path: root/guides/source/security.md
author: Sergio <shernade@gmail.com>, 2013-09-16 01:09:56 +0200
committer: Sergio <shernade@gmail.com>, 2013-09-16 01:09:56 +0200
commit: f91ea5101725e87d28e6045795ae52d2394a2c60
tree: 7be8cca1dcefbc0b4450764d147182c6aa4c9cde /guides/source/security.md
parent: edb74a187b905240675317a263d3e8c705157024
incorrect url
Diffstat (limited to 'guides/source/security.md')
-rw-r--r-- guides/source/security.md | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index 7d84681c13..d7a41497f8 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -760,7 +760,7 @@ The following is an excerpt from the [Js.Yamanner@m](http://www.symantec.com/sec
The worms exploits a hole in Yahoo's HTML/JavaScript filter, which usually filters all target and onload attributes from tags (because there can be JavaScript). The filter is applied only once, however, so the onload attribute with the worm code stays in place. This is a good example why blacklist filters are never complete and why it is hard to allow HTML/JavaScript in a web application.
-Another proof-of-concept webmail worm is Nduja, a cross-domain worm for four Italian webmail services. Find more details on [Rosario Valotta's paper](http://www.xssed.com/article/9/Paper_A_PoC_of_a_cross_webmail_worm_XWW_called_Njuda_connection/). Both webmail worms have the goal to harvest email addresses, something a criminal hacker could make money with.
+Another proof-of-concept webmail worm is Nduja, a cross-domain worm for four Italian webmail services. Find more details on [Rosario Valotta's paper](http://www.xssed.com/news/37/Nduja_Connection_A_cross_webmail_worm_XWW/). Both webmail worms have the goal to harvest email addresses, something a criminal hacker could make money with.
In December 2006, 34,000 actual user names and passwords were stolen in a [MySpace phishing attack](http://news.netcraft.com/archives/2006/10/27/myspace_accounts_compromised_by_phishers.html). The idea of the attack was to create a profile page named "login_home_index_html", so the URL looked very convincing. Specially-crafted HTML and CSS was used to hide the genuine MySpace content from the page and instead display its own login form.
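Review bot: On the added line the anchor text still reads "Rosario Valotta's paper", but the new target sits under xssed.com/news/ where the old one was under /article/ with a "Paper_" slug, so the link text may now promise a paper and deliver a news item. Please confirm the news page carries or links to the paper, or reword the anchor to match what the reader lands on. The commit message "incorrect url" also does not say what was wrong with the old link (dead, or pointing at the wrong page), which would help whoever next audits the references in this guide.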