omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts tagged appsec

I haven’t blogged or released much research in the last two years. If you care about that, which I doubt you do, then I’m sorry. I’ve been putting all of my energy into Contrast, a completely new way of finding vulnerabilities in applications. Contrast uses instrumentation to add “sensors” to your running JVM, including in […]

We’ve released another version of AntiSamy into Maven and on the main downloads page. In terms of the actual code changes, there are just a few things – it’s more of a directional change for our engine. Here’s the changelist: fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you […]

We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating: <![CDATA[]><script>alert(1)</script>]]> The new […]

JavaSnoop 1.0 final released with new features, bug fixes, performance enhancements, and more.

I’m flying back from Blackhat today where I presented and officially released JavaSnoop, a tool that makes security testing thick Java clients really, really easy. We use some magically awesome instrumentation and bytecode engineering. Despite the fact that those buzzwords were in play, Blackhat thought they’d hedge their bet on me by putting the talk […]

The application I beat up for the ESAPI WAF preso at OWASP AppSec DC was JForum. It’s awesome, free, open source forum software that is quite popular (CBS, EA and the Ukrainian government seem to like it). That aside, it’s got serious security problems. I disclosed these problems to them, um, around a month ago […]

Using “Content-disposition: attachment” when streaming user-uploaded files is unfortunately incomplete protection against all cross-origin issues. Most savvy testers know that without it, a user could send a victim a link directly to a malicious uploaded file or <iframe> it in from their evil site, causing XSS & SSRF. When this header is sent down in […]

Browsers will accept strangely formed URLs, and this could be used to bypass security checks.

Go download! The changes: Fixed empty element “bug” (a <b/> causes the rest of the page to be bold cross-browser, wtf? more on this later) Fixed some bugs handling CSS colors, fonts and margins (negative margins not allowed and colors are now c14nized – thx to Jason Li and designbistro) Added a usable pom.xml (thx […]

What could be better than Google Code Search for finding vulnerabilities? Look at MAMA. I bet you never heard of it – I hadn’t, until my buddy .mario pointed it out to me. It’s (as of today) an internal tool that Opera uses to crawl the web and index the structure of the world’s web […]