omg.wtf.bbq.

because arshan’s too cheap to license OneNote

Browsing Posts tagged webappsec

Unchecked redirect vulnerabilities are annoying to fix for our customers. Sometimes the developers need to link to a constantly changing selection of partners and they always have to support different redirect URLs for testing, integration, and production. Sometimes these redirect mechanisms span different applications even though they live on the same domain, too. Given the […]

Jeremiah Grossman, who not many people know is actually the devil, smoked a bunch of crack and made the mistake of associating himself with me again with this virulently circulating “7 facts”. Before I got a chance to see his post, he sent me an e-mail saying he was sorry about the “7 facts” thing. […]

What other way is there of finding 216 million flaws in sub-second scanning time? Google, of course. How about 160,000 strictly within .gov? These numbers are absurd, especially since I’m only searching for one type of URL rewriting for J2EE. This type of flaw usually rates to a medium – the result of the combination […]

Another great OWASP conference ended yesterday. Other than the terrible food and slightly jarring speaker shuffle, I had a great time. I met lots of interesting folks from lots of different places, including closet webappsec expert Chris Shiflett, the always-blogging Rafal Los, and seasoned veteran Gunter Ollman, among them. I gave a talk on Day […]

I’m happy to say there’s a new version of AntiSamy out today! There were many more changes between 1.1 and 1.1.1 than there were from 1.0 to 1.1! And I’m thrilled about that, if that makes any sense – it means that usage really grew! Many international users made requests and e-mailed fixes to the […]

This is your everyday, ticket-serving Amtrak kiosk. Look familiar? I love taking the train. God, the only thing better than taking the train would be taking the train for free. Whoops. Thanks for the ticket, Marge Power, traveling from Alexandria, VA. How was I able to do this? Direct object references (DOR). Laughably, […]

I’m happy to say that the OWASP AntiSamy 1.1 Java API is officially out! Thanks to everyone on the OWASP AntiSamy mailing list for helping me get a better API out the door. There were really only 5-6 changes worth getting excited about. Here are the highlights: Removed accidentally included internal Sun JRE classes (com.sun.*) […]

One of the cooler tools in the webappsec hacker’s handbook is Hackvertor. It’s a smart encoding tool written by Gareth Heyes that helps you craft XSS vectors that pass whatever filters you’re trying to evade. Rather than wasting 3 paragraphs describing it, you should just go try out this example that Gareth showed me for […]

I am submitting a paper for Blackhat USA and the OWASP Belgium and NYC conferences. These are exciting times. Blackhat is always cool, Belgium is far away, and I know Tom Brennan will put on a great show in NYC. The title of the paper, which I’m not glued to yet, is “Building And Mitigating […]

One of the things I highlighted in my paper on AntiSamy was the fact that JavaScript is often the only thing we think of when we hear the term “malicious code” in terms of webappsec. Let’s suppose that’s false for a second. The question then becomes: If MySpace can strip out all your JavaScript, what can […]