What could be better than Google Code Search for finding vulnerabilities? Look at MAMA. I bet you've never heard of it – I hadn't, until my buddy .mario pointed it out to me. It's (as of today) an internal tool that Opera uses to crawl the web and index the structure of the world's web […]

Unchecked redirect vulnerabilities are annoying to fix for our customers. Sometimes the developers need to link to a constantly changing selection of partners and they always have to support different redirect URLs for testing, integration, and production. Sometimes these redirect mechanisms span different applications even though they live on the same domain, too. Given the […]

Jeremiah Grossman, who not many people know is actually the devil, smoked a bunch of crack and made the mistake of associating himself with me again with this virulently circulating “7 facts”. Before I got a chance to see his post, he sent me an e-mail saying he was sorry about the “7 facts” thing. […]

What other way is there of finding 216 million flaws in sub-second scanning time? Google, of course. How about 160,000 strictly within .gov? These numbers are absurd, especially since I’m only searching for one type of URL rewriting for J2EE. This type of flaw usually rates to a medium – the result of the combination […]

Another great OWASP conference ended yesterday. Other than the terrible food and slightly jarring speaker shuffle, I had a great time. I met lots of interesting folks from lots of different places, including closet webappsec expert Chris Shiflett, the always-blogging Rafal Los, and seasoned veteran Gunter Ollmann. I gave a talk on Day […]

Robert Hansen's gripe with Google is easy to understand. Unchecked redirects are a phisher's dream vulnerability. What would be Google's motivation to not fix such a blatant vulnerability? Well, there are only a few reasons why someone would choose to purposely not fix a vulnerability: 1. they don't care about security 2. they don't know how […]

What a ridiculously fun but busy time for me. I’ve had the honor of beating up important applications at work, going to Blackhat, going on vacation in the beautiful OBX, and all the while pursuing lots of side projects during down time. Let’s catch up chronologically: 1. I taught an Advanced Web Application Penetration Testing […]

The OWASP AntiSamy Project version 1.2 is now available at its home in Google Code. The highlights of the upgrade from 1.1.1: Internationalization of error messages. Japanese and German almost made the release, but for starters we’ve got the following: English Russian (Sergei Droganov) Italian (Jerry Hoff) Portuguese (Michael Coates) Chinese (Weilin Zhong) A number […]

The first thing you have to do is go read the whitepaper (or watch the movie) we just put together on some research I did into bypassing authentication and authorization mechanisms with HTTP verb tampering. It’s only been out for about 2 hours and we’ve already got a few thousand hits. Pretty cool! Ok, assuming […]

I just got back from Ghent, Belgium where I presented my research into next generation XSS worms. I hope people don't take too much FUD from the talk – it's only meant to show a few things, most notably how I (presume to have) solved the problem of decentralized, reliable, and unpoisonable command and control. Queue […]