sla.ckers.org is ha.ckers sla.cking
Q and A for any cross site scripting information. Feel free to ask away. 

Current Page: 1 of 5
Results 1 - 30 of 150
4 years ago
Ambush Commander
If you're interested in testing this out, http://htmlpurifier.org/demo.php has the logic I described here.
Forum: XSS Info
4 years ago
Ambush Commander
sirdarckcat: Newlines are removed. <> is kept normal for inline CSS, and converted to \XX (hex code) escape for insertion into an actual stylesheet. LeverOne: It looks like you're right. That's good to hear. The DOM interaction bugs are pretty crazy. Thanks for the pointer.
Forum: XSS Info
4 years ago
Ambush Commander
Hey all, I'm currently researching ways to safely encode, in all browsers, URLs and strings in CSS found in HTML. For example:
* url(http://example.com) with backslash escaping of quotes and parentheses as \" and \) is insecure because Internet Explorer doesn't recognize those kinds of character escapes
* 'Font name' with backslash escaping of single quotes is insecure for the same rea
Forum: XSS Info
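The two posts above (the question about encoding URLs and strings in CSS, and the follow-up stating that newlines are removed and that < > are turned into \XX hex escapes for a stylesheet) describe an approach rather than showing one. The following is an added Python example written for this page, not code from HTML Purifier or from the poster. It hex-escapes every non-alphanumeric character uniformly (a simplification: the post keeps < > literal for inline CSS, where the HTML attribute escaping covers them), and for url() it percent-encodes the characters that could close the token instead of backslash-escaping them, since the post reports that backslash escapes are not honoured by Internet Explorer. The scheme allowlist and the function names are assumptions of this example, not something the posts specify.

```python
import urllib.parse

def css_string(value: str) -> str:
    """Return a double-quoted CSS string literal for use in a stylesheet.

    Newlines are dropped (an unescaped newline terminates a CSS string).
    Every remaining character that is not an ASCII letter or digit becomes a
    \\XX hex escape followed by a space, so the escape cannot swallow a hex
    digit that happens to follow it. Quotes, backslashes, parentheses and < >
    therefore never appear literally inside the literal. If the result goes
    into a style="" attribute it still needs HTML attribute escaping.
    """
    value = value.replace("\r", "").replace("\n", "")
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\%x " % ord(ch))
    return '"%s"' % "".join(out)


# RFC 3986 reserved/unreserved characters left as-is inside url("...").
# Deliberately absent: ' " ( ) \ and whitespace, which could end the token.
_URL_SAFE = "/:?#[]@!$&*+,;=%~"

# Assumption of this example: only web URLs (and relative ones) belong in CSS.
_ALLOWED_SCHEMES = ("http", "https", "")

def url_is_allowed(url: str) -> bool:
    scheme = urllib.parse.urlsplit(url.strip()).scheme.lower()
    return scheme in _ALLOWED_SCHEMES

def css_url(url: str) -> str:
    """Return a url("...") token for a stylesheet.

    Instead of backslash-escaping quotes and parentheses, the characters that
    could close the token are percent-encoded. Percent-encoding is part of the
    URL itself, so every browser's URL parser understands it regardless of how
    its CSS tokenizer treats backslashes.
    """
    url = url.strip()
    if not url_is_allowed(url):
        raise ValueError("disallowed URL scheme in %r" % url)
    return 'url("%s")' % urllib.parse.quote(url, safe=_URL_SAFE)


if __name__ == "__main__":
    # constructed sample inputs, including a value that tries to close url()
    print(css_string("Font name"))
    print(css_string("a'b\nc"))
    print(css_url("http://example.com/x y"))
    print(css_url("http://example.com/a) url(javascript:alert('1'))"))
```

Note that css_string() produces a quoted literal, so the caller must not wrap it in quotes again; css_url() likewise returns the complete token.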
4 years ago
Ambush Commander
So, that tells you once they got in, how they tried to establish control of the machine, but doesn't really tell you much about the attack vector, which you might be more interested in if you have similarly configured machines elsewhere that you're worried about. This seems like a really hard problem.
Forum: OMG Ponies
4 years ago
Ambush Commander
OK, so you got rooted. You found out because you saw a suspicious root login in your logs, or someone called you complaining about huge amounts of network. You've halted the machine and you've got the hard-drive mounted in a LiveCD VM and you want to know, "how." You kept up-to-date with patches, taking them within hours of coming out. There's no snazzy zero-day exploit lurking on Slashd
Forum: OMG Ponies
5 years ago
Ambush Commander
This looks like it'll be a lively conversation. First, the broad picture: your "principle" does work (barring a few minor details). But it doesn't work because it's a magic incant; there are very specific reasons why it works: each of your steps reflects a format-shift to the various mediums you need. Internally, you probably understand this "format-shifting" business, to
Forum: Projects
5 years ago
Ambush Commander
Quote: While reading: I don't agree on that the used examples are insecure. You just presented them in an insecure manner, in such a way that htmlspecialchars without flags is insecure, but you always have to set flags. So the function isn't insecure, it's insecure if you do not understand what it's meant for.
When I was giving the lecture, the examples made me double-take as well. They don't illus
Forum: Projects
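The quoted objection above turns on htmlspecialchars() being safe only with the right flags. As an added example for this page (Python rather than PHP, and not code from the lecture or from either poster), the following shows the same flag dependence with html.escape(): with quote=False it encodes & < > " but not the apostrophe, which mirrors PHP's htmlspecialchars() default before PHP 8.1 (ENT_COMPAT), and a value placed in a single-quoted attribute can break out. The attacker value and the attribute names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# constructed attacker-controlled value: closes a single-quoted attribute
PAYLOAD = "x' onmouseover='alert(1)"

def render_single_quoted(value: str, escape_quotes: bool) -> str:
    # quote=False is the analogue of htmlspecialchars() without ENT_QUOTES:
    # & < > and " are encoded, the apostrophe is left alone.
    return "<input type='text' value='%s'>" % html.escape(value, quote=escape_quotes)

def render_double_quoted(value: str, escape_quotes: bool) -> str:
    # The double quote is encoded even with quote=False, so this context
    # survives the weaker setting; the single-quoted one does not.
    return '<input type="text" value="%s">' % html.escape(value, quote=escape_quotes)

class _InputAttrs(HTMLParser):
    """Collects the attributes the parser sees on the <input> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)

def parsed_input_attrs(markup: str) -> dict:
    # html.parser decodes entity references in attribute values, so a
    # correctly escaped value comes back as the original string.
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs

def value_stayed_in_attribute(markup: str) -> bool:
    """True if the parser saw only the two attributes the template wrote."""
    return set(parsed_input_attrs(markup)) == {"type", "value"}


if __name__ == "__main__":
    for name, markup in (
        ("single-quoted, quotes not escaped", render_single_quoted(PAYLOAD, False)),
        ("single-quoted, quotes escaped", render_single_quoted(PAYLOAD, True)),
        ("double-quoted, quotes not escaped", render_double_quoted(PAYLOAD, False)),
    ):
        print(name, "->", parsed_input_attrs(markup))
```

The first case yields an extra onmouseover attribute; the other two keep the whole payload inside value, which is the point made in the quote: the function is fine, the flag choice has to match the context.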
5 years ago
Ambush Commander
Sorry, but it wasn't videotaped.
Forum: Projects
5 years ago
Ambush Commander
It went quite well, and a lot of people showed up. :-)
Forum: Projects
5 years ago
Ambush Commander
It's pretty good. It doesn't deal with everything, esp. the obscure multibyte attacks, and it allows a pretty limited subset of tags.
Forum: XSS Info
5 years ago
Ambush Commander
So, the idea is when I show the "Now for something new" slide, I show them a video demo of a clickjacking exploit, with me narrating a bit. I feel like that will be a lot more vivid than a hypothetical.
Forum: Projects
5 years ago
Ambush Commander
The last two parts of the lecture are up. They're a bit shorter than the rest, so tell me if you think there's something I should have covered that I didn't.
Forum: Projects
5 years ago
Ambush Commander
That's exactly what I talk about in the lecture. Look at the Safe API slides, around slides 24-32.
Forum: Projects
5 years ago
Ambush Commander
Quote: 1 - include some real world examples of the different bugs like XSS, CSRF - even if it is with a dummy app like web goat, it helps get the point across. 2 - perhaps include some "hands-on" activities that the students can mess with during the lecture. Again, something like web goat might fit the bill here, a home-made lab, or something completely different.
I agree, these are thi
Forum: Projects
5 years ago
Ambush Commander
Quote: I'll take a look at the slides.
Great! Any comments you have are welcome.
Quote: I'm in the Boston area too, we should have a sla.ckers get together, eh :)
Ah, nice! I'd be up for something like that, though this event probably wouldn't be that appropriate.
Forum: Projects
5 years ago
Ambush Commander
Quote: Who is your audience and what will their background be?
Probably people who have written a few small web scripts before, maybe have vaguely heard of this XSS thing, but haven't looked into it too deeply. It focuses very much on the implementor/defender side, and not so much on the pentesting/techniques side.
Quote: I'm actually just a few T stops away (I go to Tufts)! Would love to go, bu
Forum: Projects
5 years ago
Ambush Commander
I've posted slides for Part 1 here: http://web.mit.edu/~ezyang/Public/iap/intro-to-was.html I suggest viewing the slides in outline form. You can toggle between formats by calling toggle() in your browser, or navigating to the bottom left of the slide and clicking on the slashed O. You can also view rough drafts of the slides in http://web.mit.edu/~ezyang/Public/iap . They are named part1.tx
Forum: Projects
5 years ago
Ambush Commander
As part of MIT's SIPB IAP classes series, I am going to be giving a two-hour introductory lecture to Web Application Security. I'm planning on focusing on XSS, HTML filtering and CSRF type attacks, since I've had the most personal experience on them. A brief outline of the talk is as follows:
1. String is not a type:
- Know where your strings are going (HTML, SQL, text?)
- Know wha
Forum: Projects
5 years ago
Ambush Commander
You could always trick the user into installing a bugged firefox extension... admittedly not hard to do, unfortunately.
Forum: XSS Info
5 years ago
Ambush Commander
Yep.
Forum: XSS Info
5 years ago
Ambush Commander
In theory, no. In practice, maybe. The theory says that what comes out of the htmlentities function is only safe for HTML. You don't know if it did something funny to the HTML such that suddenly an SQL injection came back into play. The practice says that htmlentities won't futz around with MySQL's escaping characters, namely backslashes, so things will be hunky dory. The practice also says,
Forum: XSS Info
5 years ago
Ambush Commander
Quote: Now I'm not too keen on using HTML Purifier because I would like to be able port the code over to other projects easily, and most importantly, this software will be both redistributed and proprietary.
Porting HTML Purifier to another language is hard; porting it to another project is easy. Also, because it's LGPL, we don't care if you use it in a proprietary project.
Quote: @Ambush, I don
Forum: XSS Info
5 years ago
Ambush Commander
So, you are completely missing the point of escaping. Treat programming data as just that: data. When it's in a PHP string, it can contain whatever characters you want and be safe. When you put it into a database, it needs to be escaped to prevent security vulnerabilities. When you put it into a webpage, it needs to be escaped. Not before then!
Forum: XSS Info
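The post above ("escape when you put it into a database, escape when you put it into a webpage, not before then"), the earlier reply about htmlentities output not being safe for SQL, and the "format-shifting" remark in the Projects thread all make the same argument. As an added example for this page (Python with sqlite3 rather than the PHP/MySQL the posts have in mind, and not code from any poster), the following keeps the string raw while it is data, lets the driver's parameter binding do the SQL format shift, and HTML-escapes only at the HTML sink. A second function does what the post argues against, escaping for HTML before storage, so the double-encoded result is visible. Table layout and sample values are constructed for the example.

```python
import html
import sqlite3

# constructed sample input: an author with an apostrophe and a body that is
# hostile to HTML
AUTHOR = "O'Brien"
BODY = '<script>alert(1)</script> said "hi" & left'

def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

def store_comment(conn: sqlite3.Connection, author: str, body: str) -> None:
    # SQL sink: the shift from "PHP/Python string" to "SQL literal" is done by
    # parameter binding. The value itself is stored untouched.
    conn.execute("INSERT INTO comments(author, body) VALUES (?, ?)", (author, body))

def render_comments(conn: sqlite3.Connection) -> str:
    # HTML sink: escape here, and only here. html.escape() with the default
    # quote=True encodes & < > " and ' so the text is safe in element content
    # and in either attribute quoting style.
    items = []
    for author, body in conn.execute("SELECT author, body FROM comments ORDER BY id"):
        items.append("<li><b>%s</b>: %s</li>" % (html.escape(author), html.escape(body)))
    return "<ul>%s</ul>" % "".join(items)

def stored_body(conn: sqlite3.Connection) -> str:
    return conn.execute("SELECT body FROM comments ORDER BY id LIMIT 1").fetchone()[0]

def escape_at_the_sink() -> tuple:
    """Correct flow: raw data at rest, HTML escaping applied in the template."""
    conn = new_db()
    store_comment(conn, AUTHOR, BODY)
    return stored_body(conn), render_comments(conn)

def escape_too_early() -> tuple:
    """The mistake the post warns about: HTML-escaping before the HTML context.

    The database now holds entities instead of the user's text, the template
    (which rightly escapes again) shows them double-encoded, and any non-HTML
    consumer of the column, such as search or a JSON API, gets HTML entities
    it never asked for.
    """
    conn = new_db()
    store_comment(conn, html.escape(AUTHOR), html.escape(BODY))
    return stored_body(conn), render_comments(conn)


if __name__ == "__main__":
    for label, fn in (("escape at the sink", escape_at_the_sink),
                      ("escape too early", escape_too_early)):
        raw, page = fn()
        print(label)
        print("  stored:  ", raw)
        print("  rendered:", page)
```

Note that parameter binding, not HTML escaping, is what keeps the apostrophe in O'Brien from ever being interpreted by the SQL parser; the HTML escaping of that same apostrophe happens later and for a different reason.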
6 years ago
Ambush Commander
Ah yes, thank you DoctorDan for the endorsement! :-)
Forum: XSS Info
6 years ago
Ambush Commander
The problem with XSLT is that it isn't expressive enough to do the kind of validation you need to do with attribute values and CSS; from a strictly tags-and-well-formedness standpoint it works OK (although XML parsers are kinda evil from a usability standpoint). So possible, yes, but not without extensions to XSLT.
Forum: XSS Info
6 years ago
Ambush Commander
Which isn't very useful for the purposes of XSS. Some interesting research, however, would be finding vulnerabilities in the optimization tricks Google Chrome is doing on JavaScript.
Forum: XSS Info
6 years ago
Ambush Commander
Out of curiosity, does the fact that Chrome uses webkit mean that it has the same parsing behavior as Safari?
Forum: XSS Info
6 years ago
Ambush Commander
Not really. We hackers are lazy creatures. :-) Just don't piss us off.
Forum: XSS Info
6 years ago
Ambush Commander
Ah yes, with that I agree totally. But the closer you get, the more likely attackers will look somewhere else for low-hanging fruit.
Forum: XSS Info
6 years ago
Ambush Commander
Hmm... then would you consider HTML Purifier dangerous? http://htmlpurifier.org
Forum: XSS Info