Archive / Web Security

RSS feed for this section

read the latest news and articles regarding the internet security field in order to keep you up to date to this forever changing environment

Payload Control Through Conditional Comments.

You probably noticed that in my last posts I went on writing about simple attack vectors and HTML features which aren't discussed very much. While it isn't high-tech material, it can be useful in any attackers toolbox for the reason … Continue reading →

Same Origin Policy UI Redressing.

UI redressing or clickjacking has gotten a lot of attention lately, and for a good reason because it's quite malicious. If you thought it stopped at enabling webcam and microphone access, your wrong. The Adobe settings manager which is ironically … Continue reading →

Bypassing NoScript Iframe Protection.

Recently I discussed the general problems of objects and it's context in which they maybe behave like IFRAMES. Strictly speaking HTML's multimedia features allow the OBJECT HTML to include images, iframes, applets, and other rich content like Flash and movie … Continue reading →

Bypassing NoScript Clickjacking Protection.

Recently I discussed the general problems of objects and it's context in which they maybe behave like IFRAMES. Strictly speaking HTML's multimedia features allow the OBJECT HTML to include images, iframes, applets and other rich content like Flash. Previously HTML … Continue reading →

Who Wants To Root Philips.

Writing about hacking and security isn't like anything else. It's cool and depressing, fun and dangerous at the same time. You'll never know what to expect. That's the beauty of it I guess. Since application hacking is quite well known … Continue reading →

Flash, Fuzzing and Girls.

A short update of developments this week. Let's start with how to impress girls. I just read some slides from Blackhat, and one that caught my interest was the slides from Mark Dowd and Alexander Sotirov[1]. I guess I don't … Continue reading →

Exploiting Apache Tomcat.

You might have seen the new Apache Tomcat <= 6.0.18 vulnerability found by Simon Ryeo[1]. The vulnerability involved a problem in Tomcat with processing UTF-8 encoded URI's which resulted in a directory traversal and canonicalization issues while mapping the paths. … Continue reading →

Hacking Fox.

This is just a walk in the park, really. Google's been on their servers before, due to some weird configuration setting. But well, it's nice to look a couple of months later to see what those foxtards actually did to … Continue reading →

The Dan Kaminskybox.

So I had a little fun with my new soundboard I created, starring the famous Dan Kaminski. Yes the DNS dude, for those who don't know him. A soundboard is used for making prank phone calls, which in terms can … Continue reading →

Bypassing MSIE8 XSS Filter By Design.

When MSIE8 beta 2 launched a few days ago, I took it for a little spin to see if it puts up what it says it does. I'm actually quite happy and surprised with the XSS filter, but one thing … Continue reading →

Ecommy

your ecommerce friend

² Navigation