a spy and said he was kidnapped from Iran.

On April 10, 2017, Army Chief Gen Qamar Bajwa had endorsed the death penalty for Jadhav. In June 2017, the Indian spy had filed a mercy petition against the death penalty, in which he again confessed to his involvement in terrorist activities.

However, before Pakistani authorities could make a final decision, the ICJ, after being approached by India, had ordered a stay in his execution through an interim order.




Acura Selects Aha™ by HARMAN for Connected Infotainment in RLX Vehicles

NEW YORK, April 04, 2012 -- Aha by HARMAN™, the infotainment platform that makes Web content safe for drivers, has announced a partnership that will bring its highly personalized listening experience to drivers of Acura RLX vehicles beginning in model year 2013.