Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 

Current Page: 1 of 6
Results 1 - 30 of 151
4 years ago
blad3
http://www.symantec.com/connect/articles/vulnerability-scanning-web-20-client-side-components My impression is they've copied the article from another place (SecurityFocus?) but they failed to properly sanitize/encode the contents of the article. How do you exploit this? You publish an article on SecurityFocus with your desired payload and wait a few days until it reaches Symantec :)
Forum: XSS Info
7 years ago
blad3
Cool .mario :) I'm curious about the IDS. Sounds pretty interesting.
Forum: Projects
7 years ago
blad3
Somebody instructed me to post the XSS link on some website. It seems that just submitting a link to Google is not enough. So, I created a blogspot forum, inserted the link and in 2-3 days it appeared on Google. http://www.google.com/search?hl=en&q=11c89bd5b1ae38140272fe4a0a52991b&btnG=Google+Search So, it's proved (for me at least, others probably were using this for some time).
Forum: XSS Info
7 years ago
blad3
Check this paper from Stefano Di Paola http://www.wisec.it/docs.php?id=5
Forum: SQL and Code Injection
7 years ago
blad3
Thanks for link wck. Very interesting reading.
Forum: CSRF and Session Info
7 years ago
blad3
It's not possible to reliably detect CSRF automatically.
Forum: CSRF and Session Info
7 years ago
blad3
Python vs Perl, the winner is Ruby :P Perl is old and has a very funky syntax, therefore hard to learn for beginners but once you know it, it's very powerful.
Forum: OMG Ponies
7 years ago
blad3
I also had this idea but tub girl would be too extreme. Some people might get shocked for life :)
Forum: OMG Ponies
7 years ago
blad3
This is really funny :) http://www.ex-parrot.com/pete/upside-down-ternet.html
Forum: OMG Ponies
7 years ago
blad3
OK, this is not exactly news. However, there is a very interesting video about creating an XSS worm on meebo.com. Maybe some of you didn't see it. Here it is: http://milw0rm.com/video/watch.php?id=71
Forum: News and Links
7 years ago
blad3
I liked your blog a lot, I think you are making a mistake. Following the hate will only bring you more hate. I know this sounds like preaching, but I'm talking from my experience. I've wasted a few years of my life in the underground.
Forum: OMG Ponies
7 years ago
blad3
Ronald, I also found some things which were undetected. So I reported them. I've been exchanging emails with the main developer (Nenad Jovanovic) for a few days and I think he's a cool guy, very open to reports. So, we can help him to improve this tool. Pixy is not perfect. No automated scanner can replace a human. The automated scanners can assist us in our work, not replace us. However,
Forum: News and Links
7 years ago
blad3
Yes, the previous version only supported XSS. In 3.0 they added SQL injection.
Forum: News and Links
7 years ago
blad3
Yeah, $_SERVER array is not marked as tainted. I reported this problem, hopefully it will be fixed.
Forum: News and Links
7 years ago
blad3
What can I say, I like Pixy a lot :) Pixy is a Java program that performs automatic scans of PHP source code, aimed at the detection of XSS and SQL injection vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability. http://pixybox.seclab.tuwien.ac.at/
Forum: News and Links
7 years ago
blad3
I found one XSS in one customer portal like application. From this portal you can manage your websites/upload files/change FTP passwords, manage your advertisements and more ...
Forum: XSS Info
7 years ago
blad3
Ronald Wrote:
> Ghehe: http://www.google.com/search?q=*+a
> 23.550.000.000
LOL, funny. I tried that but for some reason I had the impression that returns fewer results. Google is pretty unpredictable at these :) http://www.google.com/search?hl=en&safe=off&q=.*&btnG=Search Here, this one is returning some "Pr
Forum: OMG Ponies
7 years ago
blad3
I propose a little contest. Who manages to get the query that will return the highest number of results. Here is mine: http://www.google.com/search?hl=en&safe=off&q=a+*&btnG=Search 16,190,000,000 results :) I'm curious how many pages are indexed by Google :P
Forum: OMG Ponies
7 years ago
blad3
halo2master15 Wrote:
> yeah
> so i have the email
> i just need to know where to go from there
to jail maybe???
Forum: Bugs
7 years ago
blad3
Dudes, we are talking about computers here, mkay? :) It's not real life, just some damn machines.
Forum: News and Links
7 years ago
blad3
Damn, I completely forgot about that Expect header hole :)
Forum: News and Links
7 years ago
blad3
I was reading pdp-s latest post and followed a link to xssed.com So I found this: http://xssed.com/mirror/8870/
Forum: News and Links
7 years ago
blad3
I can access it without problems. Already skimmed through most of the papers.
Forum: News and Links
7 years ago
blad3
http://www.phrack.org/
Forum: News and Links
7 years ago
blad3
No, BlackHat is for stupid/bored managers who want to spend the company money and get a week off. Defcon is for hackers. In short, if you want to throw money out the window go to BlackHat. Anything they teach you and more can be found on Google. I'm talking about BlackHat trainings here. Not the briefings. The briefings are interesting but highly expensive.
Forum: OMG Ponies
7 years ago
blad3
Not directly related with web security but a very interesting read. http://www.scs.stanford.edu/mfreed/docs/illum-nsdi07.pdf Project homepage http://illuminati.coralcdn.org/
Forum: News and Links
7 years ago
blad3
The cool stuff starts at page 37. - Global uninitialized variables from Flash act like PHP register globals. So, you could do something like http://url?param1=value1 and control uninitialized variables from Flash. And more tricks are following if you read carefully.
Forum: News and Links
7 years ago
blad3
kuza55, I totally agree with you :)
Forum: News and Links
7 years ago
blad3
Stefano Di Paola released a very interesting paper at OWASP 2007. http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.pdf
Forum: News and Links
7 years ago
blad3
30. Linutop
Linutop is a Linux-based diskless computer. It offers a completely silent, low-power operation in an extremely small package. http://www.linutop.com/
Forum: OMG Ponies