omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts in webappsec

Jeremiah Grossman, who not many people know is actually the devil, smoked a bunch of crack and made the mistake of associating himself with me again with this virulently circulating “7 facts”. Before I got a chance to see his post, he sent me an e-mail saying he was sorry about the “7 facts” thing. […]

What other way is there of finding 216 million flaws in sub-second scanning time? Google, of course. How about 160,000 strictly within .gov? These numbers are absurd, especially since I’m only searching for one type of URL rewriting for J2EE. This type of flaw usually rates to a medium – the result of the combination […]

My boss Jeff Williams came up with something very clever while my company (Aspect Security) was participating in NIST’s Static Analysis Tools Exposition (SATE). Basically, NIST challenged all the major static code analysis vendors to a massive bakeoff sponsored by DHS. Being a consulting company that mainly performs code reviews and penetration tests, we couldn’t […]

This is your every day, ticket serving Amtrak kiosk. Look familiar? I love taking the train. God, the only thing better than taking the train would be taking the train for free. Whoops. Thanks for the ticket, Marge Power, traveling from Alexandria, VA. How was I able to do this? Direct object references (DOR). Laughably, […]

One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs describing it, you should just go try out this example that Gareth showed me for […]

There has been a lot of research into ways of getting around the same origin policy. What if the browser sandbox we’re all trying to figure out a way of implementing prevents you from adding various tags into the DOM dynamically? So, I imagine a common “sandbox” would prevent bad guys from dynamically inserting <script>, […]

One of theĀ things I highlighted in my paper on AntiSamy was the fact that JavaScript is often the only thing we think of when we hear the term “malicious code” in terms of webappsec. Let’s suppose that’s false for a second. The question then becomes: If MySpace can strip out all your JavaScript, what can […]

So my co-worker Eric Sheridan was talking about an attack scenario in one of our recent assessments where he left a note to the effect of, “we could download any file with this vulnerability if null byte injections work in Java – testing needed”. Interesting. Five minutes later I’ve got some test cases and as […]

So I took the opportunity during the OWASP San Jose conference to throw some of the ideas I’ve had bouncing around in my head at people. One of the things I was talking about was how strangely inefficient I thought the current XSS attack vector discovery paradigm was. What led me to this revelation was […]

I’m releasing the OWASP AntiSamy project today. I have a host of early adopters from big name companies who are looking to integrate the solution, including Sun, eBay and more. While it’s really exciting that I’m getting some instant traction, I know there is a lot of work ahead. The framework is in place and […]