Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Results 1 - 30 of 176
4 years ago
Mephisto
Couple of tools here that allow you to decompile the classes.dex file associated with Android apps. Baksmali http://code.google.com/p/smali/ Dex2Jar http://code.google.com/p/dex2jar/
Forum: Mobile Devices
4 years ago
Mephisto
What are the odds of adding a "Mobile Devices" section to the forums to discuss iPhones, Androids, etc... and the apps that run on them?
Forum: OMG Ponies
4 years ago
Mephisto
I agree with kuza55, generally when an ActiveX COM object is instantiated from within the browser, it will run within that browser process's memory space.
Forum: SQL and Code Injection
6 years ago
Mephisto
It isn't currently accredited by any higher education body. I wouldn't waste my time or money unless they become nationally accredited. So far they are only attempting to become accredited through the state of New Mexico.
Forum: OMG Ponies
6 years ago
Mephisto
What browser are you using? expression is for IE as thornmaker mentioned.
Forum: XSS Info
6 years ago
Mephisto
Implementing "frame busting code" and correct implementation of DIV tags will prevent that issue.
Forum: News and Links
6 years ago
Mephisto
He's a sleep poster! I liked the movie "Goodfellas", so I'm gonna call you "Iota Two Times"!
Forum: News and Links
6 years ago
Mephisto
8. Re: hi
He's the strong, silent type I guess?
Forum: Intro
6 years ago
Mephisto
Are you the leader of a "hacker" cult? "Wait at the top of the heap and the packets will come to take you home!"
Forum: Intro
6 years ago
Mephisto
So, it's basically just a linux distro with a bunch of tools pre-installed. I have one of those too, it's called a VM running Gentoo. I think I'll box it up and call it "Ninja Web Testing Framework".
Forum: News and Links
6 years ago
Mephisto
We get blamed for everything...
Forum: Intro
6 years ago
Mephisto
Eric Lawrence (Creator of Fiddler) created an IE add-on called TamperIE, which does the same thing as TamperData. http://www.bayden.com/TamperIE/
Forum: XSS Info
6 years ago
Mephisto
1-4 appear to be server issues, not directly associated with the application itself. 5) Assuming you are using validators, if not you should be, you should be calling the "Page.IsValid" method to ensure validation occurs on the server as well.
Forum: SQL and Code Injection
6 years ago
Mephisto
I know, I'm a month late to this thread, but was interested in knowing what the "take on .NET frameworks" was at the OWASP meeting.
Forum: News and Links
6 years ago
Mephisto
There are a couple of books out that discuss .NET app security; one is "Developing More Secure ASP.NET 2.0 Applications" from Microsoft Press. There are some basic things to look at when doing .NET testing, besides the obvious, like input validation, etc... Version in use, some versions have known vulnerabilities. Check out securityfocus.com for details on vulnerable versions. Error handli
Forum: Intro
6 years ago
Mephisto
Yes, it was actually a well written essay over the abuse and torture I subjected him to during the process of watching his girlfriend eat her own eyebrow salad, while I masturbated. I'm thinking of getting it published... But enough about me...wait for my next request :)
Forum: OMG Ponies
7 years ago
Mephisto
timb, I don't see how that is possible? The .NET framework prevents "expression" tags. The only known workaround (which has been fixed) was to use "expr/**/ession" or some other variation that included the /**/ comment characters. Would you mind explaining the context in which you are injecting this vector?
Forum: XSS Info
7 years ago
Mephisto
The hash is also stored on the server and validated against on postback to ensure the data that was sent is identical to the data that was received.
Forum: SQL and Code Injection
7 years ago
Mephisto
The error SqlException: "Invalid column name 'a'", generally means it's vulnerable to sql injection. Try injecting a statement to get a table name.
Forum: SQL and Code Injection
7 years ago
Mephisto
Programming-wise .NET is not a bad choice at all. However, neither is Java. Become as familiar with as many different programming languages as you can. This will help if you want to do appsec work, as understanding the language capabilities assists in discovering vulnerabilities. I have a background in programming, with .NET being the past 5 years. After all that programming experience..I can prett
Forum: Intro
7 years ago
Mephisto
kuza55 Wrote:
> On a completely unrelated note, I know a site which can tell you if hackers have stolen your credit card details, just put your credit card details into my site.....

Dude, that is an awesome idea!!! I'd love to know if my info was stolen and I bet that service could make millions! All I have to do is
Forum: OMG Ponies
7 years ago
Mephisto
PM me a mailing address and I'll send a money order covering shirt and shipping...
Forum: OMG Ponies
7 years ago
Mephisto
I want my shirt too! How do I get it? I'll be in Dallas 10/22 - 11/2.
Forum: OMG Ponies
7 years ago
Mephisto
Okay, since I couldn't go to the con (had to travel for a client) how do I get a t-shirt?!
Forum: OMG Ponies
7 years ago
Mephisto
Anyone got any examples? My vector (either javascript or vbscript) doesn't work after the application forces it to uppercase. I can't enter script tags directly, I am using the closing tag/expression vector (</b style="expression(alert(1))">
Forum: XSS Info
7 years ago
Mephisto
I'm attempting to determine who owns a specific domain. I've done the usual whois lookup stuff, but the details are generic to the domain registrar and don't contain the actual domain registrant's information. I've used Sam Spade to find some stuff, but really can't get the information I'm looking for...anyone have any other methods that would assist in determining this information? I've also sear
Forum: OMG Ponies
7 years ago
Mephisto
If you have to ask, then you aren't qualified.
Forum: Jobs
7 years ago
Mephisto
Because 'admin' may be a valid account and because 1=1 always equates to true. With the 1=1 it would pull all records, assuming the SQL looked like this:
SELECT * FROM dbo.TableName WHERE Username = 'admin' or 1=1
This would end up returning all records in the table.
Forum: SQL and Code Injection
7 years ago
Mephisto
HTML Injection http://homegrownsecurity.org/search.php?stype=f'><h1><font%20color='red'>Injected%20HTML</font></h1>
Forum: XSS Info
7 years ago
Mephisto
oh great...Epsteinbar brought the FBI to the party...now we're all fucked!
Forum: Full Disclosure