• Cross-site request forgery is dead (but browser support is needed): scotthelme.co.uk/csrf-is-dead/
• Normal accidents: in extremely complex systems the accidents are unavoidable wikipedia via Troy Hunt
• Putting the relational database model in perspective: there were (and still are) other database models
• The known and unknown unknowns: Donald Rumsfeld’s famous quote used in the context of the ratio of the browser window (a known unknown) and the yet un-discovered security vulnerabilities out-there (an unknown unknown)
• SAML (Security Assertion Markup Language) – the triangle of user, service provider and identity provider: what it is, how it works and why it’s important
• Smashing Magazine is moving to static HTML, advanced JavaScript APIs, progressive web app with a service worker in the background and blazingly fast performance — served from CDN via HTTP/2: next.smashingmagazine.com

Two notes about session hijacking methods:

Difference between stored and reflected XSS attack

Stored or persistent XSS attack – relies on user input stored on the server. Best example – a comment in a news site.
Reflected or non-persistent XSS attack – relies on user input sent in the HTTP query parameters. Best example – site search, showing the keyword after search
Play the XSS game: xss-game.appspot.com

Session fixation

In a nutshell, session fixation means that the attacker obtains a legitimate session ID from the server and then it makes the victim browser to use it. See example.
The counter-measures are quite simple:
– do not accept setting a session id via URL/POST parameters
– change session id after user login
– just use HTTPS and secure cookies, it’s 2017 and HTTPS adoption reached the tipping point

Back in 2011, when I started this blog, I had a list of things I wanted to talk about. I recently reviewed this list and I noticed that one of my questions back then was about the restriction of content: after reaching a certain number of free articles, some websites ask to pay before continuing. This system is named metered paywall and one example of website using this mechanism is NYTimes.com.

I was curious about the technical implementation of this system and I did a little research (fun Saturday evening project 🙂 ). After reaching the maximum number of free articles, I tried to see how easy it is to continue reading.
First, with the stateless design of HTTP in mind, I tried clearing the browser storage:

No success, so moving on.
Second, I noticed that I could bypass the metered paywall by opening articles in incognito windows.
Third, I also noticed that disabling JavaScript in a normal browser window also turned off the paywall:

This only means one thing: that the NYTimes metered paywall is client-side only, meaning that it can be overridden by disabling JavaScript. I was expecting a server side implementation, but it looks like the client-side was enough for NYTimes.
With this in mind, it took me only a few minutes to find the JS file implementing the metered paywall and adding it in AdBlock Plus. I will not disclose it here; the plan is to get in touch with NYTimes to confirm this is the intended behavior. I’ll update this post if I have more news.

PS: Yes, I do have a NYTimes subscription 🙂