omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts in security

I caught up with Michael Eddington’s short and sweet analysis of the request validation in ASP.NET 2.0. So far I’ve seen a few people blast it, but I think it will actually help ASP.NET security against XSS in general, thanks to the Pareto principle (also called the 80/20 rule). I’ll quickly summarize Mike’s post and […]

I’m happy to say there’s a new version of AntiSamy out today! There were many more changes between 1.1 and 1.1.1 than there were from 1.0 to 1.1! And I’m thrilled about that, if that makes any sense – it means that usage really grew! Many international users made requests and e-mailed fixes to the […]

My boss Jeff Williams came up with something very clever while my company (Aspect Security) was participating in NIST’s Static Analysis Tools Exposition (SATE). Basically, NIST challenged all the major static code analysis vendors to a massive bakeoff sponsored by DHS. Being a consulting company that mainly performs code reviews and penetration tests, we couldn’t […]

This is your every day, ticket serving Amtrak kiosk. Look familiar? I love taking the train. God, the only thing better than taking the train would be taking the train for free. Whoops. Thanks for the ticket, Marge Power, traveling from Alexandria, VA. How was I able to do this? Direct object references (DOR). Laughably, […]

I’m happy to say that the OWASP AntiSamy 1.1 Java API is officially out! Thanks to everyone on the OWASP AntiSamy mailing list for helping me get a better API out the door. There were really only 5-6 changes worth getting excited about. Here are the highlights: Removed accidentally included internal Sun JRE classes (com.sun.*) […]

One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs describing it, you should just go try out this example that Gareth showed me for […]

I am submitting a paper for Blackhat USA and the OWASP Belgium and NYC conferences. These are exciting times. Blackhat is always cool, Belgium is far away, and I know Tom Brennan will put on a great show in NYC. The title of the paper, which I’m not glued to yet, is “Building And Mitigating […]

There has been a lot of research into ways of getting around the same origin policy. What if the browser sandbox we’re all trying to figure out a way of implementing prevents you from adding various tags into the DOM dynamically? So, I imagine a common “sandbox” would prevent bad guys from dynamically inserting <script>, […]

One of the things I highlighted in my paper on AntiSamy was the fact that JavaScript is often the only thing we think of when we hear the term “malicious code” in terms of webappsec. Let’s suppose that’s false for a second. The question then becomes: If MySpace can strip out all your JavaScript, what can […]

So my co-worker Eric Sheridan was talking about an attack scenario in one of our recent assessments where he left a note to the effect of, “we could download any file with this vulnerability if null byte injections work in Java – testing needed”. Interesting. Five minutes later I’ve got some test cases and as […]
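An added example, not code from the post or from Aspect Security: the kind of test case the note above asks for. The probe appends a NUL byte and a fake extension to a real file’s path and checks whether the JVM still opens the real file (older JVMs passed the string to native code, where the C string ended at the NUL, so “secret.txt\0.jpg” opened secret.txt; current JDKs reject any path containing a NUL). The `resolveDownload` helper is a hypothetical hardening of a “download any file” endpoint; class and method names are my own, and the temp directory and file contents are constructed for the run.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

public class NullByteProbe {

    // Probe: does this JVM open the real file when "\0.jpg" is appended to
    // its path? True means the path is truncated at the NUL (the behaviour
    // that makes null-byte injection work); false means the JVM rejects it.
    static boolean nullByteTruncates(File target) {
        File probe = new File(target.getPath() + "\u0000.jpg");
        return probe.exists() && probe.length() == target.length();
    }

    // Hypothetical hardened download helper: reject NUL explicitly (do not
    // rely on the JVM doing it), then confine the canonical path to the
    // download directory so "../" cannot escape it either.
    static File resolveDownload(File downloadDir, String requestedName) throws IOException {
        if (requestedName.indexOf('\u0000') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        File candidate = new File(downloadDir, requestedName).getCanonicalFile();
        String root = downloadDir.getCanonicalPath() + File.separator;
        if (!candidate.getPath().startsWith(root)) {
            throw new IllegalArgumentException("path escapes download directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temp directory holding one "secret" file.
        File dir = Files.createTempDirectory("nullbyte").toFile();
        File secret = new File(dir, "secret.txt");
        Files.write(secret.toPath(), "not for you".getBytes(StandardCharsets.UTF_8));

        System.out.println("JVM truncates path at NUL: " + nullByteTruncates(secret));

        // Constructed request names: one legitimate, two hostile.
        String[] names = { "secret.txt", "secret.txt\u0000.jpg", "../secret.txt" };
        for (String name : names) {
            try {
                File f = resolveDownload(dir, name);
                System.out.println("allowed:  " + f.getName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        secret.delete();
        dir.delete();
    }
}
```

Run it on the JVM you are assessing; the probe’s answer is what decides whether the null-byte trick in the note is exploitable there, while the explicit NUL check in `resolveDownload` keeps the application safe regardless of which JVM it ends up on.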