mime sniffing
One of the many fortuitous events that made Chrome what it is was getting a bunch of rock star interns. Adam has written a bunch of papers on browser security and has a new paper up on XSSes related to mime sniffing: Secure Content Sniffing for Web Browsers or How to Stop Papers from Reviewing Themselves. The subtitle refers to the fact that the paper submission site that this paper was submitted to was itself vulnerable to one of these attacks.
Due to their orthogonality to "traditional" XSS, these sorts of attacks still affect sites that are otherwise pretty good in terms of input handling. I recall, when I first read about these attacks, I was able to make a proof of concept XSS against LiveJournal. When I showed the attack to
brad, it amusingly turned out that had already written code to defend against the problem but hadn't yet flipped the switch, so he fixed it within a few minutes. But as the paper illustrates, many other sites (like Wikipedia*) are vulnerable.
* Update: having read more now, I see Wikipedia uses the same defense LJ does; it's just the default configuration of Mediawiki that is vulnerable.
Due to their orthogonality to "traditional" XSS, these sorts of attacks still affect sites that are otherwise pretty good in terms of input handling. I recall, when I first read about these attacks, I was able to make a proof of concept XSS against LiveJournal. When I showed the attack to
brad, it amusingly turned out that had already written code to defend against the problem but hadn't yet flipped the switch, so he fixed it within a few minutes. But as the paper illustrates, many other sites (like Wikipedia*) are vulnerable.* Update: having read more now, I see Wikipedia uses the same defense LJ does; it's just the default configuration of Mediawiki that is vulnerable.