XSS+phishing in Italian bank hack
10 January 08 11:43 AM | Billy | 1 Comments   
Netcraft is reporting today about a phishing attack leveraging XSS against an Italian bank. From the article (emphasis mine) An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to Read More...
Ajax Security Book is published with strong buzz and reviews
20 December 07 01:29 PM | Billy | 2 Comments   
Our Ajax Security book from Addison Wesley has been published! By now I'm sure everyone is tired of me talking about the book and its merits, so let's see what some of the experts in the web security space are saying about it: Andrew van der Stock Read More...
Another analysis of Larry Suto's comparative review
04 December 07 11:14 AM | jbforristal | 1 Comments   
IBM/Watchfire released their analysis of Larry Suto's web scanner comparative review , which was released in October. If you recall, we wrote one as well . IBM/Watchfire questioned Suto's methodology just like we did; they also found discrepancies Read More...
JavaScript strings immutable in Rhino???
28 November 07 06:19 AM | Billy | 1 Comments   
Update: Hmmm. I think I'm looking at the wrong thing. This needs more testing/tracing to see exactly what's going on. Just a quick update from yesterday's post . It appears that Mozilla Rhino (a JavaScript interpreter written in Java) uses Java's Read More...
[snarfs coffee]... wait, What are you doing?
27 November 07 08:13 AM | Billy | 6 Comments   
While reading through an article about Firefox 3 on Security Focus today I snarfed my drink when I read the following passage: The group also rewrote the Password Manager in JavaScript from C++ to eliminate memory errors, Schroepfer said. Digging a little Read More...
Digging into ASP.NET RegEx Validators
20 November 07 02:01 PM | Billy | 1 Comments   
RegEx Validators are handy for implementing Whitelist input validation (our DevInspect product has a library of a hundred or so) so it pays to see what they actually do under the covers. The following code is from the class System.Web.UI.WebControls.RegularExpressionValidator Read More...
Analysis of Larry Suto's comparative case study
12 November 07 10:52 AM | jbforristal | 2 Comments   
[ Update: PDF attachment download is working now] In October 2007, Larry Suto released a case study entitled “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” available for reading at http://www.stratdat.com/webscan.pdf Read More...
Ajax Security more than Increased Attack Surface
07 November 07 12:29 PM | Billy | 3 Comments   
I got an email from Christ1an the other day asking me what Ajax Security was all about. I was just going to send him the table of contents to the book, but I thought it might be educational to see how the components of Ajax security relate, and where Read More...
Praise for Ajax Security Book
31 October 07 10:43 AM | Billy | 2 Comments   
Bryan and I got to see the cover of our book Ajax Security before it went to the printers today. It included what is known in the industry as a praise quote , where someone who is famous in a certain space reads the manuscript and provides a quote for Read More...
Ajax Security Acceptance
30 August 07 12:45 PM | Billy | 3 Comments   
It's time again for AjaxWorld , the largest Ajax conference in the US. Bryan and I are thrilled. AjaxWorld offered us back-to-back sessions so we can do a 90+ minute workshop on how to break into Ajax applications. We will not only hit the major themes Read More...
The real reason for (JavaScript|JSON) Hijacking
27 August 07 01:59 PM | Billy | 1 Comments   
When JSON hijacking was first discussed and demonstrated in 2006 and 2007 by Whitehat, Fortify and others, all of the proof of concepts used Mozilla specific JavaScript extensions like setter or __defineSetter__ . This led many people to believe that Read More...
TigerDirect.com's "Improved" Security Policy
26 July 07 11:12 AM | Erik | 2 Comments   
While checking my email this morning, I suspected that yet another message eluded my SPAM filter. Much to my surprise, the subject line "Your TigerDirect Account Update" from 'TigerDirect@promo.tigeronline.com' was legitimate. Unfortunately, Read More...
SPI Labs advises avoiding iPhone feature
16 July 07 03:40 PM | Billy | 18 Comments   
The Apple iPhone’s Safari web browser has a special feature that allows the user to dial any phone number displayed on a web page simply by tapping the number. SPI Labs has discovered that this feature can be exploited by attackers to perform various Read More...
Jikto in the wild
02 April 07 12:19 PM | Billy | 12 Comments   
It appears that the source code to Jikto is in the wild. I suppose it was only a matter of time, even though as you will see SPI took extreme steps to prevent this from happening. As my Shmoocon presentation slides discuss , Jikto bypasses the "Same Read More...
Speaking at Shmoo
22 March 07 05:05 PM | Billy | 5 Comments   
I’m really excited to be speaking at Shmoocon again and especially excited about my presentation this Saturday at 1pm. Javascript Malware for a Gray Goo Tomorrow focuses on the increased scope of damage caused by Cross-Site Scripting (XSS) vulnerabilities Read More...