omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts in webappsec

I haven’t blogged or released much research in the last two years. If you care about that, which I doubt you do, then I’m sorry. I’ve been putting all of my energy into Contrast, a completely new way of finding vulnerabilities in applications. Contrast uses instrumentation to add “sensors” to your running JVM, including in [...]

We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating: <![CDATA[]><script>alert(1)</script>]]> The new [...]

I’m flying back from Blackhat today where I presented and officially released JavaSnoop, a tool that makes security testing thick Java clients really, really easy. We use some magically awesome instrumentation and bytecode engineering. Despite the fact that those buzzwords were in play, Blackhat thought they’d hedge their bet on me by putting the talk [...]

You may be thinking, “what the hell happened to 1.4?” A few things. First, I had a baby. That was really hard. Then, we were trying to manage all the logistics of moving to a new project structure during our 1.4 release cycle and during that time we added some really important stuff. So, AntiSamy [...]

Billy Hoffman and Matt Wood from HP presented on a new browser darknet at Blackhat, which of course the press went totally batshit for (the press love Billy et al. as much as they love anyone – or HP’s marketing department is insanely good). I love the idea of totally anonymous P2P information sharing, but [...]

Last year Jeff Williams and I discovered 2 critical flaws in SiteMinder. Rather than just sitting on the flaws or leaving the client to report them, we decided to experiment with responsible disclosure with the company that manages SiteMinder, Computer Associates (CA). The process was painfully slow and from our perspective a little disrespectful. For [...]

A colleague of mine, Jerry Hoff, was testing AntiSamy a while ago and he found an interesting technique he quite hilariously and tongue-in-cheekly called “formjacking.” Once we dissected the payload we found a very strange cross-browser behavior. I wanted to talk about it but never had a chance until now. It seems that FF3 and [...]

Browsers will accept strangely formed URLs, and this could be used to bypass security checks.

What could be better than Google Code Search for finding vulnerabilities? Look at MAMA. I bet you’ve never heard of it – I hadn’t, until my buddy .mario pointed it out to me. It’s (as of today) an internal tool that Opera uses to crawl the web and index the structure of the world’s web [...]

Unchecked redirect vulnerabilities are annoying to fix for our customers. Sometimes the developers need to link to a constantly changing selection of partners and they always have to support different redirect URLs for testing, integration, and production. Sometimes these redirect mechanisms span different applications even though they live on the same domain, too. Given the [...]