omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts tagged owasp

We’ve released another version of AntiSamy into Maven and on the main downloads page. In terms of the actual code changes, there are just a few things – it’s more of a directional change for our engine. Here’s the changelist: fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you […]

We released AntiSamy 1.4.2 a few days ago. This is a minor release with a lot of housecleaning behind it. The main purpose for the release was to address a vulnerability in the DOM engine discovered by Michael Kirchner, Barbara Schachner and Jan Wolff. The bypass is hilariously simple and incredibly frustrating: <![CDATA[]><script>alert(1)</script>]]> The new […]

You may be thinking, “what the hell happened to 1.4?” A few things. First, I had a baby. That was really hard. Then, we were trying to manage all the logistics of moving to a new project structure during our 1.4 release cycle and during that time we added some really important stuff. So, AntiSamy […]

The application I beat up for the ESAPI WAF preso at OWASP AppSec DC was JForum. It’s awesome, free, open source forum software that is quite popular (CBS, EA and the Ukrainian government seem to like it). That aside, it’s got serious security problems. I disclosed these problems to them, um, around a month ago […]

A colleague of mine, Jerry Hoff, was testing AntiSamy a while ago and he found an interesting technique he quite hilariously and tongue-in-cheekly called “formjacking.” Once we dissected the payload we found a very strange cross-browser behavior. I wanted to talk about it but never had a chance until now. It seems that FF3 and […]

browsers will accept strangely formed URLs and this could be used to bypass security checks

Go download! The changes: Fixed empty element “bug” (a <b/> causes the rest of the page to be bold cross-browser, wtf? more on this later) Fixed some bugs handling CSS colors, fonts and margins (negative margins not allowed and colors are now c14nized – thx to Jason Li and designbistro) Added a usable pom.xml (thx […]

Another great OWASP conference ended yesterday. Other than the terrible food and slightly jarring speaker shuffle, I had a great time. I met lots of interesting folks from lots of different places, including closet webappsec expert Chris Shiflett, the always-blogging Rafal Los, and seasoned veteran Gunter Ollman, among them. I gave a talk on Day […]

What a ridiculously fun but busy time for me. I’ve had the honor of beating up important applications at work, going to Blackhat, going on vacation in the beautiful OBX, and all the while pursuing lots of side projects during down time. Let’s catch up chronologically: 1. I taught an Advanced Web Application Penetration Testing […]

I just got back from Ghent, Belgium where I presented my research into next generation XSS worms. I hope people don’t take too much FUD from the talk- it’s only meant to show a few things, most notably how I (presume to have) solved the problem of decentralized, reliable, and unpoisonable command and control. Queue […]